{ "openapi": "3.0.3", "info": { "title": "CubeSigner API", "description": "The CubeSigner management and signing service.", "contact": { "name": "Cubist Inc.", "email": "hello@cubist.dev" }, "version": "v0.152.0" }, "servers": [ { "url": "https://gamma.signer.cubist.dev", "description": "Testing and staging environment" }, { "url": "https://prod.signer.cubist.dev", "description": "Production environment" } ], "paths": { "/v0/about_me": { "get": { "tags": [ "User" ], "summary": "User Info", "description": "User Info\n\nRetrieves information about the current user.\n\nPREFER `GET /v0/orgs/{org_id}/user/me`", "operationId": "aboutMeLegacy", "responses": { "200": { "$ref": "#/components/responses/UserInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "" ] } ] } }, "/v0/email/orgs": { "get": { "tags": [ "Orgs" ], "summary": "List accessible organizations.", "description": "List accessible organizations.\n\nUnauthenticated endpoint for retrieving all organizations accessible to a user.\nThis information is emailed to the provided email address.\n", "operationId": "email_my_orgs", "parameters": [ { "name": "email", "in": "query", "description": "The email of the user", "required": true, "schema": { "type": "string" }, "style": "form", "example": "alice@example.com" } ], "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ {} ] } }, "/v0/internal/sentry": { "post": { "tags": [ "Internal" ], "summary": "(INTERNAL) Sentry API Proxy", "description": "(INTERNAL) Sentry API Proxy", "operationId": "sentryApiCallPublic", "requestBody": { "content": { "text/plain": { "schema": { "type": "string" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, 
"default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ {} ] } }, "/v0/mmi/v3/.well-known/jwks.json": { "get": { "tags": [ "MMI" ], "summary": "JWKS endpoint for MMI", "description": "JWKS endpoint for MMI\n\nReturns the public key used to sign JSON Web Tokens for MMI.", "operationId": "mmiJwkSet", "responses": { "200": { "$ref": "#/components/responses/JwkSetResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ {} ] } }, "/v0/mmi/v3/json-rpc": { "post": { "tags": [ "MMI" ], "summary": "MMI JSON-RPC endpoint", "description": "MMI JSON-RPC endpoint\n\nHandler for all [MMI JSON-RPC](https://docs.metamask-institutional.io/custodian-integration/integration-docs/api/methods)\nrequests.", "operationId": "mmi", "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Request" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/JrpcResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "mmi:*" ] } ] } }, "/v0/oauth/token": { "post": { "tags": [ "OAuth2" ], "summary": "Token refresh endpoint, compliant with OAuth.", "description": "Token refresh endpoint, compliant with OAuth.\n\nThe body content type can be either 'application/json' or 'application/x-www-form-urlencoded'.\n", "operationId": "oauth2TokenRefresh", "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TokenRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/TokenResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ {} ] } }, 
"/v0/org/{org_id}": { "get": { "tags": [ "Orgs" ], "summary": "Get Org", "description": "Get Org\n\nRetrieves information about an organization.", "operationId": "getOrg", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/OrgInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:get" ] } ] }, "patch": { "tags": [ "Orgs" ], "summary": "Update Org", "description": "Update Org\n\nUpdate organization attributes (enabled flag, name, and policies).", "operationId": "updateOrg", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/UpdateOrgRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/UpdateOrgResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:*" ] } ] } }, "/v0/org/{org_id}/auth_migration/add_identity": { "post": { "tags": [ "AuthMigration" ], "summary": "Associate an OIDC identity with an arbitrary user in org .", "description": "Associate an OIDC identity with an arbitrary user in org .", "operationId": "authMigrationIdentityAdd", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": 
"#/components/schemas/MigrateIdentityRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:authMigration:identity:add" ] } ] } }, "/v0/org/{org_id}/auth_migration/remove_identity": { "post": { "tags": [ "AuthMigration" ], "summary": "Dissociate an OIDC identity from an arbitrary user in org .", "description": "Dissociate an OIDC identity from an arbitrary user in org .", "operationId": "authMigrationIdentityRemove", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MigrateIdentityRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:authMigration:identity:remove" ] } ] } }, "/v0/org/{org_id}/auth_migration/update_users": { "post": { "tags": [ "AuthMigration" ], "summary": "Update existing users' profiles. Currently supports only (re)setting emails.", "description": "Update existing users' profiles. 
Currently supports only (re)setting emails.", "operationId": "authMigrationUserUpdate", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MigrateUpdateUsersRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:authMigration:user:update" ] } ] } }, "/v0/org/{org_id}/ava/sign/{ava_chain}/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign a serialized Avalanche C/X/P-Chain Message", "description": "Sign a serialized Avalanche C/X/P-Chain Message\n\nSigns an Avalanche message with a given SecpEth (C-Chain messages) or\nSecpAva (X- and P-Chain messages) key. 
Currently, signing C-Chain messages\nwith a SecpEth key must also be explicitly allowed via the `AllowRawBlobSigning`\npolicy.\n\nThis is a pre-release feature.", "operationId": "avaSerializedTxSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "ava_chain", "in": "path", "description": "Avalanche chain", "required": true, "schema": { "type": "string" }, "example": "P" }, { "name": "pubkey", "in": "path", "description": "Avalanche address in bech32 or ETH format", "required": true, "schema": { "type": "string" }, "example": "0xB31f66AA3C1e785363F0875A1B74E27b85FD66c7" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AvaSerializedTxSignRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/SignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:ava" ] } ] } }, "/v0/org/{org_id}/ava/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign JSON-encoded Avalanche X- or P-Chain Message", "description": "Sign JSON-encoded Avalanche X- or P-Chain Message\n\nSigns an Avalanche message with a given SecpAva key.\nThis is a pre-release feature.", "operationId": "avaSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "Avalanche bech32 address format without the chain prefix", "required": true, "schema": { "type": "string" }, "example": 
"avax1am4w6hfrvmh3akduzkjthrtgtqafalce6an8cr" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AvaSignRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/SignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:ava" ] } ] } }, "/v0/org/{org_id}/babylon/cov/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign Babylon Covenant Committee Request", "description": "Sign Babylon Covenant Committee Request\n\nSigns transactions relevant to a Babylon covenant committee signer,\ni.e., Schnorr and adaptor signatures for the unbonding, slashing, and\nslash-unbonding outputs of a Babylon staking transaction.", "operationId": "babylonCovSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "hex-encoded public key", "required": true, "schema": { "type": "string" }, "example": "0x03e38106dd76656bc68d02898ede1a911df8c793e46ac4eb37d26c266aae5d2a5a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BabylonCovSignRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/BabylonCovSignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:babylon:covenant" ] } ] } }, 
"/v0/org/{org_id}/babylon/eots/nonces/{pubkey}": { "post": { "tags": [ "Babylon" ], "summary": "Create EOTS nonces", "description": "Create EOTS nonces\n\nGenerates a set of Babylon EOTS nonces for a specified chain-id, starting at a\nspecified block height.", "operationId": "createEotsNonces", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "Hex-encoded public key of the EOTS key", "required": true, "schema": { "type": "string" }, "example": "0x457f0f24cfb06c3c35874bbd1f59b57180a5a9d7e1f6929280839c830f5c147f" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/EotsCreateNonceRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EotsCreateNonceResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:babylon:eots:nonces" ] } ] } }, "/v0/org/{org_id}/babylon/eots/sign/{pubkey}": { "post": { "tags": [ "Babylon" ], "summary": "Create an EOTS signature", "description": "Create an EOTS signature\n\nGenerates an EOTS signature for the specified chain-id, block height, and message.", "operationId": "eotsSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "Hex-encoded public key of the EOTS key", "required": true, "schema": { "type": "string" }, "example": "0x457f0f24cfb06c3c35874bbd1f59b57180a5a9d7e1f6929280839c830f5c147f" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/EotsSignRequest" } } }, "required": 
true }, "responses": { "200": { "$ref": "#/components/responses/SignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:babylon:eots:sign" ] } ] } }, "/v0/org/{org_id}/babylon/registration/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign Babylon Staking Registration", "description": "Sign Babylon Staking Registration\n\nCreates and signs the data needed to register a Phase-2 or Phase-3\nBabylon stake. This includes the deposit and unbonding transactions,\ntwo slashing transactions, the slashing signatures, and the proof of\npossession.\n\nNote that it is also possible to generate this registration data by\nmaking four calls to the Babylon staking API, plus one call to the\nPSBT signing API to generate the BIP-322 proof of possession. The\nregistration API generates the same data but is easier to use.\n\nNote that this action can only be called with a Taproot key. 
If your\ndeposit transaction spends UTXOs that are controlled by other keys,\nyou can submit the 'deposit' PSBT to the PSBT signing API one or more\ntimes to generate the required signatures.\n\nFor more information, consult the\n[Babylon documentation](https://github.com/babylonlabs-io/babylon/blob/release/v1.x/docs/register-bitcoin-stake.md).\n\nThis is a pre-release feature.", "operationId": "babylonRegistration", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "bech32 encoding of the public key", "required": true, "schema": { "type": "string" }, "example": "tb1pe4fgyn87pwku2xdptc2dtaeqzyx8wx89cqa6yntu8td49flpt5wq5k6hau" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BabylonRegistrationRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/BabylonRegistrationResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:babylon:registration" ] } ] } }, "/v0/org/{org_id}/babylon/staking/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign Babylon Staking Transaction", "description": "Sign Babylon Staking Transaction\n\nCreates and signs transactions related to Babylon staking (i.e.,\ndeposit, early unbond, withdrawal). The return value is a Partially Signed\nBitcoin Transaction (PSBT), as defined in BIP-174, which matches the\nformat used in most Babylon tooling.\n\nThe 'deposit' action can be used with either Segwit (i.e., SecpBtc/SecpBtcTest)\nor Taproot (i.e., TaprootBtc/TaprootBtcTest) keys. 
The remaining actions can be\nused only with Taproot keys.\n\nThis is a pre-release feature.", "operationId": "babylonStaking", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "bech32 encoding of the public key", "required": true, "schema": { "type": "string" }, "example": "tb1pe4fgyn87pwku2xdptc2dtaeqzyx8wx89cqa6yntu8td49flpt5wq5k6hau" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BabylonStakingRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/BabylonStakingResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:babylon:staking" ] } ] } }, "/v0/org/{org_id}/btc/message/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign a Bitcoin message.", "description": "Sign a Bitcoin message.\n\nSigns a message using BIP137 message signing with a given Secp256k1 key.", "operationId": "btcMessageSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "Address of a Segwit or Legacy bitcoin key", "required": true, "schema": { "type": "string" }, "example": "bc1q3r35u4th78h06d64mwmp3vpu8qmzya05pq8fwl" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BtcMessageSignRequest" } } }, "required": true }, "responses": { "200": { "$ref": 
"#/components/responses/BtcMessageSignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:btc:message:legacy", "sign:btc:message:segwit" ] } ] } }, "/v0/org/{org_id}/btc/psbt/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign a Partially Signed Bitcoin Transaction (PSBT)", "description": "Sign a Partially Signed Bitcoin Transaction (PSBT)\n\nSigns all inputs of the supplied PSBT v0 (BIP-174) that pertain to the\n'pubkey' specified in the request, which can be either a Taproot or a\nSegwit key. For Segwit keys, CubeSigner-specific deterministic tweaking\ncan be applied to 'pubkey' before signing, on a per-input basis. (See the\nCubeSigner documentation for more information on Segwit tweaking.)\n\nWhen calling with a segwit key the required scope is 'sign:btc:psbt:segwit'.\nFor a taproot key, the scope is 'sign:btc:psbt:taproot'. 
Either type of key\ncan be used with the 'sign:btc:psbt' scope.\n\nThis is a pre-release feature.", "operationId": "psbtSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "bech32(m)-encoded segwit or taproot address", "required": true, "schema": { "type": "string" }, "example": "bc1p2wsldez5mud2yam29q22wgfh9439spgduvct83k3pm50fcxa5dps59h4z5" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/PsbtSignRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/PsbtSignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:btc:psbt:legacy", "sign:btc:psbt:segwit", "sign:btc:psbt:taproot" ] } ] } }, "/v0/org/{org_id}/btc/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign Bitcoin Segwit Transaction", "description": "Sign Bitcoin Segwit Transaction\n\nSigns a Bitcoin Segwit transaction with a given key.\nThis is a pre-release feature.", "operationId": "btcSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "bech32-encoded segwit address", "required": true, "schema": { "type": "string" }, "example": "bc1q5p5qkae77ly80kr4pyfytdqm7rf08ddhdejl9g" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BtcSignRequest" } } }, "required": true }, "responses": { "200": { 
"$ref": "#/components/responses/SignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:btc:segwit" ] } ] } }, "/v0/org/{org_id}/btc/taproot/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign Bitcoin Taproot Transaction", "description": "Sign Bitcoin Taproot Transaction\n\nSigns a Bitcoin Taproot transaction with a given key.\nThis is a pre-release feature.", "operationId": "btcTaprootSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "bech32m-encoded taproot address", "required": true, "schema": { "type": "string" }, "example": "bc1p2wsldez5mud2yam29q22wgfh9439spgduvct83k3pm50fcxa5dps59h4z5" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TaprootSignRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/SignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:btc:taproot" ] } ] } }, "/v0/org/{org_id}/contacts": { "get": { "tags": [ "Contact" ], "summary": "List Contacts", "description": "List Contacts\n\nList all contacts in the org.\nAny org member is allowed to list all contacts in the org.\n\nIf a search condition is provided, the result will contain only the contacts\nwho have an address starting with, or equaling, the given 
search string. The\nsearch is case-insensitive. If a search term is defined, we do not guarantee\nthe number of results in a page. The behavior of this parameter may change\nin the future (for example, making results more strictly paginated or\nperforming a fuzzy search rather than a prefix search).", "operationId": "listContacts", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per page.\n\nThe actual number of returned items may be less than this, even if there exists more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 100, "maximum": 1001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" }, { "name": "search", "in": "query", "description": "An entire address, or prefix of an address, that returned contacts must have. 
Must be at least 3 characters.", "required": false, "schema": { "type": "string", "nullable": true } } ], "responses": { "200": { "$ref": "#/components/responses/PaginatedListContactsResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:contact:list" ] } ] }, "post": { "tags": [ "Contact" ], "summary": "Create Contact", "description": "Create Contact\n\nCreates a new contact in the organization-wide address book. The\nuser making the request is the owner of the contact, giving them edit access\nto the contact along with the org owners.", "operationId": "createContact", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateContactRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/ContactInfoResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:contact:create" ] } ] } }, "/v0/org/{org_id}/contacts/by-address": { "post": { "tags": [ "Contact" ], "summary": "Lookup Contacts by Address", "description": "Lookup Contacts by Address\n\nReturns all contacts in the org that have the given address.\n\nWhen querying with an EVM address without a chain, this endpoint returns\ncontacts with that address on *any* chain, including those without a chain\ndefined.", "operationId": "lookupContactsByAddress", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { 
"content": { "application/json": { "schema": { "$ref": "#/components/schemas/ContactAddressData" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/PaginatedListContactsResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:contact:lookup:address" ] } ] } }, "/v0/org/{org_id}/contacts/{contact_id}": { "get": { "tags": [ "Contact" ], "summary": "Get Contact", "description": "Get Contact\n\nReturns the properties of a Contact.", "operationId": "getContact", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "contact_id", "in": "path", "description": "ID of the desired Contact", "required": true, "schema": { "type": "string" }, "example": "Contact#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/ContactInfoResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:contact:get" ] } ] }, "delete": { "tags": [ "Contact" ], "summary": "Delete Contact", "description": "Delete Contact\n\nDelete a contact, specified by its ID.\n\nOnly the contact owner and org owners are allowed to delete contacts.\nAdditionally, the contact's edit policy (if set) must permit the deletion.", "operationId": "deleteContact", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "contact_id", "in": "path", "description": "ID of the desired Contact", "required": true, "schema": { "type": "string" }, "example": 
"Contact#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Empty" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:contact:delete" ] } ] }, "patch": { "tags": [ "Contact" ], "summary": "Update Contact", "description": "Update Contact\n\nUpdates an existing contact in the organization-wide address book. Only\nthe contact owner or an org owner can update contacts.\n\n*Updates will overwrite the existing value of the field.*\n", "operationId": "updateContact", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "contact_id", "in": "path", "description": "ID of the desired Contact", "required": true, "schema": { "type": "string" }, "example": "Contact#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/UpdateContactRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/ContactInfoResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:contact:update:name", "manage:contact:update:addresses", "manage:contact:update:owner", "manage:contact:update:metadata", "manage:contact:update:editPolicy" ] } ] } }, "/v0/org/{org_id}/counts": { "get": { "tags": [ "Metrics" ], "summary": "Get current counts of users and keys within an org.", "description": "Get current counts of users and keys within an org.", "operationId": "counts", "parameters": [ { "name": "org_id", 
"in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/ComputeCountsResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:metrics:query" ] } ] } }, "/v0/org/{org_id}/derive_key": { "put": { "tags": [ "Keys" ], "summary": "Derive Key From Long-Lived Mnemonic", "description": "Derive Key From Long-Lived Mnemonic\n\nDerives a key of a specified type using a supplied derivation path and an\nexisting long-lived mnemonic.", "operationId": "deriveKeyLegacy", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DeriveKeyRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/CreateKeyResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "deprecated": true, "security": [ { "SignerAuth": [ "manage:key:create" ] } ] } }, "/v0/org/{org_id}/derive_keys": { "put": { "tags": [ "Keys" ], "summary": "Derive Key From New Or Existing Long-Lived Mnemonic", "description": "Derive Key From New Or Existing Long-Lived Mnemonic\n\nUses either a new or existing long-lived mnemonic to derive keys of\none or more specified types via specified derivation paths.", "operationId": "deriveKey", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { 
"content": { "application/json": { "schema": { "$ref": "#/components/schemas/DeriveKeysRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/CreateKeyResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:key:create" ] } ] } }, "/v0/org/{org_id}/diffie_hellman/{key_id}": { "post": { "tags": [ "Signing" ], "summary": "Compute Diffie Hellman shared secret", "description": "Compute Diffie Hellman shared secret\n\nFor a set of elliptic curve points (P_1, ..., P_i), computes the Diffie Hellman\nshared secret (Q_1, ..., Q_i) = (sk * P_1, ..., sk * P_i), for sk the secret key.\nPoints are specified in a curve-dependent format. See CubeSigner documentation\nfor more details.\n\nThe user can optionally specify a NIST P-256 public key, in which case the result\nwill be encrypted to the public key using RFC9180 HPKE(P-256, HKDF-SHA256) with\nAES-256-GCM as the symmetric cipher. In this case, the resulting ciphertext will\ncontain a serialized JSON blob containing the vector of shared secrets in the same\norder they were specified in the request.\n\nIf the user does not specify a public key, the resulting shared secrets will be\nreturned unencrypted. In this case, the caller should sample a random value r\nmodulo the group order and mask the requested points as (r * P_1, ..., r * P_i).\nThe result will be (r * sk * P_1, ..., r * sk * P_i), which can be unmasked by\nfirst computing r^-1, the multiplicative inverse of r modulo the group order,\nthen computing a scalar multiplication of each returned point with r^-1.\n\nThere is little practical security difference between these two approaches. 
The\nclient is free to choose the one that is easier from an implementation perspective.", "operationId": "diffieHellmanExchange", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "key_id", "in": "path", "description": "ID of the desired Key", "required": true, "schema": { "type": "string" }, "example": "Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DiffieHellmanRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/DiffieHellmanResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:diffieHellman" ] } ] } }, "/v0/org/{org_id}/emails/{purpose}": { "put": { "tags": [ "Org" ], "operationId": "configureEmail", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "purpose", "in": "path", "description": "Which email to configure", "required": true, "schema": { "type": "string", "enum": [ "otp", "mfa_reset", "otp_mfa", "alien_password_reset", "alien_invite" ] } } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ConfigureEmailRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:email" ] } ] } 
}, "/v0/org/{org_id}/evm/eip191/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign EIP-191 Data", "description": "Sign EIP-191 Data\n\nSigns a message using EIP-191 personal_sign with a given Secp256k1 key.", "operationId": "eip191Sign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "Hex-encoded EVM address of the Secp256k1 key", "required": true, "schema": { "type": "string" }, "example": "0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Eip191SignRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/SignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:evm:eip191" ] } ] } }, "/v0/org/{org_id}/evm/eip712/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign EIP-712 Typed Data", "description": "Sign EIP-712 Typed Data\n\nSigns typed data according to EIP-712 with a given Secp256k1 key.", "operationId": "eip712Sign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "Hex-encoded EVM address of the Secp256k1 key", "required": true, "schema": { "type": "string" }, "example": "0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Eip712SignRequest" } } }, 
"required": true }, "responses": { "200": { "$ref": "#/components/responses/SignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:evm:eip712" ] } ] } }, "/v0/org/{org_id}/export/{key_id}": { "get": { "tags": [ "Keys" ], "summary": "Get an Org-Export Ciphertext", "description": "Get an Org-Export Ciphertext\n\nReturns the export ciphertext associated with the provided key-id.\nIn order to use this API, you must be an org owner and your org must\nbe configured for org export and for API-based export delivery.", "operationId": "getOrgExport", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "key_id", "in": "path", "description": "ID of the desired Key", "required": true, "schema": { "type": "string" }, "example": "Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/OrgExportResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:export:org:get" ] } ] } }, "/v0/org/{org_id}/identity": { "get": { "tags": [ "Identity" ], "summary": "List associated OIDC identities with the current user.", "description": "List associated OIDC identities with the current user.\n", "operationId": "listOidcIdentities", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": 
"#/components/responses/ListIdentitiesResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:identity:list" ] } ] }, "post": { "tags": [ "Identity" ], "summary": "Associate an OIDC identity with the current user in org `org_id`.", "description": "Associate an OIDC identity with the current user in org `org_id`.\n\nAlien users are allowed to call this endpoint, but for them MFA is required\n(unless they are registering an email-otp identity matching their current email);\nadditionally, limits may apply to how many identities they may register.\n", "operationId": "addOidcIdentity", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AddIdentityRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:identity:add" ] } ] }, "delete": { "tags": [ "Identity" ], "summary": "Remove an OIDC identity from the current user's account in org `org_id`.", "description": "Remove an OIDC identity from the current user's account in org `org_id`.\n", "operationId": "removeOidcIdentity", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": 
"#/components/schemas/OidcIdentity" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:identity:remove" ] } ] } }, "/v0/org/{org_id}/identity/prove": { "post": { "tags": [ "Identity" ], "summary": "Create [IdentityProof] from CubeSigner user session", "description": "Create [IdentityProof] from CubeSigner user session\n\nThis route can be used to prove to another party that a user has a\nvalid CubeSigner session.\n\nClients are intended to call this route and pass the returned evidence\nto another service which will verify it by making a request to `/v0/org/{org_id}/identity/verify`.", "operationId": "createProofCubeSigner", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/IdentityProof" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [] } ] } }, "/v0/org/{org_id}/identity/prove/oidc": { "post": { "tags": [ "Identity" ], "summary": "Create [IdentityProof] from OIDC token", "description": "Create [IdentityProof] from OIDC token\n\nExchange an OIDC ID token (passed via the `Authorization` header) for a proof of authentication.\n\nThis route can be used to prove to another party that a user has met the\nauthentication requirements (allowed issuers & audiences) for CubeSigner\nwithout leaking their credentials.\n\nClients are intended to call this route and pass the returned evidence to another service\nwhich will verify it by making a request to `/v0/org/{org_id}/identity/verify`.", "operationId": "createProofOidc", "parameters": [ { 
"name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/IdentityProof" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "Oidc": [] } ] } }, "/v0/org/{org_id}/identity/verify": { "post": { "tags": [ "Identity" ], "summary": "Verify identity proof", "description": "Verify identity proof\n\nAllows a third-party to validate proof of authentication.\n\nWhen a third-party is provided an [IdentityProof] object, they must check its\nveracity by calling this endpoint", "operationId": "verifyProof", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/IdentityProof" } } }, "required": true }, "responses": {}, "security": [ { "SignerAuth": [ "manage:identity:verify" ] } ] } }, "/v0/org/{org_id}/idp/authenticate": { "post": { "tags": [ "Login" ], "summary": "Authenticate", "description": "Authenticate\n\nThis endpoint exchanges an email & password for an OIDC token", "operationId": "idpAuthenticate", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AuthenticationRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/AuthenticationResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": 
"#/components/schemas/ErrorResponse" } } } } }, "security": [] } }, "/v0/org/{org_id}/idp/password_reset": { "post": { "tags": [ "Account" ], "summary": "Request Password Reset", "description": "Request Password Reset\n\nThis endpoint generates an OIDC token without a signature (of the form `{header}.{payload}.`),\nand sends the signature to the user's email. Client applications can reconstruct the token\nby concatenating the `{header}.{payload}.` with the signature, producing a valid OIDC token of\nthe form `{header}.{payload}.{signature}`. The token can then be used to authenticate the user\nwhen performing the `idp_password_reset_confirm` request.", "operationId": "idpPasswordResetRequest", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/PasswordResetRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmailOtpResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [] }, "patch": { "tags": [ "Account" ], "summary": "Confirm Password Reset", "description": "Confirm Password Reset\n\nThis endpoint allows IDP users to reset their password\nusing a token they have received in their email.", "operationId": "idpPasswordResetConfirm", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/PasswordResetConfirmRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": 
"", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [] } }, "/v0/org/{org_id}/import_key": { "get": { "tags": [ "Keys" ], "summary": "Create Key-Import Key", "description": "Create Key-Import Key\n\nGenerate an ephemeral key that a client can use for key-import encryption.", "operationId": "createKeyImportKey", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/CreateKeyImportKeyResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:key:import" ] } ] }, "put": { "tags": [ "Keys" ], "summary": "Import Key", "description": "Import Key\n\nSecurely imports an existing key using a previously generated key-import key.", "operationId": "importKey", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ImportKeyRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/CreateKeyResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:key:import" ] } ] } }, "/v0/org/{org_id}/info": { "get": { "tags": [ "Orgs" ], "summary": "Public Org Info", "description": "Public Org Info\n\nUnauthenticated endpoint that returns publicly-available information about an organization.\n", "operationId": "public_org_info", "parameters": [ { "name": "org_id", "in": "path", "description": 
"Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/PublicOrgInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ {} ] } }, "/v0/org/{org_id}/internal/esplora": { "post": { "tags": [ "Internal" ], "summary": "(INTERNAL) Esplora API Proxy", "description": "(INTERNAL) Esplora API Proxy", "operationId": "esploraApiCall", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/EsploraRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EsploraResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [] } ] } }, "/v0/org/{org_id}/internal/sentry": { "post": { "tags": [ "Internal" ], "summary": "(INTERNAL) Authenticated Sentry API Proxy", "description": "(INTERNAL) Authenticated Sentry API Proxy", "operationId": "sentryApiCall", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "text/plain": { "schema": { "type": "string" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [] } ] } }, "/v0/org/{org_id}/invitation/accept": { "post": { 
"tags": [ "Accounts" ], "summary": "Accept an invitation", "description": "Accept an invitation\n\nThis endpoint allows idp users to register using a token they have received in their email", "operationId": "invitationAccept", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/InvitationAcceptRequest" } } }, "required": true }, "responses": {}, "security": [] } }, "/v0/org/{org_id}/invite": { "post": { "tags": [ "Users In Org" ], "summary": "Invite User", "description": "Invite User\n\nCreates a new user in an existing org and sends that user an invite email.", "operationId": "invite", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/InviteRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:inviteUser" ] } ] } }, "/v0/org/{org_id}/keys": { "get": { "tags": [ "Keys" ], "summary": "List Keys", "description": "List Keys\n\nGets the list of accessible keys in a given org (to org owner, all org keys\nare accessible; to members, only their own keys are accessible).\n\nIf a search condition is specified, the result will contain only the keys whose\nmaterial ID or metadata contains the search condition string.\n\nNOTE that if pagination is used and a page limit is set, the returned result\nset may contain either FEWER or MORE elements than the requested 
page limit.", "operationId": "listKeysInOrg", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per page.\n\nThe actual number of returned items may be less than this, even if there exists more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 1000, "maximum": 10001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" }, { "name": "key_type", "in": "query", "description": "Filter by key type", "required": false, "schema": { "allOf": [ { "$ref": "#/components/schemas/KeyType" } ], "nullable": true }, "style": "form", "example": "SecpEthAddr" }, { "name": "key_owner", "in": "query", "description": "Filter by key owner", "required": false, "schema": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true }, "style": "form", "example": "User#5269c579-b4f9-4620-9e90-e46a5a0ffb4d" }, { "name": "search", "in": "query", "description": "Search key metadata", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form", "example": "some value" } ], "responses": { "200": { "$ref": "#/components/responses/PaginatedListKeysResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:key:list" ] } ] }, 
"post": { "tags": [ "Keys" ], "summary": "Create Key", "description": "Create Key\n\nCreates one or more new keys of the specified type.", "operationId": "createKey", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateKeyRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/CreateKeyResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:key:create" ] } ] } }, "/v0/org/{org_id}/keys/{key_id}": { "get": { "tags": [ "Keys" ], "summary": "Get Key", "description": "Get Key\n\nReturns the properties of a key.", "operationId": "getKeyInOrg", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "key_id", "in": "path", "description": "ID of the desired Key", "required": true, "schema": { "type": "string" }, "example": "Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/KeyInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:key:get" ] } ] }, "delete": { "tags": [ "Keys" ], "summary": "Delete Key", "description": "Delete Key\n\nDeletes a key specified by its ID.\n\nOnly the key owner and org owners are allowed to delete keys.\nAdditionally, the role's edit policy (if set) must permit the update.", "operationId": "deleteKey", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired 
Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "key_id", "in": "path", "description": "ID of the desired Key", "required": true, "schema": { "type": "string" }, "example": "Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Empty" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:key:delete" ] } ] }, "patch": { "tags": [ "Keys" ], "summary": "Update Key", "description": "Update Key\n\nEnable or disable a key. The user must be the owner of the key or\norganization to perform this action.\n\nFor each requested update, the session must have the corresponding 'manage:key:update:_' scope;\nif no updates are requested, the session must have 'manage:key:get'.", "operationId": "updateKey", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "key_id", "in": "path", "description": "ID of the desired Key", "required": true, "schema": { "type": "string" }, "example": "Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/UpdateKeyRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/KeyInfo" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { 
"application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:key:update:enabled", "manage:key:update:metadata", "manage:key:update:policy", "manage:key:update:owner", "manage:key:update:editPolicy" ] } ] } }, "/v0/org/{org_id}/keys/{key_id}/roles": { "get": { "tags": [ "Keys" ], "summary": "List Key Roles", "description": "List Key Roles\n\nGet all roles the key is in", "operationId": "listKeyRoles", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "key_id", "in": "path", "description": "ID of the desired Key", "required": true, "schema": { "type": "string" }, "example": "Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per page.\n\nThe actual number of returned items may be less than this, even if there exists more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 1000, "maximum": 10001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. 
Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" } ], "responses": { "200": { "$ref": "#/components/responses/PaginatedListKeyRolesResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:key:list_roles" ] } ] } }, "/v0/org/{org_id}/keys/{key_id}/tx": { "get": { "tags": [ "Keys" ], "summary": "List Historical Transactions", "description": "List Historical Transactions\n\nReturns a sorted, paginated list of transactions signed by a given key,\nordered from most recent first.", "operationId": "listHistoricalKeyTx", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "key_id", "in": "path", "description": "ID of the desired Key", "required": true, "schema": { "type": "string" }, "example": "Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per page.\n\nThe actual number of returned items may be less than this, even if there exists more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 1000, "maximum": 10001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. 
Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" } ], "responses": { "200": { "$ref": "#/components/responses/PaginatedListHistoricalTxResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:key:history:tx:list" ] } ] } }, "/v0/org/{org_id}/keys/{key_type}/{material_id}": { "get": { "tags": [ "Keys" ], "summary": "Get Key by Material ID", "description": "Get Key by Material ID\n\nReturns the properties of a key.", "operationId": "getKeyByMaterialId", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "key_type", "in": "path", "description": "Type of the key to look up", "required": true, "schema": { "type": "string" } }, { "name": "material_id", "in": "path", "description": "Material ID of the key to look up", "required": true, "schema": { "type": "string" } } ], "responses": { "200": { "$ref": "#/components/responses/KeyInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:key:get" ] } ] } }, "/v0/org/{org_id}/metrics": { "post": { "tags": [ "Metrics" ], "summary": "Query org metrics.", "description": "Query org metrics.\n\nMetrics summarize usage information about your CubeSigner organization over time. 
For example,\nyou can call this endpoint to find out:\n\n- the average number of keys over the last month,\n- the average number of monthly users over the last year,\n- the total number of transactions signed last week,\n- how the number of different API requests was trending day-by-day over the last week/month/year, etc.\n\nEach metric kind can have one or more dimensions, to further specify the org property it describes.\nFor example, the `UserCount` metrics have a membership dimension to specify the kind of user membership\nin the organization (\"Owner\" vs. \"Member\" vs. \"Alien\").", "operationId": "queryMetrics", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per page.\n\nThe actual number of returned items may be less than this, even if there exist more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 1000, "maximum": 10001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. 
Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/QueryMetricsRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/PaginatedQueryMetricsResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:metrics:query" ] } ] } }, "/v0/org/{org_id}/mfa": { "get": { "tags": [ "MFA" ], "summary": "List Pending MFA Requests", "description": "List Pending MFA Requests\n\nRetrieves and returns all pending MFA requests that are accessible to the current session,\ni.e., those created by the current session identity plus those in which the current user\nis listed as an approver", "operationId": "mfaList", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/ListMfaResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:list" ] } ] } }, "/v0/org/{org_id}/mfa/{mfa_id}": { "get": { "tags": [ "MFA" ], "summary": "Get Pending MFA Request", "description": "Get Pending MFA Request\n\nRetrieves and returns a pending MFA request by its id.", "operationId": "mfaGet", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "mfa_id", "in": "path", 
"description": "Name or ID of the desired MfaRequest", "required": true, "schema": { "type": "string" }, "example": "MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/MfaRequestInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [] } ] }, "patch": { "tags": [ "MFA" ], "summary": "Approve or Reject MFA Request", "description": "Approve or Reject MFA Request\n\nApprove or reject request after logging in with CubeSigner.\n\nIf approving, adds the currently-logged user as an approver\nof a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of\napprovers is reached, the MFA request is approved; the confirmation receipt can be used to\nresume the original HTTP request.\n\nIf rejecting, immediately deletes the pending MFA request.", "operationId": "mfaVoteCs", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "mfa_id", "in": "path", "description": "Name or ID of the desired MfaRequest", "required": true, "schema": { "type": "string" }, "example": "MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "mfa_vote", "in": "query", "required": false, "schema": { "allOf": [ { "$ref": "#/components/schemas/MfaVote" } ], "nullable": true }, "style": "form" } ], "responses": { "200": { "$ref": "#/components/responses/MfaRequestInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:vote:cs" ] } ] } }, "/v0/org/{org_id}/mfa/{mfa_id}/email": { "post": { "tags": [ "MFA" ], "summary": "Initiate an Email OTP MFA Approval/Rejection", "description": "Initiate an Email OTP MFA 
Approval/Rejection\n\nInitiates the approval/rejection process of an MFA Request using Email OTP.", "operationId": "mfaEmailInit", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "mfa_id", "in": "path", "description": "Name or ID of the desired MfaRequest", "required": true, "schema": { "type": "string" }, "example": "MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "mfa_vote", "in": "query", "required": false, "schema": { "allOf": [ { "$ref": "#/components/schemas/MfaVote" } ], "nullable": true }, "style": "form" } ], "responses": { "200": { "$ref": "#/components/responses/EmailOtpResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:vote:email" ] } ] }, "patch": { "tags": [ "MFA" ], "summary": "Finalize an Email OTP MFA Approval/Rejection.", "description": "Finalize an Email OTP MFA Approval/Rejection.\n\nThe request should contain the full JWT obtained by concatenating the\npartial token returned by the `mfa_email_init` endpoint and the signature\nemailed to the user issuing the request.\n\nIf approving, adds an approver to a pending MFA request.\nIf the required number of approvers is reached, the MFA request is approved;\nthe confirmation receipt can be used to resume the original HTTP request.\n\nIf rejecting, immediately deletes the pending MFA request.", "operationId": "mfaVoteEmailComplete", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "mfa_id", "in": "path", "description": "Name or ID of the desired MfaRequest", "required": true, "schema": { "type": "string" }, "example": 
"MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/EmailOtpAnswer" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/MfaRequestInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:vote:email" ] } ] } }, "/v0/org/{org_id}/mfa/{mfa_id}/fido": { "post": { "tags": [ "MFA" ], "summary": "Initiate a FIDO MFA Approval/Rejection", "description": "Initiate a FIDO MFA Approval/Rejection\n\nInitiates the approval/rejection process of an MFA Request using FIDO.", "operationId": "mfaFidoInit", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "mfa_id", "in": "path", "description": "Name or ID of the desired MfaRequest", "required": true, "schema": { "type": "string" }, "example": "MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/FidoAssertChallenge" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:vote:fido" ] } ] }, "patch": { "tags": [ "MFA" ], "summary": "Finalize a FIDO MFA Approval/Rejection", "description": "Finalize a FIDO MFA Approval/Rejection\n\nIf approving, adds an approver to a pending MFA request.\nIf the required number of approvers is reached, the MFA request is approved;\nthe confirmation receipt can be used to resume the original HTTP request.\n\nIf rejecting, immediately deletes the pending MFA request.", "operationId": "mfaVoteFidoComplete", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", 
"required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "mfa_id", "in": "path", "description": "Name or ID of the desired MfaRequest", "required": true, "schema": { "type": "string" }, "example": "MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "mfa_vote", "in": "query", "required": false, "schema": { "allOf": [ { "$ref": "#/components/schemas/MfaVote" } ], "nullable": true }, "style": "form" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/FidoAssertAnswer" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/MfaRequestInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:vote:fido" ] } ] } }, "/v0/org/{org_id}/mfa/{mfa_id}/totp": { "patch": { "tags": [ "MFA" ], "summary": "Approve/Reject a TOTP MFA Request", "description": "Approve/Reject a TOTP MFA Request\n\nIf approving, adds the current user as approver to a pending MFA request by\nproviding TOTP code. 
If the required number of approvers is reached, the MFA request is\napproved; the confirmation receipt can be used to resume the original HTTP request.\n\nIf rejecting, immediately deletes the pending MFA request.", "operationId": "mfaVoteTotp", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "mfa_id", "in": "path", "description": "Name or ID of the desired MfaRequest", "required": true, "schema": { "type": "string" }, "example": "MfaRequest#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "mfa_vote", "in": "query", "required": false, "schema": { "allOf": [ { "$ref": "#/components/schemas/MfaVote" } ], "nullable": true }, "style": "form" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TotpApproveRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/MfaRequestInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:vote:totp" ] } ] } }, "/v0/org/{org_id}/mmi/v3/messages": { "get": { "tags": [ "MMI" ], "summary": "List pending MMI requests", "description": "List pending MMI requests\n\nRetrieves and returns all pending MMI messages accessible to the current session identity, i.e.,\n- a role session can access only the messages created by that role\n- a user session can access the messages created by either that user or any role which the user is a member of", "operationId": "mmiMessageList", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/ListPendingMessagesResponse" }, 
"default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mmi:list" ] } ] } }, "/v0/org/{org_id}/mmi/v3/messages/{msg_id}": { "get": { "tags": [ "MMI" ], "summary": "Get an MMI request", "description": "Get an MMI request\n\nRetrieves a pending MMI request by its ID.", "operationId": "mmiMessageGet", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "msg_id", "in": "path", "description": "Name or ID of the desired PendingMessage", "required": true, "schema": { "type": "string" }, "example": "PendingMessage#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/PendingMessageInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mmi:get" ] } ] }, "delete": { "tags": [ "MMI" ], "summary": "Delete an MMI request", "description": "Delete an MMI request\n\nRejects an existing MMI request and then deletes it from the database.", "operationId": "mmiMessageDelete", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "msg_id", "in": "path", "description": "Name or ID of the desired PendingMessage", "required": true, "schema": { "type": "string" }, "example": "PendingMessage#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mmi:delete" 
] } ] } }, "/v0/org/{org_id}/mmi/v3/messages/{msg_id}/reject": { "post": { "tags": [ "MMI" ], "summary": "Reject an MMI request", "description": "Reject an MMI request\n\nRejects a pending MMI request. The record of the MMI request is kept in\nthe database until it expires or is explicitly deleted.\n\nReturns the updated request information.", "operationId": "mmiMessageReject", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "msg_id", "in": "path", "description": "Name or ID of the desired PendingMessage", "required": true, "schema": { "type": "string" }, "example": "PendingMessage#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/MmiRejectRequest" } ], "nullable": true } } }, "required": false }, "responses": { "200": { "$ref": "#/components/responses/PendingMessageInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mmi:reject" ] } ] } }, "/v0/org/{org_id}/mmi/v3/messages/{msg_id}/sign": { "post": { "tags": [ "MMI" ], "summary": "Approve and sign an MMI request", "description": "Approve and sign an MMI request\n\nSigns a pending request that was generated through the MMI JSON RPC endpoint.\nThe signature is stored with the pending message and the updated request info is returned.\n\nThe message should be associated with the organization this is called from,\nand the user should be the owner of the corresponding message's key.", "operationId": "mmiMessageSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": 
"msg_id", "in": "path", "description": "Name or ID of the desired PendingMessage", "required": true, "schema": { "type": "string" }, "example": "PendingMessage#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/PendingMessageInfo" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/PendingMessageSignResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:mmi" ] } ] } }, "/v0/org/{org_id}/oauth2/twitter": { "post": { "tags": [ "OAuth2" ], "summary": "Mint an OIDC ID token for Twitter", "description": "Mint an OIDC ID token for Twitter\n\nThis function acts identically to Twitter's [`oauth2/token`](https://developer.twitter.com/en/docs/authentication/api-reference/token) endpoint,\nbut extends the output with an `id_token`.\n\nThis `id_token` can then be used with any CubeSigner endpoint that requires an OIDC token.\n\n> [!IMPORTANT]\n> This endpoint will fail unless the org is configured to allow the issuer `https://shim.oauth2.cubist.dev/twitter` and client ID being used for Twitter.\n", "operationId": "oauth2Twitter", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "type": "object", "additionalProperties": { "type": "string" } } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/TokenResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ {} ] } }, "/v0/org/{org_id}/oidc": { "post": { "tags": [ "OAuth2" ], "summary": "Login with OIDC", "description": "Login with 
OIDC\n\nExchange an OIDC ID token (passed via the `Authorization` header) for a signer session.\n\nMFA is required when:\n- an MFA policy is explicitly attached to the user logging in\n(e.g., an org owner can do that at user creation time to require certain kind of MFA)\n- the user has at least 1 MFA factor configured", "operationId": "oidcAuth", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/OidcLoginRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/NewSessionResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "Oidc": [] } ] } }, "/v0/org/{org_id}/oidc/email-otp": { "post": { "tags": [ "OAuth2" ], "summary": "Initiate login via email token", "description": "Initiate login via email token\n\nThis endpoint generates an OIDC token without a signature (of the form `header.payload.`), and sends the signature to the user's email.\nClient applications can reconstruct the token by concatenating the `partial_token` with the signature, producing a valid OIDC token of the form `header.payload.signature`\nThe token can then be used to authenticate the user.\n\n> [!IMPORTANT]\n> For this endpoint to succeed, the org must be configured to:\n> 1. Allow the issuer `https://shim.oauth2.cubist.dev/email-otp` and client ID being the Org ID\n> 2. 
Have an email sender configured for OTPs", "operationId": "emailOtpAuth", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/EmailOtpRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmailOtpResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ {} ] } }, "/v0/org/{org_id}/oidc/siwe": { "post": { "tags": [ "OAuth2" ], "summary": "Initiate login via Sign-in With Ethereum (SIWE).", "description": "Initiate login via Sign-in With Ethereum (SIWE).\n\nThis endpoint generates a challenge which can be answered (via the corresponding PATCH endpoint)\nto obtain an OIDC token. The OIDC token can then be exchanged for a user session via the standard\nOIDC auth route.\n\n> [!IMPORTANT]\n> For this endpoint to succeed, the org must be configured to:\n> Allow the issuer `https://shim.oauth2.cubist.dev/siwe` with the Org ID as the client ID", "operationId": "siweInit", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/SiweInitRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/SiweInitResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ {} ] }, "patch": { "tags": [ "OAuth2" ], "summary": "Complete login via Sign-in With Ethereum (SIWE)", "description": "Complete login via Sign-in With Ethereum 
(SIWE)\n\nIf the challenge (issued by the corresponding POST endpoint) is answered correctly, this endpoint\ngenerates an OIDC token that can then be exchanged for a user session via the standard OIDC auth route.\n\n> [!IMPORTANT]\n> For this endpoint to succeed, the org must be configured to:\n> Allow the issuer `https://shim.oauth2.cubist.dev/siwe` with the Org ID as the client ID", "operationId": "siweComplete", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/SiweCompleteRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/SiweCompleteResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ {} ] } }, "/v0/org/{org_id}/oidc/telegram": { "post": { "tags": [ "OAuth2" ], "summary": "Allows a user to authenticate with the telegram API using the tgWebAppData value", "description": "Allows a user to authenticate with the telegram API using the tgWebAppData value\nThe token has the following properties:\n- The `sub` field is the telegram user ID\n- The `iss` field depends on the chosen environment:\n- `https://shim.oauth2.cubist.dev/telegram/production` for the production environment\n- `https://shim.oauth2.cubist.dev/telegram/test` for the test environment\n- The `aud` field is the provided telegram bot ID\n- The `exp` field is derived from the `auth_date` field in the telegram data\n\nFails if the telegram data is invalid or the signature is invalid", "operationId": "telegramAuth", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": 
"Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TelegramAuthRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/TelegramAuthResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ {} ] } }, "/v0/org/{org_id}/orgs": { "post": { "tags": [ "Orgs" ], "summary": "Create Org", "description": "Create Org\n\nCreates a new organization. The new org is a child of the\ncurrent org and inherits its key-export policy. The new org\nis created with one owner, the caller of this API.", "operationId": "createOrg", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateOrgRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/OrgInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:create" ] } ] } }, "/v0/org/{org_id}/policies": { "get": { "tags": [ "Policies" ], "summary": "List Policies", "description": "List Policies\n\nReturns the list of all policies in the Org.", "operationId": "listPolicies", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per page.\n\nIf the actual number of returned items may be less that this, even if there exist more\ndata in the result set. 
To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 100, "maximum": 1001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" } ], "responses": { "200": { "$ref": "#/components/responses/PaginatedListPoliciesResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:list" ] } ] }, "post": { "tags": [ "Policies" ], "summary": "Create Policy", "description": "Create Policy\n\nCreates a new named policy in the organization. 
The user making the request is the\nowner of the policy, giving them edit access to the policy along with the org owners.", "operationId": "createPolicy", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreatePolicyRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/PolicyInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:create" ] } ] } }, "/v0/org/{org_id}/policies/{policy_id}": { "delete": { "tags": [ "Policies" ], "summary": "Delete Policy", "description": "Delete Policy\n\nDelete the named policy with the given name or id.", "operationId": "deletePolicy", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "policy_id", "in": "path", "description": "Name or ID of the desired NamedPolicy", "required": true, "schema": { "type": "string" }, "example": "NamedPolicy#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Empty" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:delete" ] } ] }, "patch": { "tags": [ "Policies" ], "summary": "Update 
Policy", "description": "Update Policy\n\nUpdates the policy with the given name or id.", "operationId": "updatePolicy", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "policy_id", "in": "path", "description": "Name or ID of the desired NamedPolicy", "required": true, "schema": { "type": "string" }, "example": "NamedPolicy#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/UpdatePolicyRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/PolicyInfo" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:update", "manage:policy:update:rule", "manage:policy:update:owner", "manage:policy:update:name", "manage:policy:update:editPolicy" ] } ] } }, "/v0/org/{org_id}/policies/{policy_id}/logs": { "post": { "tags": [ "Policies" ], "summary": "Get Policy Logs", "description": "Get Policy Logs\n\nReturns the logs for the given policy, within the given timeframe.", "operationId": "getPolicyLogs", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "policy_id", "in": "path", "description": "Name or ID of the desired NamedPolicy", "required": true, "schema": { "type": "string" }, "example": "NamedPolicy#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per page.\n\nIf the actual number of returned 
items may be less than this, even if there exist more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 100, "maximum": 1001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/PolicyLogsRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/PaginatedPolicyLogsResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:logs:get" ] } ] } }, "/v0/org/{org_id}/policies/{policy_id}/{version}": { "get": { "tags": [ "Policies" ], "summary": "Get Policy", "description": "Get Policy\n\nReturns the specified version or latest of a named policy with the given name or id.", "operationId": "getPolicy", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "policy_id", "in": "path", "description": "Name or ID of the desired NamedPolicy", "required": true, "schema": { "type": "string" }, "example": "NamedPolicy#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "version", "in": "path", "description": "The policy version, either 'latest' or 'v'.", "required": true, "schema": { "type": "string" }, "example": "latest" } ], "responses": { "200": { "$ref": 
"#/components/responses/PolicyInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:get" ] } ] } }, "/v0/org/{org_id}/policies/{policy_id}/{version}/invoke": { "post": { "tags": [ "Policies" ], "summary": "Invoke Policy", "description": "Invoke Policy\n\nInvokes the [NamedPolicy] with the given ID with the given request information.\nIt is only supported for Wasm policies.", "operationId": "invokePolicy", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "policy_id", "in": "path", "description": "Name or ID of the desired NamedPolicy", "required": true, "schema": { "type": "string" }, "example": "NamedPolicy#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "version", "in": "path", "description": "The policy version, either 'latest' or 'v'.", "required": true, "schema": { "type": "string" }, "example": "latest" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/InvokePolicyRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/InvokePolicyResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:invoke" ] } ] } }, "/v0/org/{org_id}/policy/import_key": { "get": { "tags": [ "Policies" ], "summary": "Create Policy Import Key", "description": "Create Policy Import Key\n\nGenerate an ephemeral key that a client can use for encrypting data related to Wasm\npolicies (e.g., policy secrets).", "operationId": "createPolicyImportKey", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { 
"type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/CreatePolicyImportKeyResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:createImportKey" ] } ] } }, "/v0/org/{org_id}/policy/secrets": { "get": { "tags": [ "Policies" ], "summary": "Get the org-wide policy secrets.", "description": "Get the org-wide policy secrets.\n\nNote that this only returns the keys for the secrets, omiting the values.\nThe values are secret and are not accessible outside Wasm policy execution.", "operationId": "getPolicySecrets", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/PolicySecretsInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:secrets:get" ] } ] }, "patch": { "tags": [ "Policies" ], "summary": "Update org-level policy secrets", "description": "Update org-level policy secrets\n\nThe provided secrets will replace any existing org-level secrets.\nIt fails if the secrets weren't previously created.", "operationId": "updatePolicySecrets", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/UpdatePolicySecretsRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/PolicySecretsInfo" }, "202": { "description": "", "content": { 
"application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:secrets:update", "manage:policy:secrets:update:values", "manage:policy:secrets:update:editPolicy" ] } ] } }, "/v0/org/{org_id}/policy/secrets/{secret_name}": { "put": { "tags": [ "Policies" ], "summary": "Create or overwrite an org-level policy secret", "description": "Create or overwrite an org-level policy secret", "operationId": "setPolicySecret", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "secret_name", "in": "path", "required": true, "schema": { "type": "string" }, "style": "simple" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/SetPolicySecretRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/PolicySecretsInfo" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:secrets:update:values" ] } ] }, "delete": { "tags": [ "Policies" ], "summary": "Delete an org-level policy secret", "description": "Delete an org-level policy secret", "operationId": "deletePolicySecret", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "secret_name", "in": "path", "required": true, "schema": { "type": "string" } } ], "requestBody": { 
"content": { "application/json": { "schema": { "$ref": "#/components/schemas/Empty" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/PolicySecretsInfo" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:secrets:update:values" ] } ] } }, "/v0/org/{org_id}/policy/wasm": { "post": { "tags": [ "Policies" ], "summary": "Upload Wasm Policy", "description": "Upload Wasm Policy\n\nReturns a signed URL for uploading a wasm policy to CubeSigner. The policy will be\ndeleted if not attached to a [NamedPolicy] soon after the upload has been completed.", "operationId": "uploadWasmPolicy", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/UploadWasmPolicyRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/UploadWasmPolicyResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:policy:wasm:upload" ] } ] } }, "/v0/org/{org_id}/roles": { "get": { "tags": [ "Roles" ], "summary": "List Roles", "description": "List Roles\n\nRetrieves all roles in an organization that the current user is allowed to access.", "operationId": "listRoles", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", 
"description": "Max number of items to return per page.\n\nIf the actual number of returned items may be less that this, even if there exist more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 1000, "maximum": 10001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. Omit to start from the beginning; otherwise, only specify a\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" }, { "name": "summarize", "in": "query", "description": "Don't include keys and users for each role", "required": false, "schema": { "type": "boolean", "nullable": true }, "style": "form" } ], "responses": { "200": { "$ref": "#/components/responses/PaginatedListRolesResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:role:list" ] } ] }, "post": { "tags": [ "Roles" ], "summary": "Create Role", "description": "Create Role\n\nCreates a new role in an organization. 
Unless the logged-in user\nis the owner, they are automatically added to the newly created role.", "operationId": "createRole", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "description": "Optional request body to set the role name", "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/CreateRoleRequest" } ], "nullable": true } } }, "required": false }, "responses": { "200": { "$ref": "#/components/responses/CreateRoleResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:role:create" ] } ] } }, "/v0/org/{org_id}/roles/{role_id}": { "get": { "tags": [ "Roles" ], "summary": "Get Role", "description": "Get Role\n\nRetrieves information about a role in an organization", "operationId": "getRole", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role_id", "in": "path", "description": "Name or ID of the desired Role", "required": true, "schema": { "type": "string" }, "example": "Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/RoleInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:role:get" ] } ] }, "delete": { "tags": [ "Roles" ], "summary": "Delete Role", "description": "Delete Role\n\nDeletes a role in an organization.\n\nOnly users in the role can perform this action.\nAdditionally, the role's edit policy (if set) must permit the update.", "operationId": "deleteRole", 
"parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role_id", "in": "path", "description": "Name or ID of the desired Role", "required": true, "schema": { "type": "string" }, "example": "Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Empty" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:role:delete" ] } ] }, "patch": { "tags": [ "Roles" ], "summary": "Update Role", "description": "Update Role\n\nEnables or disables a role (this requires the `manage:role:update:enable` scope).\nUpdates the role's policies (this requires the `manage:role:update:policy` scope).\nUpdates the role's edit policies (this requires the `manage:role:update:editPolicy` scope).\n\nThe user must be in the role or an owner of the organization.\nAdditionally, the role's edit policy (if set) must permit the update.", "operationId": "updateRole", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role_id", "in": "path", "description": "Name or ID of the desired Role", "required": true, "schema": { "type": "string" }, "example": "Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/UpdateRoleRequest" } } }, "required": true }, "responses": { 
"200": { "$ref": "#/components/responses/RoleInfo" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:role:update:enable", "manage:role:update:policy", "manage:role:update:editPolicy" ] } ] } }, "/v0/org/{org_id}/roles/{role_id}/add_keys": { "put": { "tags": [ "Keys In Role" ], "summary": "Add Keys", "description": "Add Keys\n\nAdds a list of existing keys to an existing role.\n\nThe key owner is allowed to add their key to any role that they are in.\n\nIn \"org custody\" model only, org owners are allowed to add any key to any role.\n\nIn all cases: the role's edit policy, as well as the edit policy of each of the keys, must permit the update.\n\nEach request to this endpoint can add, at maximum, 32 keys.", "operationId": "addKeysToRole", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role_id", "in": "path", "description": "Name or ID of the desired Role", "required": true, "schema": { "type": "string" }, "example": "Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AddKeysToRoleRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:role:update:key:add" ] } ] } }, 
"/v0/org/{org_id}/roles/{role_id}/add_user/{user_id}": { "put": { "tags": [ "Users In Role" ], "summary": "Add User", "description": "Add User\n\nAdds an existing user to an existing role.\n\nOnly users in the role or org owners can add users to a role.\nAdditionally, the role's edit policy (if set) must permit the update.", "operationId": "addUserToRole", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role_id", "in": "path", "description": "Name or ID of the desired Role", "required": true, "schema": { "type": "string" }, "example": "Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "user_id", "in": "path", "description": "ID of the desired User", "required": true, "schema": { "type": "string" }, "example": "User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Empty" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:role:update:user:add" ] } ] } }, "/v0/org/{org_id}/roles/{role_id}/keys": { "get": { "tags": [ "Roles" ], "summary": "List Role Keys", "description": "List Role Keys\n\nReturns an array of all keys in a role.", "operationId": "listRoleKeys", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role_id", "in": "path", "description": "Name or ID of the desired Role", "required": true, 
"schema": { "type": "string" }, "example": "Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per page.\n\nIf the actual number of returned items may be less that this, even if there exist more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 100, "maximum": 1001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. Omit to start from the beginning; otherwise, only specify a\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" } ], "responses": { "200": { "$ref": "#/components/responses/PaginatedListRoleKeysResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:role:get:keys" ] } ] } }, "/v0/org/{org_id}/roles/{role_id}/keys/{key_id}": { "get": { "tags": [ "Roles" ], "summary": "Get a Key in Role", "description": "Get a Key in Role\n\nReturns the key-in-role information for a given key and role. 
If `details` is set to `true`,\nthis endpoint returns detailed key information.", "operationId": "getRoleKey", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role_id", "in": "path", "description": "Name or ID of the desired Role", "required": true, "schema": { "type": "string" }, "example": "Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "key_id", "in": "path", "description": "ID of the desired Key", "required": true, "schema": { "type": "string" }, "example": "Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "details", "in": "query", "description": "Whether to include detailed key information", "required": false, "schema": { "type": "boolean", "nullable": true }, "style": "form", "example": "true" } ], "responses": { "200": { "$ref": "#/components/responses/KeyInRoleInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:role:get:keys" ] } ] }, "delete": { "tags": [ "Keys In Role" ], "summary": "Remove Key", "description": "Remove Key\n\nRemoves a given key from a role.\n\nOnly users in the role or org owners can remove keys from a role.\nAdditionally, both the role's and the key's edit policy must permit the update.", "operationId": "removeKeyFromRole", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role_id", "in": "path", "description": "Name or ID of the desired Role", "required": true, "schema": { "type": "string" }, "example": "Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "key_id", "in": "path", "description": "ID of the desired Key", "required": true, "schema": { "type": 
"string" }, "example": "Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Empty" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:role:update:key:remove" ] } ] } }, "/v0/org/{org_id}/roles/{role_id}/tokens": { "post": { "tags": [ "Role Access Tokens" ], "summary": "Create Token", "description": "Create Token\n\nCreates a new access token for a given role (to be used as \"API Key\" for all signing actions).\nThe `restricted_actions` field on the [Role] determines the membership role that is required to\ncreate tokens.", "operationId": "createRoleToken", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role_id", "in": "path", "description": "Name or ID of the desired Role", "required": true, "schema": { "type": "string" }, "example": "Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateTokenRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/NewSessionResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:session:create" ] } ] } }, "/v0/org/{org_id}/roles/{role_id}/tx": { "get": { "tags": [ "Roles" ], "summary": "List Historical Transactions", "description": "List Historical Transactions\n\nReturns a 
sorted, paginated list of transactions signed by the given role,\nordered from most recent first.", "operationId": "listHistoricalRoleTx", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role_id", "in": "path", "description": "Name or ID of the desired Role", "required": true, "schema": { "type": "string" }, "example": "Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per page.\n\nThe actual number of returned items may be less than this, even if there exist more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 1000, "maximum": 10001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. 
Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" } ], "responses": { "200": { "$ref": "#/components/responses/PaginatedListHistoricalTxResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:role:history:tx:list" ] } ] } }, "/v0/org/{org_id}/roles/{role_id}/users": { "get": { "tags": [ "Roles" ], "summary": "List Role Users.", "description": "List Role Users.\n\nReturns an array of all users who have access to a role.", "operationId": "listRoleUsers", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role_id", "in": "path", "description": "Name or ID of the desired Role", "required": true, "schema": { "type": "string" }, "example": "Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per page.\n\nThe actual number of returned items may be less than this, even if there exist more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 1000, "maximum": 10001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. 
Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" } ], "responses": { "200": { "$ref": "#/components/responses/PaginatedListRoleUsersResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:role:get:users" ] } ] } }, "/v0/org/{org_id}/roles/{role_id}/users/{user_id}": { "delete": { "tags": [ "Users In Role" ], "summary": "Remove User", "description": "Remove User\n\nRemoves an existing user from an existing role.\n\nOnly users in the role or org owners can remove users from a role.\nAdditionally, the role's edit policy (if set) must permit the update.", "operationId": "removeUserFromRole", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role_id", "in": "path", "description": "Name or ID of the desired Role", "required": true, "schema": { "type": "string" }, "example": "Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "user_id", "in": "path", "description": "ID of the desired User", "required": true, "schema": { "type": "string" }, "example": "User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Empty" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ 
"manage:role:update:user:remove" ] } ] } }, "/v0/org/{org_id}/session": { "get": { "tags": [ "Sessions" ], "summary": "List sessions", "description": "List sessions\n\nIf no query parameters are provided, all active sessions for the current user are returned.\n\nIf a `role` query parameter is provided, all active sessions for the selected role are returned\n(asserting first that the current user has permissions to read sessions for that role).\n", "operationId": "listSessions", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per page.\n\nIf the actual number of returned items may be less that this, even if there exist more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 1000, "maximum": 10001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. 
Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" }, { "name": "role", "in": "query", "description": "If provided, the name or ID of a role to operate on.\nCannot be specified together with `user`.", "required": false, "schema": { "type": "string", "nullable": true }, "example": "my-role" }, { "name": "user", "in": "query", "description": "If provided, the ID of a user to operate on.\nCannot be specified together with `role`.", "required": false, "schema": { "type": "string", "nullable": true }, "example": "User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/PaginatedSessionsResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:session:list" ] } ] }, "post": { "tags": [ "Sessions" ], "summary": "Create new user session (management and/or signing)", "description": "Create new user session (management and/or signing)\n\nCreates a new user session, silently truncating requested session and auth lifetimes to be at\nmost requestor's session and auth lifetime, respectively. 
To extend the requested lifetimes past\nthe requestor's, set the `extend_lifetimes` flag in the request body (in which case MFA will\nbe required).\n", "operationId": "createSession", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateSessionRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/NewSessionResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:session:create" ] } ] }, "delete": { "tags": [ "Sessions" ], "summary": "Revoke ALL existing user or role session(s)", "description": "Revoke ALL existing user or role session(s)\n\nImmediately revokes existing sessions, preventing them from being used or refreshed.\n\nIf no query params are provided, **ALL** sessions for the **CURRENT USER** are revoked\n(to revoke just the current user session, use `DELETE /v0/org/{org_id}/session/self`)\n\nIf a `role` query parameter is provided, **ALL** sessions for **THAT ROLE** are revoked\n(if the current user has permissions to revoke sessions for the role).\n", "operationId": "revokeSessions", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "role", "in": "query", "description": "If provided, the name or ID of a role to operate on.\nCannot be specified together with `user`.", "required": false, "schema": { "type": "string", "nullable": true }, "example": "my-role" }, { "name": "user", "in": "query", "description": "If provided, the ID of a user to operate on.\nCannot be specified together with 
`role`.", "required": false, "schema": { "type": "string", "nullable": true }, "example": "User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/SessionsResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:session:revoke" ] } ] } }, "/v0/org/{org_id}/session/self": { "delete": { "tags": [ "Sessions" ], "summary": "Revoke current session", "description": "Revoke current session\n\nImmediately revokes the current session, preventing it from being used or refreshed", "operationId": "revokeCurrentSession", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [] } ] } }, "/v0/org/{org_id}/session/{session_id}": { "get": { "tags": [ "Sessions" ], "summary": "Get session information", "description": "Get session information", "operationId": "getSession", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "session_id", "in": "path", "description": "The ID of the session to get or 'self' for current session", "required": true, "schema": { "type": "string" }, "example": "1c0d853d-c15f-42dc-a82c-9874e589bc75" } ], "responses": { "200": { "$ref": "#/components/responses/SessionInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ 
"manage:session:get" ] } ] }, "delete": { "tags": [ "Sessions" ], "summary": "Revoke a session", "description": "Revoke a session\n\nImmediately revokes an existing session, preventing it from being used or refreshed", "operationId": "revokeSession", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "session_id", "in": "path", "description": "The ID of the session to revoke", "required": true, "schema": { "type": "string" }, "example": "77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e" } ], "responses": { "200": { "$ref": "#/components/responses/SessionInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:session:revoke" ] } ] } }, "/v0/org/{org_id}/solana/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign Solana Message", "description": "Sign Solana Message\n\nSigns a Solana message with a given key.\nThis is a pre-release feature.", "operationId": "solanaSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "The base58-encoded public key", "required": true, "schema": { "type": "string" }, "example": "86ZRPszBp5EoPj7wR3bHn7wnAZ5iYfpasRc7DKFPTUaZ" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/SolanaSignRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/SignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { 
"application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:solana" ] } ] } }, "/v0/org/{org_id}/sui/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign a serialized SUI transaction.", "description": "Sign a serialized SUI transaction.\n\nThis is a pre-release feature.", "operationId": "suiSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "Hex-encoded SUI key address", "required": true, "schema": { "type": "string" }, "example": "0xdd68d35a778db1e3123c950e5db5361333f57733a77486a704dd8c994d96761d" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/SuiSignRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/SignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:sui" ] } ] } }, "/v0/org/{org_id}/tendermint/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign a tendermint message.", "description": "Sign a tendermint message.\n\nSigns the given base-64 encoded vote or proposal with the given tendermint key.", "operationId": "tendermintSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "Hex-encoded validator public key with 0x prefix", "required": true, "schema": { "type": "string" }, "example": 
"0x7d8d344e6e53151692fa78a098630799946ad4d6a027ae6bcd7a78dc78281650" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TendermintSignRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/SignResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:tendermint" ] } ] } }, "/v0/org/{org_id}/token/keys": { "get": { "tags": [ "Role Access Tokens" ], "summary": "Get Token-Accessible Keys", "description": "Get Token-Accessible Keys\n\nRetrieves the keys that a user or role session can access.", "operationId": "listTokenKeys", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/KeyInfos" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:key:get" ] } ] } }, "/v0/org/{org_id}/user/me": { "get": { "tags": [ "User" ], "summary": "User Info", "description": "User Info\n\nRetrieves information about the current user.", "operationId": "aboutMe", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/UserInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [] } ] } }, "/v0/org/{org_id}/user/me/email": { "post": { "tags": [ "User" ], "summary": "Initiate Reset Verified Email Flow", "description": "Initiate Reset 
Verified Email Flow\n", "operationId": "userResetEmailInit", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/EmailResetRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmailOtpResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:register:email" ] } ] }, "patch": { "tags": [ "User" ], "summary": "Finalize a Reset Verified Email Flow", "description": "Finalize a Reset Verified Email Flow", "operationId": "userResetEmailComplete", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/EmailOtpAnswer" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:register:email" ] } ] } }, "/v0/org/{org_id}/user/me/export": { "get": { "tags": [ "User Export" ], "summary": "List outstanding user-export requests", "description": "List outstanding user-export requests", "operationId": "userExportList", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per 
page.\n\nThe actual number of returned items may be less than this, even if there exists more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 1000, "maximum": 10001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" }, { "name": "user_id", "in": "query", "description": "If provided, the user-id whose user-export requests to list. Defaults to the\ncurrent user. Only the org owner may list requests for another user.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form", "example": "User#806c9544-f1fa-4bad-8d4d-1097a1844726" }, { "name": "key_id", "in": "query", "description": "If provided, the key-id for which to list an existing user-export request.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form", "example": "Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8" } ], "responses": { "200": { "$ref": "#/components/responses/PaginatedUserExportListResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:export:user:list" ] } ] }, "post": { "tags": [ "User Export" ], "summary": "Initiate a user-export request", "description": "Initiate a user-export request\n\nThis starts a delay (whose length is determined by Org-wide settings)\nbefore export can be completed, and returns a ticket that can be used\nto complete the export once the timer has expired.\n\nOnly one user-export request can be active for a 
given key. If there\nis already an active export, this endpoint will return an error. To\ncreate a new request, first delete the existing one.", "operationId": "userExportInit", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/UserExportInitRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/UserExportInitResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "export:user:init" ] } ] }, "delete": { "tags": [ "User Export" ], "summary": "Delete an existing user-export request", "description": "Delete an existing user-export request", "operationId": "userExportDelete", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "key_id", "in": "query", "description": "The key-id whose export request should be deleted", "required": true, "schema": { "type": "string" }, "style": "form", "example": "Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8" }, { "name": "user_id", "in": "query", "description": "The user-id who owns this request. 
If omitted, defaults to the current user.\nOnly the org owner may delete user-export requests for another user.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form", "example": "User#806c9544-f1fa-4bad-8d4d-1097a1844726" } ], "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:export:user:delete" ] } ] }, "patch": { "tags": [ "User Export" ], "summary": "Complete a user-export request", "description": "Complete a user-export request\n\nThis endpoint can be called only after initiating a user-export request via\nthe `user_export_init` API, and only within the subsequent export window\n(i.e., after the export delay has passed and before the request has expired).\n\nTo check on the status of an export request, see the `user_export_list` API.", "operationId": "userExportComplete", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/UserExportCompleteRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/UserExportCompleteResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "export:user:complete" ] } ] } }, "/v0/org/{org_id}/user/me/fido": { "post": { "tags": [ "User" ], "summary": "Initiate registration of a FIDO key.", "description": "Initiate registration of a FIDO key.\n\nIf a discoverable key is requested, 
user verification (PIN) is required.\n\nGenerates a challenge that must be answered to prove ownership of a key.", "operationId": "userRegisterFidoInit", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/FidoCreateRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/FidoCreateChallengeResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:register:fido" ] } ] }, "patch": { "tags": [ "User" ], "summary": "Finalize registration of a FIDO key", "description": "Finalize registration of a FIDO key\n\nAccepts the response to the challenge generated by the POST to this endpoint.", "operationId": "userRegisterFidoComplete", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/FidoCreateChallengeAnswer" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:register:fido" ] } ] } }, "/v0/org/{org_id}/user/me/fido/{fido_id}": { "delete": { "tags": [ "User" ], "summary": "Delete FIDO key", "description": "Delete FIDO key\n\nDeletes a FIDO key from the user's account 
(if the key is not the sole MFA factor). MFA is always required.", "operationId": "userDeleteFido", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "fido_id", "in": "path", "description": "Name or ID of the desired FidoKey", "required": true, "schema": { "type": "string" }, "example": "FidoKey#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Empty" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:unregister:fido" ] } ] } }, "/v0/org/{org_id}/user/me/totp": { "post": { "tags": [ "User" ], "summary": "Initialize TOTP Reset", "description": "Initialize TOTP Reset\n\nCreates a new TOTP challenge that must be answered to prove that the new TOTP\nwas successfully imported into an authenticator app.\n\nThis operation is allowed if EITHER\n- the user account is not yet initialized and no TOTP is already set, OR\n- the user has not configured any auth factors;\notherwise, MFA is required.", "operationId": "userResetTotpInit", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/TotpResetRequest" } ], "nullable": true } } }, "required": false }, "responses": { "200": { "$ref": "#/components/responses/TotpInfo" }, 
"202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:register:totp" ] } ] }, "delete": { "tags": [ "User" ], "summary": "Delete TOTP", "description": "Delete TOTP\n\nDeletes TOTP from the user's account (if TOTP is not the sole MFA factor). MFA is always required.\n", "operationId": "userDeleteTotp", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Empty" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:unregister:totp" ] } ] }, "patch": { "tags": [ "User" ], "summary": "Finalize resetting TOTP", "description": "Finalize resetting TOTP\n\nChecks if the response contains the correct TOTP code corresponding to the\nchallenge generated by the POST method of this endpoint.", "operationId": "userResetTotpComplete", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TotpChallengeAnswer" } } }, "required": true }, "responses": { "200": { "$ref": 
"#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:register:totp" ] } ] } }, "/v0/org/{org_id}/user/me/totp/verify": { "post": { "tags": [ "User" ], "summary": "Verify TOTP", "description": "Verify TOTP\n\nChecks if a given code matches the current TOTP code for the current user.\nErrors with 403 if the current user has not set up TOTP or the code fails verification.", "operationId": "userVerifyTotp", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TotpApproveRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:mfa:verify:totp" ] } ] } }, "/v0/org/{org_id}/users": { "get": { "tags": [ "Users In Org" ], "summary": "List users in organization", "description": "List users in organization\n\nIf a query is defined, the result will contain only the users whose name or\nemail contain the query string. 
NOTE that if pagination is used and a page\nlimit is set, the returned result set may contain FEWER elements than the\nrequested page limit.\n", "operationId": "listUsersInOrg", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "page.size", "in": "query", "description": "Max number of items to return per page.\n\nThe actual number of returned items may be less than this, even if there exists more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "required": false, "schema": { "type": "integer", "format": "int32", "default": 1000, "maximum": 10001, "minimum": 1 }, "style": "form" }, { "name": "page.start", "in": "query", "description": "The start of the page. Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" }, { "name": "q", "in": "query", "description": "A query string. 
If defined, all returned users will contain this string in their name or email.", "required": false, "schema": { "type": "string", "nullable": true }, "style": "form" } ], "responses": { "200": { "$ref": "#/components/responses/PaginatedGetUsersInOrgResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:user:list" ] } ] }, "post": { "tags": [ "Users In Org" ], "summary": "Add a third-party user to the org", "description": "Add a third-party user to the org\n", "operationId": "createOidcUser", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AddThirdPartyUserRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/AddThirdPartyUserResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:addUser" ] } ] } }, "/v0/org/{org_id}/users/email/{email}": { "get": { "tags": [ "Users In Org" ], "summary": "Get user by email.", "description": "Get user by email.\n\nThe search includes all users and their third-party identities.", "operationId": "getUserInOrgByEmail", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "email", "in": "path", "description": "The email associated with the user.", "required": true, "schema": { "type": "string" } } ], "responses": { "200": { "$ref": "#/components/responses/GetUserByEmailResponse" }, "default": { "description": "", "content": 
{ "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:user:get" ] } ] } }, "/v0/org/{org_id}/users/oidc": { "delete": { "tags": [ "Users In Org" ], "summary": "Remove a third-party user from the org", "description": "Remove a third-party user from the org\n", "operationId": "deleteOidcUser", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/OidcIdentity" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:deleteUser" ] } ] } }, "/v0/org/{org_id}/users/oidc/{iss}/{sub}": { "get": { "tags": [ "Users In Org" ], "summary": "Get a user by their OIDC identity", "description": "Get a user by their OIDC identity\n\nRetrieves a user in the organization by their OIDC issuer and subject.", "operationId": "getUserInOrgByOidc", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "iss", "in": "path", "description": "The OIDC issuer.", "required": true, "schema": { "type": "string" } }, { "name": "sub", "in": "path", "description": "The OIDC subject.", "required": true, "schema": { "type": "string" } } ], "responses": { "200": { "$ref": "#/components/responses/GetUserByOidcResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:user:get" ] 
} ] } }, "/v0/org/{org_id}/users/reset_mfa": { "post": { "tags": [ "Users In Org" ], "summary": "Initialize MFA reset for user", "description": "Initialize MFA reset for user", "operationId": "resetMemberMfa", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MfaResetRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:resetMfa" ] } ] }, "patch": { "tags": [ "Users In Org" ], "summary": "Complete MFA reset for user", "description": "Complete MFA reset for user", "operationId": "completeResetMemberMfa", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CompleteMfaResetRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "Oidc": [] } ] } }, "/v0/org/{org_id}/users/{user_id}": { "get": { "tags": [ "Users In Org" ], "summary": "Get user by id", "description": "Get user by id\n", "operationId": "getUserInOrg", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "user_id", "in": "path", 
"description": "ID of the desired User", "required": true, "schema": { "type": "string" }, "example": "User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/UserInOrgInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:user:get" ] } ] }, "delete": { "tags": [ "Users In Org" ], "summary": "Remove a user from the org", "description": "Remove a user from the org\n", "operationId": "deleteUser", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "user_id", "in": "path", "description": "ID of the desired User", "required": true, "schema": { "type": "string" }, "example": "User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:deleteUser" ] } ] } }, "/v0/org/{org_id}/users/{user_id}/membership": { "patch": { "tags": [ "Users In Org" ], "summary": "Update a user's membership in the org", "description": "Update a user's membership in the org\n\nEnable/disable another user in the org, or change their membership role.", "operationId": "updateUserMembership", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "user_id", "in": "path", "description": "ID of the desired User", "required": true, "schema": { "type": "string" }, "example": "User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { 
"schema": { "$ref": "#/components/schemas/UpdateUserMembershipRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/UserInOrgInfo" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "manage:org:updateMembership" ] } ] } }, "/v0/passkey": { "post": { "tags": [ "Login" ], "summary": "Initiate Login with Passkey", "description": "Initiate Login with Passkey\n\nThe response contains a FIDO challenge that the client must answer with any of their\ndiscoverable credentials. The answer should be submitted with the corresponding PATCH request.", "operationId": "passkeyAuthInit", "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/LoginRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/PasskeyAssertChallenge" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ {} ] }, "patch": { "tags": [ "Login" ], "summary": "Complete Login with Passkey", "description": "Complete Login with Passkey\n\nThe request should contain an answer to the challenge issued by the corresponding POST request.\nThe challenge may be answered with any of the user's discoverable credentials; if the credential\nincluded in the answer is registered with a user and an organization, the response will contain\na CubeSigner session (with the parameters supplied in the previous POST request) for that user\nin that organization.", "operationId": "passkeyAuthComplete", "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/PasskeyAssertAnswer" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/NewSessionResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": 
"#/components/schemas/ErrorResponse" } } } } }, "security": [ {} ] } }, "/v0/private/policy-execute/{policy_name}": { "post": { "tags": [ "policy-engine" ], "summary": "The policy_execute API endpoint is intended to demonstrate that the signer", "description": "The policy_execute API endpoint is intended to demonstrate that the signer\ncan use the policy engine, by way of the PolicyEngineClient.", "operationId": "policy-execute", "parameters": [ { "name": "policy_name", "in": "path", "description": "Base64Url-nopad of the sha256 digest of the policy binary", "required": true, "schema": { "type": "string" }, "example": "123456" } ], "requestBody": { "content": { "application/json": { "schema": { "type": "object" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/PolicyResultResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [] } ] } }, "/v0/user/me/fido": { "post": { "tags": [ "User" ], "summary": "Initiate registration of a FIDO key", "description": "Initiate registration of a FIDO key\n\nDEPRECATED. 
Use `POST /v0/org/{org_id}/user/me/fido` instead.\n\nGenerates a challenge that must be answered to prove ownership of a key", "operationId": "registerFidoInitLegacy", "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/FidoCreateRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/FidoCreateChallengeResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "deprecated": true, "security": [ { "SignerAuth": [ "manage:mfa:register:fido" ] } ] }, "patch": { "tags": [ "User" ], "summary": "Finalize registration of a FIDO key", "description": "Finalize registration of a FIDO key\n\nDEPRECATED. Use `PATCH /v0/org/{org_id}/user/me/fido` instead.\n\nAccepts the response to the challenge generated by the POST to this endpoint.", "operationId": "registerFidoCompleteLegacy", "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/FidoCreateChallengeAnswer" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "deprecated": true, "security": [ { "SignerAuth": [ "manage:mfa:register:fido" ] } ] } }, "/v0/user/me/totp": { "post": { "tags": [ "User" ], "summary": "Initialize TOTP Reset", "description": "Initialize TOTP Reset\n\nDEPRECATED. 
Use `POST /v0/org/{org_id}/user/me/totp` instead.\n\nCreates a new TOTP challenge that must be answered to prove that the new TOTP\nwas successfully imported into an authenticator app.\n\nThis operation is allowed if EITHER\n- the user account is not yet initialized and no TOTP is already set, OR\n- the user has not configured any auth factors;\notherwise, MFA is required.", "operationId": "resetTotpInitLegacy", "requestBody": { "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/TotpResetRequest" } ], "nullable": true } } }, "required": false }, "responses": { "200": { "$ref": "#/components/responses/TotpInfo" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "deprecated": true, "security": [ { "SignerAuth": [ "manage:mfa:register:totp" ] } ] }, "patch": { "tags": [ "User" ], "summary": "Finalize resetting TOTP", "description": "Finalize resetting TOTP\n\nDEPRECATED. Use `PATCH /v0/org/{org_id}/user/me/totp` instead.\n\nChecks if the response contains the correct TOTP code corresponding to the\nchallenge generated by the POST method of this endpoint.", "operationId": "resetTotpCompleteLegacy", "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TotpChallengeAnswer" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "deprecated": true, "security": [ { "SignerAuth": [ "manage:mfa:register:totp" ] } ] } }, "/v0/user/me/totp/verify": { "post": { "tags": [ "User" ], "summary": "Verify TOTP", "description": "Verify TOTP\n\nDEPRECATED. 
Use `POST /v0/org/{org_id}/user/me/totp/verify` instead.\n\nChecks if a given code matches the current TOTP code for the current user.\nErrors with 403 if the current user has not set up TOTP or the code fails verification.", "operationId": "verifyTotpLegacy", "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TotpApproveRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "deprecated": true, "security": [ { "SignerAuth": [ "manage:mfa:verify:totp" ] } ] } }, "/v0/user/orgs": { "get": { "tags": [ "User" ], "summary": "Retrieves all the orgs the user is a part of", "description": "Retrieves all the orgs the user is a part of", "operationId": "userOrgs", "responses": { "200": { "$ref": "#/components/responses/UserOrgsResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "Oidc": [] } ] } }, "/v1/org/{org_id}/blob/sign/{key_id}": { "post": { "tags": [ "Signing" ], "summary": "Sign Raw Blob", "description": "Sign Raw Blob\n\nSigns an arbitrary blob with a given key.\n\n- ECDSA signatures are serialized as big-endian r and s plus recovery-id\nbyte v, which can in general take any of the values 0, 1, 2, or 3.\n\n- EdDSA signatures are serialized in the standard format.\n\n- BLS signatures are not supported on the blob-sign endpoint.", "operationId": "blobSign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "key_id", "in": "path", "description": "ID of the desired Key", "required": true, "schema": { "type": "string" }, "example": "Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" 
} ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BlobSignRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/SignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:blob" ] } ] } }, "/v1/org/{org_id}/cube3signer/heartbeat": { "post": { "tags": [ "Cube3Signer" ], "summary": "Record heartbeat", "description": "Record heartbeat\n\nThis endpoint is called by the cube3signer proxy to record various metrics to CloudWatch.", "operationId": "cube3signerHeartbeat", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/HeartbeatRequest" } ], "nullable": true } } }, "required": false }, "responses": { "200": { "$ref": "#/components/responses/EmptyImpl" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [] } ] } }, "/v1/org/{org_id}/eth1/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign EVM Transaction", "description": "Sign EVM Transaction\n\nSigns an Ethereum (and other EVM) transaction with a given Secp256k1 key.\nReturns an RLP-encoded transaction with EIP-155 signature.\n\nThe key must be associated with the role and organization on whose behalf this action is called.", "operationId": "eth1Sign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": 
"string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "Hex-encoded ethereum address of the secp key", "required": true, "schema": { "type": "string" }, "example": "0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Eth1SignRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/Eth1SignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:evm:tx" ] } ] } }, "/v1/org/{org_id}/eth2/sign/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign Validator Request", "description": "Sign Validator Request\n\nSigns an eth2 validator request with a given BLS key.\n\nThe key must be associated with the role and organization on whose behalf this action is called.", "operationId": "eth2Sign", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, { "name": "pubkey", "in": "path", "description": "Hex-encoded validator (BLS) public key with 0x prefix", "required": true, "schema": { "type": "string" }, "example": "0x9700fbb8c906942442c2a5b3ad7498f27aedda253786a6fbaa8fef47fb7af234e50cf2cce815a553087992ae565d48da" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Eth2SignRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/Eth2SignResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { 
"description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:eth2:validate" ] } ] } }, "/v1/org/{org_id}/eth2/stake": { "post": { "tags": [ "Signing" ], "summary": "Sign Stake Deposit", "description": "Sign Stake Deposit\n\nSigns a deposit transaction with a `validator_key`. If `validator_key` is set to a pregenerated key, we use the\nprovided validator key. Otherwise, we generate a new BLS key.\n\nWhen using a pregenerated key, the key must be associated with the role and organization on whose\nbehalf this action is called.", "operationId": "stake", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/StakeRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/StakeResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:eth2:stake" ] } ] } }, "/v1/org/{org_id}/eth2/unstake/{pubkey}": { "post": { "tags": [ "Signing" ], "summary": "Sign Unstake Request", "description": "Sign Unstake Request\n\nHandle unstaking request, producing a signed voluntary exit message\nthat can be posted directly to the Beacon chain.\n\nThe key must be associated with the role and organization on whose behalf this action is called.", "operationId": "unstake", "parameters": [ { "name": "org_id", "in": "path", "description": "Name or ID of the desired Org", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" 
}, { "name": "pubkey", "in": "path", "description": "Hex-encoded validator (BLS) public key", "required": true, "schema": { "type": "string" }, "example": "0xa99a76ed7796f7be22d5b7e85deeb7c5677e88e511e0b337618f8c4eb61349b4bf2d153f649f7b53359fe8b94a38e44c" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/UnstakeRequest" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/UnstakeResponse" }, "202": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AcceptedResponse" } } } }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "sign:eth2:unstake" ] } ] } }, "/v1/org/{org_id}/token/refresh": { "patch": { "tags": [ "SignerSession" ], "summary": "Refresh Signer Session", "description": "Refresh Signer Session", "operationId": "signerSessionRefresh", "parameters": [ { "name": "org_id", "in": "path", "description": "ID of the organization owning the key", "required": true, "schema": { "type": "string" }, "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" } ], "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AuthData" } } }, "required": true }, "responses": { "200": { "$ref": "#/components/responses/NewSessionResponse" }, "default": { "description": "", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ErrorResponse" } } } } }, "security": [ { "SignerAuth": [ "" ] } ] } } }, "components": { "schemas": { "AcceptedResponse": { "allOf": [ { "$ref": "#/components/schemas/ErrorResponse" }, { "type": "object" } ] }, "AcceptedValue": { "oneOf": [ { "type": "object", "required": [ "MfaRequired" ], "properties": { "MfaRequired": { "type": "object", "required": [ "id", "ids", "org_id" ], "properties": { "id": { "type": "string", "description": "Always set to first MFA id 
from `Self::ids`" }, "ids": { "type": "array", "items": { "type": "string", "minLength": 1 }, "description": "Non-empty MFA request IDs" }, "org_id": { "type": "string", "description": "Organization id" }, "session": { "allOf": [ { "$ref": "#/components/schemas/NewSessionResponse" } ], "nullable": true } } } } } ], "description": "Different responses we return for status code \"202 Accepted\".\n\nEven though \"202 Accepted\" is a successful response, we represent\nit as a Rust error because that makes it easy to have route handlers\nreturn a `Result` whose success type `T` is the type of the\nresponse for the status code \"200 Ok\"." }, "AcceptedValueCode": { "type": "string", "enum": [ "MfaRequired" ] }, "AccessModel": { "type": "string", "description": "Determines who controls the keys within an org", "enum": [ "User", "Org" ] }, "AddIdentityRequest": { "type": "object", "description": "Request to add OIDC identity to an existing user account", "required": [ "oidc_token" ], "properties": { "oidc_token": { "type": "string" } } }, "AddKeysToRoleRequest": { "type": "object", "required": [ "key_ids" ], "properties": { "key_ids": { "type": "array", "items": { "type": "string" }, "description": "A list of keys to add to a role", "example": [ "Key#63023a27-1e70-430a-b293-ffbc9d6c4484" ] }, "policy": { "type": "array", "items": {}, "description": "Optional policies to apply for each key", "example": [ { "TxReceiver": "0x8c594691c0e592ffa21f153a16ae41db5befcaaa" }, { "TxDeposit": { "kind": "Canonical" } }, { "RequireMfa": { "kind": { "RequiredApprovers": { "count": 1 } }, "restricted_operations": [ "Eth1Sign", "BlobSign" ] } } ], "nullable": true } } }, "AddThirdPartyUserRequest": { "type": "object", "required": [ "role" ], "properties": { "email": { "type": "string", "description": "Optional user email", "example": "alice@example.com", "nullable": true }, "identity": { "allOf": [ { "$ref": "#/components/schemas/OidcIdentity" } ], "nullable": true }, "mfa_policy": { "type": "object", 
"description": "Optional login MFA policy", "nullable": true }, "name": { "type": "string", "description": "Optional user full name", "example": "Alice Wonderland", "nullable": true }, "proof": { "allOf": [ { "$ref": "#/components/schemas/IdentityProof" } ], "nullable": true }, "role": { "$ref": "#/components/schemas/MemberRole" } } }, "AddThirdPartyUserResponse": { "type": "object", "required": [ "user_id" ], "properties": { "user_id": { "type": "string", "example": "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f" } } }, "AddressMap": { "type": "object", "description": "The addresses associated with a contact.", "properties": { "btc": { "type": "array", "items": { "$ref": "#/components/schemas/BitcoinAddressInfo" }, "description": "Bitcoin addresses.", "uniqueItems": true }, "evm": { "type": "array", "items": { "$ref": "#/components/schemas/EvmAddressInfo" }, "description": "EVM addresses.", "uniqueItems": true }, "sui": { "type": "array", "items": { "$ref": "#/components/schemas/SuiAddressInfo" }, "description": "SUI addresses.", "uniqueItems": true } } }, "AlertKind": { "type": "string", "enum": [ "PolicyChanges", "Eth2ConcurrentBlockSigning", "BabylonEotsConcurrentSigning" ] }, "AllowedMfaMap": { "type": "object", "description": "MFA types that are allowed to be used for individual implicitly security-sensitive\noperations (like logging in, adding an MFA factor, exporting keys, etc; see `MfaProtectedAction`).", "additionalProperties": { "type": "array", "items": { "$ref": "#/components/schemas/MfaType" }, "uniqueItems": true } }, "ApprovalInfo": { "type": "object", "required": [ "timestamp" ], "properties": { "timestamp": { "$ref": "#/components/schemas/EpochDateTime" } } }, "AttestationConveyancePreference": { "type": "string", "description": "WebAuthn Relying Parties may use AttestationConveyancePreference to specify\ntheir preference regarding attestation conveyance during 
credential\ngeneration.\n\nhttps://www.w3.org/TR/webauthn-2/#enumdef-attestationconveyancepreference", "enum": [ "none", "indirect", "direct", "enterprise" ] }, "Aud": { "oneOf": [ { "type": "string" }, { "type": "array", "items": { "type": "string" } } ], "description": "Audience(s) that this ID Token is intended for. It MUST contain the\nOAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain\nidentifiers for other audiences. In the general case, the aud value is an array of\ncase-sensitive strings. In the common special case when there is one audience,\nthe aud value MAY be a single case-sensitive string." }, "AuthData": { "type": "object", "description": "Data required for both `authenticate` and `refresh`.", "required": [ "epoch_num", "epoch_token", "other_token" ], "properties": { "epoch_num": { "type": "integer", "format": "int32", "minimum": 0 }, "epoch_token": { "$ref": "#/components/schemas/B32" }, "other_token": { "type": "string" } } }, "AuthSource": { "type": "object", "description": "At redemption time, the user must provide a credential they wish to use to authenticate.\nThis enum represents the two possible sources of authentication.", "required": [ "kind", "credential" ], "properties": { "credential": { "type": "string" }, "kind": { "$ref": "#/components/schemas/AuthSourceKind" } } }, "AuthSourceKind": { "type": "string", "description": "At redemption time, the user must provide a credential they wish to use to authenticate.\nThis enum represents the two possible sources of authentication.", "enum": [ "password", "oidc" ] }, "AuthenticationRequest": { "type": "object", "description": "The request body for the idp authenticate endpoint", "required": [ "email", "password" ], "properties": { "email": { "type": "string", "description": "The email address of the user attempting to authenticate", "example": "alice@example.com" }, "password": { "type": "string", "description": "The password for that user" } } }, 
"AuthenticationResponse": { "type": "object", "description": "The response to the idp authenticate endpoint", "required": [ "id_token" ], "properties": { "id_token": { "type": "string", "description": "An OIDC token that can be used to authenticate with CubeSigner" } } }, "AuthenticatorAssertionResponse": { "type": "object", "description": "Represents the assertion response used by clients when attempting to log in with a known credential\nhttps://www.w3.org/TR/webauthn-2/#authenticatorassertionresponse", "required": [ "clientDataJSON", "authenticatorData", "signature" ], "properties": { "authenticatorData": { "type": "string", "description": "Contains the standard CTAP2 authenticator data. Must be a valid [`AuthenticatorData`].\nThis contains information about how key was invoked.\nhttps://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-authenticatordata" }, "clientDataJSON": { "type": "string", "description": "Contains UTF8 encoded JSON which must be a valid [`ClientData`]\nThis data is combined with `authenticator_data` to produce the signature\nmeaning the client attests to the correctness of this data.\nhttps://www.w3.org/TR/webauthn-2/#dom-authenticatorresponse-clientdatajson" }, "signature": { "type": "string", "description": "The signature of the concatenated `authenticatorData || hash` where\n`hash` is the SHA256 hash of the `clientDataJSON` buffer:\n\nField Definition: https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-signature\nStep 11 of `getAssertion` specifies the concatenation: https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion\nRequirement for SHA-256: https://www.w3.org/TR/webauthn-2/#collectedclientdata-hash-of-the-serialized-client-data" }, "userHandle": { "type": "string", "description": "Allows the authenticator to optionally declare the credential identifier they used.\nhttps://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-userhandle", "nullable": true } } }, "AuthenticatorAttachment": { 
"type": "string", "description": "This enumeration’s values describe authenticators' attachment modalities.\nRelying Parties use this to express a preferred authenticator attachment\nmodality when calling navigator.credentials.create() to create a credential.\n\nhttps://www.w3.org/TR/webauthn-2/#enumdef-authenticatorattachment", "enum": [ "platform", "cross-platform" ] }, "AuthenticatorAttestationResponse": { "type": "object", "description": "The AuthenticatorAttestationResponse interface represents the authenticator's\nresponse to a client’s request for the creation of a new public key\ncredential. It contains information about the new credential that can be\nused to identify it for later use, and metadata that can be used by the\nWebAuthn Relying Party to assess the characteristics of the credential\nduring registration.\n\nhttps://www.w3.org/TR/webauthn-2/#iface-authenticatorattestationresponse", "required": [ "clientDataJSON", "attestationObject" ], "properties": { "attestationObject": { "type": "string", "description": "This attribute contains an attestation object, which is opaque to, and\ncryptographically protected against tampering by, the client. The\nattestation object contains both authenticator data and an attestation\nstatement. The former contains the AAGUID, a unique credential ID, and\nthe credential public key. The contents of the attestation statement are\ndetermined by the attestation statement format used by the\nauthenticator. It also contains any additional information that the\nRelying Party's server requires to validate the attestation statement,\nas well as to decode and validate the authenticator data along with the\nJSON-compatible serialization of client data. For more details, see\n§ 6.5 Attestation, § 6.5.4 Generating an Attestation Object, and Figure\n6." 
}, "clientDataJSON": { "type": "string", "description": "This attribute, inherited from AuthenticatorResponse, contains the\nJSON-compatible serialization of client data (see § 6.5 Attestation)\npassed to the authenticator by the client in order to generate this\ncredential. The exact JSON serialization MUST be preserved, as the hash\nof the serialized client data has been computed over it." } } }, "AuthenticatorSelectionCriteria": { "type": "object", "description": "WebAuthn Relying Parties may use the AuthenticatorSelectionCriteria\ndictionary to specify their requirements regarding authenticator\nattributes.\n\nhttps://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria", "properties": { "authenticatorAttachment": { "allOf": [ { "$ref": "#/components/schemas/AuthenticatorAttachment" } ], "nullable": true }, "requireResidentKey": { "type": "boolean", "description": "This member is retained for backwards compatibility with WebAuthn Level\n1 and, for historical reasons, its naming retains the deprecated\n“resident” terminology for discoverable credentials. Relying Parties\nSHOULD set it to true if, and only if, residentKey is set to required.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-authenticatorselectioncriteria-requireresidentkey" }, "residentKey": { "allOf": [ { "$ref": "#/components/schemas/ResidentKeyRequirement" } ], "nullable": true }, "userVerification": { "$ref": "#/components/schemas/UserVerificationRequirement" } } }, "AuthenticatorTransport": { "type": "string", "description": "Authenticators may implement various transports for communicating with\nclients. This enumeration defines hints as to how clients might communicate\nwith a particular authenticator in order to obtain an assertion for a\nspecific credential. Note that these hints represent the WebAuthn Relying\nParty's best belief as to how an authenticator may be reached. 
A Relying\nParty will typically learn of the supported transports for a public key\ncredential via getTransports().\n\nhttps://www.w3.org/TR/webauthn-2/#enumdef-authenticatortransport", "enum": [ "usb", "nfc", "ble", "internal" ] }, "AvaSerializedTxSignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "tx" ], "properties": { "tx": { "type": "string", "description": "Serialized transaction to sign" } } } ], "description": "Request to sign a serialized Avalanche transaction" }, "AvaSignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. 
It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "tx" ], "properties": { "tx": { "type": "object", "description": "Transaction to sign.\n\nExamples:\n- {\"P\": { \"AddPermissionlessValidator\": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/add_permissionless_validator.rs#L14) }}\n- {\"P\": { \"AddSubnetValidator\": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/add_subnet_validator.rs#L29) }}\n- {\"P\": { \"AddValidator\": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/add_validator.rs#L12) }}\n- {\"P\": { \"CreateChain\": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/create_chain.rs#L8) }}\n- {\"P\": { \"CreateSubnet\": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/create_subnet.rs#L8) }}\n- {\"P\": { \"Export\": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/export.rs#L12) }}\n- {\"P\": { \"Import\": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/platformvm/txs/import.rs#L12) }}\n- {\"X\": { \"Base\": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/avm/txs/mod.rs#L21) }}\n- {\"X\": { \"Export\": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/avm/txs/export.rs#L16) }}\n- {\"X\": { \"Import\": [TxJson](https://github.com/ava-labs/avalanche-rs/blob/avalanche-types-v0.1.3/crates/avalanche-types/src/avm/txs/import.rs#L14) }}" } } } ], "description": "Request to sign an Avalanche 
transaction" }, "B32": { "type": "string", "description": "Wrapper around a zeroizing 32-byte fixed-size array" }, "BabylonCovSignRequest": { "type": "object", "required": [ "staking_tx", "slashing_tx", "unbonding_tx", "slash_unbonding_tx", "staking_output_idx", "slashing_script", "unbonding_script", "unbonding_slashing_script", "fp_enc_keys" ], "properties": { "fp_enc_keys": { "type": "array", "items": { "type": "string" }, "description": "The keys for the finality providers to which this transaction is being staked.\nEach key is a hex string containing a SEC1-encoded secp256k1 public key.", "example": [ "03b573e318803fd7aee1be5b6b18d496cc60ecc52429dbd477a879217c3ed26a795cb4f4e880aaff3a6ad66335e5404fa51caeb4964f0c9f7562737864e3bde5bc" ] }, "slash_unbonding_tx": { "type": "string", "description": "The slash-unbonding transaction being approved by the covenant signer.\nThis is a Bitcoin consensus--encoded hex string.", "example": "6899b5baf713a2c60e6abf05e8909440d41dc4125b98891c332f7087daf017fb2436286e2aa097464d9c927d644fa6de" }, "slashing_script": { "type": "string", "description": "The slashing script in the staking transaction.\nThis is a Bitcoin consensus--encoded hex string.", "example": "877f05cc626dedcf53b50eeba0821ca0" }, "slashing_tx": { "type": "string", "description": "The slashing transaction being approved by the covenant signer.\nThis is a Bitcoin consensus--encoded hex string.", "example": "f37e7ca2b24a5f7b8b6c9ba054f9932efb047ce80cf50a118e3f72751429fb13a355fa093bd358cdc30efacf5a62cabe" }, "stake_expansion": { "allOf": [ { "$ref": "#/components/schemas/BabylonCovStakeExpansionRequest" } ], "nullable": true }, "staking_output_idx": { "type": "integer", "format": "int32", "description": "The output index of the Babylon staking scripts in the staking transaction.", "example": 1, "minimum": 0 }, "staking_tx": { "type": "string", "description": "The staking transaction being approved by the covenant signer.\nThis is a Bitcoin consensus--encoded hex 
string.", "example": "954ba118e7133b4bb3a67acc4f40cb9529aabbc01007229f7bfd85706850175d77d5cbe5e4c0ca67238d14afa47c51cc" }, "unbonding_script": { "type": "string", "description": "The unbonding script in the staking transaction.\nThis is a Bitcoin consensus--encoded hex string.", "example": "55f6638c0c0c0b0e51ca922e0e9e6abd" }, "unbonding_slashing_script": { "type": "string", "description": "The slashing script in the unbonding transaction.\nThis is a Bitcoin consensus--encoded hex string.", "example": "e133f5a923a07b9c7f6767cda171005b" }, "unbonding_tx": { "type": "string", "description": "The unbonding transaction being approved by the covenant signer.\nThis is a Bitcoin consensus--encoded hex string.", "example": "969cb95129a55a96d51919f5f67f3adc597ecdee6eda21e7777f370c3b1809336ee7d08ec574c8bbb361ff63d032a976" } } }, "BabylonCovSignResponse": { "type": "object", "required": [ "slashing_transactions_signatures", "unbonding_transaction_signature", "slash_unbonding_transactions_signatures" ], "properties": { "slash_unbonding_transactions_signatures": { "type": "array", "items": { "type": "string" }, "description": "The slash-unbonding transaction signatures as an array of hex strings with no 0x prefix", "example": [ "02e21a7b0519539ef670f79d1c25a54f90b0c6d9fdb56a7de813fb207033032fffad8aaafeb1b77dd9ea8f17dadcf297696bbf5a4133292f3515b86bb9c2d78d9c" ] }, "slashing_transactions_signatures": { "type": "array", "items": { "type": "string" }, "description": "The slashing transaction signatures as an array of hex strings with no 0x prefix", "example": [ "03075eca9d176d1605d6c096c111e9a4f8d8739ac9708c1df3ed516106e7ab1387a3924a6652acf2e3524359731ca1fbb338a3afb1a67f6ea19c207b6ff466a5ad", "022224493f4cffad5b84076db32dd8c49a28ff48af4e19e2bcc9953ff80347ba6e8343cf7a44e74a96ff71ea59a03b40166e85b0d1355954e04a4427dc8d637ff0" ] }, "stake_expansion_transaction_signature": { "type": "string", "description": "The signature that allows expanding a stake by spending the current 
active\nstake transaction into a new staking transaction. A value is present iff the\ncorresponding request included a `stake_expansion` value.", "example": "b573e318803fd7aee1be5b6b18d496cc60ecc52429dbd477a879217c3ed26a795cb4f4e880aaff3a6ad66335e5404fa51caeb4964f0c9f7562737864e3bde5bc", "nullable": true }, "unbonding_transaction_signature": { "type": "string", "description": "The unbonding transaction signature as hex string with no 0x prefix", "example": "b573e318803fd7aee1be5b6b18d496cc60ecc52429dbd477a879217c3ed26a795cb4f4e880aaff3a6ad66335e5404fa51caeb4964f0c9f7562737864e3bde5bc" } } }, "BabylonCovStakeExpansionRequest": { "type": "object", "description": "Request to expand an active stake with additional funds.", "required": [ "previous_active_stake_tx", "previous_staking_output_idx", "previous_active_stake_unbonding_script", "other_funding_output" ], "properties": { "other_funding_output": { "type": "string", "description": "The transaction output that is being used to fund the stake expansion.\nThis is a Bitcoin consensus--encoded hex string." 
}, "previous_active_stake_tx": { "type": "string", "description": "The active staking transaction that is being expanded with this request.\nThis is a Bitcoin consensus--encoded hex string.", "example": "954ba118e7133b4bb3a67acc4f40cb9529aabbc01007229f7bfd85706850175d77d5cbe5e4c0ca67238d14afa47c51cc" }, "previous_active_stake_unbonding_script": { "type": "string", "description": "The unbonding script in the active staking transaction.\nThis is a Bitcoin consensus--encoded hex string.", "example": "e133f5a923a07b9c7f6767cda171005b" }, "previous_staking_output_idx": { "type": "integer", "format": "int32", "description": "The index of the active stake output in the active staking transaction.", "example": 1, "minimum": 0 } } }, "BabylonNetworkId": { "type": "string", "description": "The network-id for Babylon staking", "enum": [ "bbt4", "bbn1", "bbt5" ] }, "BabylonRegistrationRequest": { "allOf": [ { "allOf": [ { "type": "object", "description": "Data needed to create the Babylon deposit scripts", "required": [ "network", "staker_pk", "finality_provider_pks", "lock_time" ], "properties": { "explicit_params": { "allOf": [ { "$ref": "#/components/schemas/BabylonStakingParams" } ], "nullable": true }, "finality_provider_pks": { "type": "array", "items": { "type": "string" }, "description": "The Schnorr public key (i.e., 32-byte X-coordinate) of the finality\nprovider to which the stake is delegated." }, "lock_time": { "type": "integer", "format": "int32", "description": "The lock time used for the withdrawal output in the staking deposit transaction", "minimum": 0 }, "network": { "$ref": "#/components/schemas/BabylonNetworkId" }, "staker_pk": { "type": "string", "description": "The Schnorr public key (i.e., 32-byte X-coordinate) of the staker. This\nis the key that signs the slashing, withdrawal, and unbonding scripts." }, "version": { "type": "integer", "format": "int32", "description": "The parameter version to use. 
If omitted or `null`, the latest version is used.", "nullable": true, "minimum": 0 } } }, { "type": "object", "required": [ "psbt", "value", "change", "fee", "fee_type" ], "properties": { "change": { "type": "string", "description": "The change address, specified as a Bitcoin spend script" }, "fee": { "type": "integer", "format": "int64", "description": "The transaction fee value. The `fee_type` field determines whether this\nis a fixed fee in sats or a rate in sats per (estimated) virtual byte of\ntransaction weight (i.e., sats per vb).", "minimum": 0 }, "fee_type": { "$ref": "#/components/schemas/FeeType" }, "ignore_psbt_outputs": { "type": "boolean", "description": "By default, the PSBT in this request can only specify transaction inputs:\nPSBTs that specify outputs will result in an error. When this flag is set,\nexisting outputs in the PSBT will instead be ignored (i.e., deleted from\nthe PSBT) when creating the deposit transaction." }, "psbt": { "type": "string", "description": "A hex-serialized PSBT (version 0) containing the transaction inputs and\nall necessary information for signing (e.g., taproot path and leaf\ninformation). This PSBT must not have any transaction outputs (unless\n`ignore_psbt_outputs` is set); they will be added to the returned PSBT." }, "value": { "type": "integer", "format": "int64", "description": "The value to be staked in sats", "minimum": 0 } } } ], "description": "Data needed to create a Babylon deposit transaction" }, { "type": "object", "required": [ "bbn_addr" ], "properties": { "bbn_addr": { "type": "string", "description": "The Babylon address that will receive the staking rewards for this deposit.\nBabylon requires this to be the same address that registers the deposit on\nthe Babylon chain.\n\nThis must be a secp256k1 Cosmos address with either a `bbn` or a `cosmos`\nhuman-readable part (i.e., `bbn1...` or `cosmos1...`). 
The latter lets you\nspecify the material-id of a SecpCosmos CubeSigner key.", "example": "bbn1n5anmc0kkrh70yjy7f6f399c74yd09xl5teffm" } } } ], "description": "Babylon staking registration specification" }, "BabylonRegistrationResponse": { "type": "object", "required": [ "deposit", "deposit_fee", "unbond", "slash_deposit", "slash_deposit_sig", "slash_unbond", "slash_unbond_sig", "pop", "bbn_addr" ], "properties": { "bbn_addr": { "type": "string", "description": "The Babylon address that will receive the staking rewards for this deposit.\n\nThis value will correspond to the `bbn_addr` value specified in the request,\nbut it will always have a `bbn` human-readable part.", "example": "bbn1n5anmc0kkrh70yjy7f6f399c74yd09xl5teffm" }, "deposit": { "type": "string", "description": "The deposit transaction PSBT. This PSBT includes signatures on any\ninputs controlled by the staker taproot key specified in the request." }, "deposit_fee": { "type": "integer", "format": "int64", "description": "The deposit transaction fee in sats.", "example": "1337", "minimum": 0 }, "pop": { "type": "string", "description": "The proof of possession, i.e., a BIP322 signature on the staker's\nBabylon address signed by the staker taproot key. This is a Bitcoin\nwitness stack in Bitcoin consensus hex encoding." }, "slash_deposit": { "type": "string", "description": "The slash-deposit transaction in Bitcoin consensus hex encoding." }, "slash_deposit_sig": { "type": "string", "description": "The staker taproot key's signature on the slash-deposit transaction.\nThis is a BIP340 signature in hex format." }, "slash_unbond": { "type": "string", "description": "The slash-unbond transaction in Bitcoin consensus hex encoding." }, "slash_unbond_sig": { "type": "string", "description": "The staker taproot key's signature on the slash-unbond transaction.\nThis is a BIP340 signature in hex format." 
}, "unbond": { "type": "string", "description": "The (unsigned) unbonding transaction in Bitcoin consensus hex encoding." } } }, "BabylonScriptData": { "type": "object", "description": "Data needed to create the Babylon deposit scripts", "required": [ "network", "staker_pk", "finality_provider_pks", "lock_time" ], "properties": { "explicit_params": { "allOf": [ { "$ref": "#/components/schemas/BabylonStakingParams" } ], "nullable": true }, "finality_provider_pks": { "type": "array", "items": { "type": "string" }, "description": "The Schnorr public key (i.e., 32-byte X-coordinate) of the finality\nprovider to which the stake is delegated." }, "lock_time": { "type": "integer", "format": "int32", "description": "The lock time used for the withdrawal output in the staking deposit transaction", "minimum": 0 }, "network": { "$ref": "#/components/schemas/BabylonNetworkId" }, "staker_pk": { "type": "string", "description": "The Schnorr public key (i.e., 32-byte X-coordinate) of the staker. This\nis the key that signs the slashing, withdrawal, and unbonding scripts." }, "version": { "type": "integer", "format": "int32", "description": "The parameter version to use. If omitted or `null`, the latest version is used.", "nullable": true, "minimum": 0 } } }, "BabylonStakingDeposit": { "allOf": [ { "type": "object", "description": "Data needed to create the Babylon deposit scripts", "required": [ "network", "staker_pk", "finality_provider_pks", "lock_time" ], "properties": { "explicit_params": { "allOf": [ { "$ref": "#/components/schemas/BabylonStakingParams" } ], "nullable": true }, "finality_provider_pks": { "type": "array", "items": { "type": "string" }, "description": "The Schnorr public key (i.e., 32-byte X-coordinate) of the finality\nprovider to which the stake is delegated." 
}, "lock_time": { "type": "integer", "format": "int32", "description": "The lock time used for the withdrawal output in the staking deposit transaction", "minimum": 0 }, "network": { "$ref": "#/components/schemas/BabylonNetworkId" }, "staker_pk": { "type": "string", "description": "The Schnorr public key (i.e., 32-byte X-coordinate) of the staker. This\nis the key that signs the slashing, withdrawal, and unbonding scripts." }, "version": { "type": "integer", "format": "int32", "description": "The parameter version to use. If omitted or `null`, the latest version is used.", "nullable": true, "minimum": 0 } } }, { "type": "object", "required": [ "psbt", "value", "change", "fee", "fee_type" ], "properties": { "change": { "type": "string", "description": "The change address, specified as a Bitcoin spend script" }, "fee": { "type": "integer", "format": "int64", "description": "The transaction fee value. The `fee_type` field determines whether this\nis a fixed fee in sats or a rate in sats per (estimated) virtual byte of\ntransaction weight (i.e., sats per vb).", "minimum": 0 }, "fee_type": { "$ref": "#/components/schemas/FeeType" }, "ignore_psbt_outputs": { "type": "boolean", "description": "By default, the PSBT in this request can only specify transaction inputs:\nPSBTs that specify outputs will result in an error. When this flag is set,\nexisting outputs in the PSBT will instead be ignored (i.e., deleted from\nthe PSBT) when creating the deposit transaction." }, "psbt": { "type": "string", "description": "A hex-serialized PSBT (version 0) containing the transaction inputs and\nall necessary information for signing (e.g., taproot path and leaf\ninformation). This PSBT must not have any transaction outputs (unless\n`ignore_psbt_outputs` is set); they will be added to the returned PSBT." 
}, "value": { "type": "integer", "format": "int64", "description": "The value to be staked in sats", "minimum": 0 } } } ], "description": "Data needed to create a Babylon deposit transaction" }, "BabylonStakingEarlyUnbond": { "allOf": [ { "type": "object", "description": "Data needed to create the Babylon deposit scripts", "required": [ "network", "staker_pk", "finality_provider_pks", "lock_time" ], "properties": { "explicit_params": { "allOf": [ { "$ref": "#/components/schemas/BabylonStakingParams" } ], "nullable": true }, "finality_provider_pks": { "type": "array", "items": { "type": "string" }, "description": "The Schnorr public key (i.e., 32-byte X-coordinate) of the finality\nprovider to which the stake is delegated." }, "lock_time": { "type": "integer", "format": "int32", "description": "The lock time used for the withdrawal output in the staking deposit transaction", "minimum": 0 }, "network": { "$ref": "#/components/schemas/BabylonNetworkId" }, "staker_pk": { "type": "string", "description": "The Schnorr public key (i.e., 32-byte X-coordinate) of the staker. This\nis the key that signs the slashing, withdrawal, and unbonding scripts." }, "version": { "type": "integer", "format": "int32", "description": "The parameter version to use. If omitted or `null`, the latest version is used.", "nullable": true, "minimum": 0 } } }, { "type": "object", "required": [ "txid", "vout", "value" ], "properties": { "as_base64": { "type": "boolean", "description": "If `true`, the resulting PSBT is encoded as a base64 string.\nOtherwise, it is encoded as a hex string." }, "txid": { "type": "string", "description": "Transaction-id of the deposit transaction to unbond or slash." 
}, "value": { "type": "integer", "format": "int64", "description": "The value in sats that was staked in the transaction to unbond or slash.", "minimum": 0 }, "vout": { "type": "integer", "format": "int32", "description": "Transaction output index of the staking transaction to unbond or slash.\nFor staking transactions generated by CubeSigner, this will always be zero.", "minimum": 0 } } } ], "description": "Data needed to create a Babylon early-unbonding or slashing transaction" }, "BabylonStakingParams": { "type": "object", "description": "Parameter set for Babylon staking. The latest parameter sets are\navailable from ", "required": [ "version", "activation_height", "covenant_pks", "covenant_quorum", "unbonding_time", "unbonding_fee", "max_staking_amount", "min_staking_amount", "max_staking_time", "min_staking_time" ], "properties": { "activation_height": { "type": "integer", "format": "int64", "description": "Block height at which these params will enter use", "minimum": 0 }, "covenant_pks": { "type": "array", "items": { "type": "string" }, "description": "Public keys of the covenant signers" }, "covenant_quorum": { "type": "integer", "description": "Quorum for covenant signer", "minimum": 0 }, "max_staking_amount": { "type": "integer", "format": "int64", "description": "Max amount that can be staked in a single txn", "minimum": 0 }, "max_staking_time": { "type": "integer", "format": "int32", "description": "Max timelock for staking", "minimum": 0 }, "min_staking_amount": { "type": "integer", "format": "int64", "description": "Min amount that must be staked", "minimum": 0 }, "min_staking_time": { "type": "integer", "format": "int32", "description": "Min timelock for staking", "minimum": 0 }, "slashing_fee": { "type": "integer", "format": "int64", "description": "Minimum fee (in sats) that must be paid as part of the slashing txn", "minimum": 0 }, "slashing_margin": { "type": "integer", "format": "int64", "description": "An extra number of sats to slash in the 
slashing txn. This can be used\nto ensure that the transaction meets the minimum slashing requirement\neven if the covenant committee members use floats to compute the amount\nthat should be slashed. The default is 2; it should not be necessary to\ngo higher than this.", "nullable": true, "minimum": 0 }, "slashing_pk_script": { "type": "string", "description": "The pk_script value for the 0th output index of a slashing transaction,\nserialized as a hex byte string. This value must be present to create\nslashing signatures.", "nullable": true }, "slashing_rate": { "type": "string", "description": "The fraction of stake slashed if a double-sign is detected", "nullable": true }, "tag": { "type": "string", "description": "Bitcoin transaction tag for staking metadata. If present, an identifiable\nstaking output (i.e., one with an OP_RETURN) will be created.", "nullable": true }, "unbonding_fee": { "type": "integer", "format": "int64", "description": "Fee (in sats) that must be spent as part of the unbonding txn", "minimum": 0 }, "unbonding_time": { "type": "integer", "format": "int32", "description": "Min timelock for an unbonding script", "minimum": 0 }, "version": { "type": "integer", "format": "int32", "description": "Parameter version", "minimum": 0 } } }, "BabylonStakingRequest": { "oneOf": [ { "allOf": [ { "$ref": "#/components/schemas/BabylonStakingDeposit" }, { "type": "object", "required": [ "action" ], "properties": { "action": { "type": "string", "enum": [ "deposit" ] } } } ] }, { "allOf": [ { "$ref": "#/components/schemas/BabylonStakingEarlyUnbond" }, { "type": "object", "required": [ "action" ], "properties": { "action": { "type": "string", "enum": [ "early_unbond" ] } } } ] }, { "allOf": [ { "$ref": "#/components/schemas/BabylonStakingWithdrawal" }, { "type": "object", "required": [ "action" ], "properties": { "action": { "type": "string", "enum": [ "withdraw_timelock" ] } } } ] }, { "allOf": [ { "$ref": "#/components/schemas/BabylonStakingWithdrawal" }, { 
"type": "object", "required": [ "action" ], "properties": { "action": { "type": "string", "enum": [ "withdraw_early_unbond" ] } } } ] }, { "allOf": [ { "$ref": "#/components/schemas/BabylonStakingWithdrawal" }, { "type": "object", "required": [ "action" ], "properties": { "action": { "type": "string", "enum": [ "withdraw_slashing" ] } } } ] }, { "allOf": [ { "$ref": "#/components/schemas/BabylonStakingEarlyUnbond" }, { "type": "object", "required": [ "action" ], "properties": { "action": { "type": "string", "enum": [ "slash_deposit" ] } } } ] }, { "allOf": [ { "$ref": "#/components/schemas/BabylonStakingEarlyUnbond" }, { "type": "object", "required": [ "action" ], "properties": { "action": { "type": "string", "enum": [ "slash_early_unbond" ] } } } ] } ], "description": "The actions possible via the Babylon Staking endpoint", "discriminator": { "propertyName": "action" } }, "BabylonStakingResponse": { "type": "object", "required": [ "psbt", "fee" ], "properties": { "fee": { "type": "integer", "format": "int64", "description": "The transaction fee in sats", "example": "1337", "minimum": 0 }, "psbt": { "type": "string", "description": "The PSBT in either hex or base64 serialization", "example": "70736274ff01005e..." } } }, "BabylonStakingWithdrawal": { "allOf": [ { "type": "object", "description": "Data needed to create the Babylon deposit scripts", "required": [ "network", "staker_pk", "finality_provider_pks", "lock_time" ], "properties": { "explicit_params": { "allOf": [ { "$ref": "#/components/schemas/BabylonStakingParams" } ], "nullable": true }, "finality_provider_pks": { "type": "array", "items": { "type": "string" }, "description": "The Schnorr public key (i.e., 32-byte X-coordinate) of the finality\nprovider to which the stake is delegated." 
}, "lock_time": { "type": "integer", "format": "int32", "description": "The lock time used for the withdrawal output in the staking deposit transaction", "minimum": 0 }, "network": { "$ref": "#/components/schemas/BabylonNetworkId" }, "staker_pk": { "type": "string", "description": "The Schnorr public key (i.e., 32-byte X-coordinate) of the staker. This\nis the key that signs the slashing, withdrawal, and unbonding scripts." }, "version": { "type": "integer", "format": "int32", "description": "The parameter version to use. If omitted or `null`, the latest version is used.", "nullable": true, "minimum": 0 } } }, { "type": "object", "required": [ "txid", "vout", "value", "fee", "fee_type", "recipient" ], "properties": { "as_base64": { "type": "boolean", "description": "If `true`, the resulting PSBT is encoded as a base64 string.\nOtherwise, it is encoded as a hex string." }, "fee": { "type": "integer", "format": "int64", "description": "The transaction fee value. The `fee_type` field determines whether this\nis a fixed fee in sats or a rate in sats per (estimated) virtual byte of\ntransaction weight (i.e., sats per vb).", "minimum": 0 }, "fee_type": { "$ref": "#/components/schemas/FeeType" }, "recipient": { "type": "string", "description": "The withdrawal recipient, specified as a Bitcoin spend script" }, "txid": { "type": "string", "description": "Transaction-id of the deposit or early unbonding transaction to withdraw from" }, "txn_lock_height": { "type": "integer", "format": "int32", "description": "An optional lock height (in blocks) for this transaction. 
The resulting\ntransaction cannot be mined before the specified block height.", "nullable": true, "minimum": 0 }, "value": { "type": "integer", "format": "int64", "description": "The value in sats that is staked in the transaction being withdrawn", "minimum": 0 }, "vout": { "type": "integer", "format": "int32", "description": "Transaction output index of the staking transaction from which to withdraw.\nFor staking transactions generated by CubeSigner, this will always be 0.\nFor slashing transactions generated by CubeSigner, this will always be 1.", "minimum": 0 } } } ], "description": "Data needed to create a Babylon withdrawal transaction" }, "BadGatewayErrorCode": { "type": "string", "enum": [ "EsploraApiError", "SentryApiError", "CallWebhookError", "OAuthProviderError", "OidcDisoveryFailed", "OidcIssuerJwkEndpointUnavailable", "SmtpServerUnavailable" ] }, "BadRequestErrorCode": { "type": "string", "enum": [ "GenericBadRequest", "DisallowedAllowRuleReference", "InvalidPaginationToken", "InvalidEmail", "InvalidEmailTemplate", "QueryMetricsError", "InvalidTelegramData", "QueryMetricsValidationError", "WebhookPolicyTimeoutOutOfBounds", "WebhookPolicyDisallowedUrlScheme", "WebhookPolicyDisallowedUrlHost", "WebhookPolicyDisallowedHeaders", "ReservedName", "UserEmailNotConfigured", "EmailPasswordNotFound", "PasswordAuthNotAllowedByInvitation", "OneTimeCodeExpired", "InvalidBody", "InvalidJwt", "InvitationNoLongerValid", "TokenRequestError", "InvalidMfaReceipt", "InvalidMfaPolicyCount", "InvalidMfaPolicyNumAuthFactors", "InvalidMfaPolicyNumAllowedApprovers", "InvalidMfaPolicyGracePeriodTooLong", "InvalidBabylonStakingPolicyParams", "InvalidSuiTxReceiversEmptyAllowlist", "InvalidBtcTxReceiversEmptyAllowlist", "InvalidRequireRoleSessionAllowlist", "InvalidCreateKeyCount", "InvalidDiffieHellmanCount", "OrgInviteExistingUser", "OrgUserAlreadyExists", "OrgNameTaken", "OrgIsNotOrgExport", "RoleNameTaken", "PolicyNameTaken", "NameTaken", "ContactNameInvalid", 
"ContactAddressesInvalid", "ContactModified", "PolicyNotFound", "PolicyVersionNotFound", "PolicyRuleDisallowedByType", "PolicyTypeDisallowed", "PolicyDuplicateError", "PolicyStillAttached", "PolicyModified", "PolicyNotAttached", "AddKeyToRoleCountTooHigh", "InvalidKeyId", "InvalidTimeLockAlreadyInThePast", "InvalidRestrictedScopes", "InvalidUpdate", "InvalidMetadataLength", "InvalidLength", "InvalidKeyMaterialId", "KeyNotFound", "SiweChallengeNotFound", "SiweInvalidRequest", "UserExportDerivedKey", "UserExportPublicKeyInvalid", "NistP256PublicKeyInvalid", "UnableToAccessSmtpRelay", "UserExportInProgress", "RoleNotFound", "InvalidRoleNameOrId", "InvalidMfaReceiptOrgIdMissing", "InvalidMfaReceiptInvalidOrgId", "MfaRequestNotFound", "InvalidKeyType", "InvalidKeyMaterial", "InvalidHexValue", "InvalidBase32Value", "InvalidBase58Value", "InvalidSs58Value", "InvalidForkVersionLength", "InvalidEthAddress", "InvalidStellarAddress", "InvalidOrgNameOrId", "InvalidUpdateOrgRequestDisallowedMfaType", "InvalidUpdateOrgRequestEmptyAllowedMfaTypes", "EmailOtpDelayTooShortForRegisterMfa", "InvalidStakeDeposit", "InvalidBlobSignRequest", "InvalidDiffieHellmanRequest", "InvalidSolanaSignRequest", "InvalidEip712SignRequest", "OnlySpecifyOne", "NoOidcDataInProof", "InvalidEvmSignRequest", "InvalidEth2SignRequest", "InvalidDeriveKeyRequest", "InvalidStakingAmount", "CustomStakingAmountNotAllowedForWrapperContract", "InvalidUnstakeRequest", "InvalidCreateUserRequest", "UserAlreadyExists", "IdpUserAlreadyExists", "CognitoUserAlreadyOrgMember", "UserNotFound", "UserWithEmailNotFound", "PolicyKeyMismatch", "PolicyRuleKeyMismatch", "EmptyScopes", "InvalidScopesForRoleSession", "InvalidLifetime", "NoSingleKeyForUser", "InvalidOrgPolicyRule", "SourceIpAllowlistEmpty", "LimitWindowTooLong", "Erc20ContractDisallowed", "EmptyRuleError", "OptionalListEmpty", "MultipleExclusiveFieldsProvided", "DuplicateFieldEntry", "InvalidRange", "InvalidOrgPolicyRepeatedRule", "InvalidSuiTransaction", 
"SuiSenderMismatch", "AvaSignHashError", "AvaSignError", "BtcSegwitHashError", "BtcTaprootHashError", "BtcSignError", "TaprootSignError", "Eip712SignError", "InvalidMemberRoleInUserAdd", "InvalidMemberRoleInRecipientAdd", "ThirdPartyUserAlreadyExists", "OidcIdentityAlreadyExists", "ThirdPartyUserNotFound", "DeleteOidcUserError", "DeleteUserError", "SessionRoleMismatch", "InvalidOidcToken", "InvalidOidcIdentity", "OidcIssuerUnsupported", "OidcIssuerNotAllowed", "OidcIssuerNoApplicableJwk", "FidoKeyAlreadyRegistered", "FidoKeySignCountTooLow", "FidoVerificationFailed", "FidoChallengeMfaMismatch", "UnsupportedLegacyCognitoSession", "InvalidIdentityProof", "PaginationDataExpired", "ExistingKeysViolateExclusiveKeyAccess", "ExportDelayTooShort", "ExportWindowTooLong", "InvalidTotpFailureLimit", "InvalidEip191SignRequest", "CannotResendUserInvitation", "InvalidNotificationEndpointCount", "CannotDeletePendingSubscription", "InvalidNotificationUrlProtocol", "EmptyOneOfOrgEventFilter", "EmptyAllExceptOrgEventFilter", "InvalidTapNodeHash", "InvalidOneTimeCode", "MessageNotFound", "MessageAlreadySigned", "MessageRejected", "MessageReplaced", "InvalidMessageType", "EmptyAddress", "InvalidEth2SigningPolicySlotRange", "InvalidEth2SigningPolicyEpochRange", "InvalidEth2SigningPolicyTimestampRange", "InvalidEth2SigningPolicyOverlappingRule", "RpcUrlMissing", "MmiChainIdMissing", "EthersInvalidRpcUrl", "EthersGetTransactionCountError", "InvalidPassword", "BabylonStakingFeePlusDustOverflow", "BabylonStaking", "BabylonStakingIncorrectKey", "BabylonStakingSegwitNonDeposit", "BabylonStakingRegistrationRequiresTaproot", "PsbtSigning", "TooManyResets", "TooManyRequests", "TooManyFailedLogins", "BadBtcMessageSignP2shFlag", "InvalidTendermintRequest", "PolicyVersionMaxReached", "PolicyVersionInvalid", "AlienOwnerInvalid", "EmptyUpdateRequest", "InvalidPolicyReference", "PolicyEngineDisabled", "InvalidWasmPolicy", "RedundantDerivationPath", "ImportKeyMissing", "InvalidAbiMethods", 
"BabylonCovSign", "InvalidPolicyLogsRequest", "UserProfileMigrationMultipleEntries", "UserProfileMigrationTooManyItems", "InputTooShort" ] }, "BillingArgs": { "type": "object", "required": [ "event_type", "billing_org" ], "properties": { "billing_org": { "$ref": "#/components/schemas/Id" }, "event_type": { "$ref": "#/components/schemas/BillingEvent" }, "key": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true }, "role": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true }, "user": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true } } }, "BillingDimensions": { "type": "object", "required": [ "org_id", "kind" ], "properties": { "kind": { "$ref": "#/components/schemas/BillingEvent" }, "org_id": { "type": "string", "description": "All metrics must include 'org_id' as a dimension." } } }, "BillingEvent": { "type": "string", "description": "Billing event types.", "enum": [ "Mmi", "MmiMessageGet", "MmiMessageList", "MmiMessageSign", "MmiMessageReject", "MmiMessageDelete", "AboutMe", "UserResetEmailInit", "UserResetEmailComplete", "UserDeleteTotp", "UserResetTotpInit", "UserResetTotpComplete", "UserVerifyTotp", "UserRegisterFidoInit", "UserRegisterFidoComplete", "UserDeleteFido", "CreateProofOidc", "CreateProofCubeSigner", "VerifyProof", "AddOidcIdentity", "RemoveOidcIdentity", "ListOidcIdentities", "GetOrg", "UpdateOrg", "GetOrgExport", "CreateOrg", "ListKeys", "GetKey", "GetKeyByMaterialId", "ListKeyRoles", "UpdateKey", "ListHistoricalKeyTx", "Invite", "ListUsers", "GetUser", "GetUserByEmail", "GetUserByOidc", "UpdateMembership", "ResetMemberMfa", "CompleteResetMemberMfa", "CreateRole", "GetRole", "ListTokenKeys", "ListRoles", "GetRoleKey", "ListRoleKeys", "ListRoleUsers", "UpdateRole", "DeleteRole", "ConfigureEmail", "ListHistoricalRoleTx", "CreatePolicy", "GetPolicy", "ListPolicies", "DeletePolicy", "UpdatePolicy", "InvokePolicy", "GetPolicyLogs", "UploadWasmPolicy", "GetPolicySecrets", "UpdatePolicySecrets", 
"SetPolicySecret", "DeletePolicySecret", "CreatePolicyImportKey", "UserExportDelete", "UserExportList", "UserExportInit", "UserExportComplete", "AddUserToRole", "RemoveUserFromRole", "MfaApproveCs", "MfaRejectCs", "MfaGet", "MfaList", "AddKeysToRole", "RemoveKeyFromRole", "CreateToken", "CreateSession", "RevokeSession", "RevokeCurrentSession", "RevokeSessions", "ListSessions", "GetSession", "SignerSessionRefresh", "MfaApproveTotp", "MfaRejectTotp", "MfaFidoInit", "MfaApproveFidoComplete", "MfaRejectFidoComplete", "MfaEmailInit", "MfaEmailComplete", "Cube3signerHeartbeat", "CreateContact", "GetContact", "ListContacts", "DeleteContact", "UpdateContact", "LookupContactsByAddress", "QueryMetrics", "Counts", "CreateKey", "ImportKey", "CreateKeyImportKey", "DeriveKey", "DeleteKey", "AvaSign", "AvaSerializedTxSign", "BabylonRegistration", "BabylonStaking", "BabylonCovSign", "BlobSign", "BtcMessageSign", "BtcSign", "DiffieHellmanExchange", "PsbtSign", "PsbtLegacyInputSign", "PsbtSegwitInputSign", "PsbtTaprootInputSign", "TaprootSign", "Eip712Sign", "Eip191Sign", "Eth1Sign", "Eth2Sign", "SolanaSign", "SuiSign", "TendermintSign", "Stake", "Unstake", "PasskeyAuthInit", "PasskeyAuthComplete", "OidcAuth", "Oauth2Twitter", "OAuth2TokenRefresh", "EmailOtpAuth", "SiweInit", "SiweComplete", "TelegramAuth", "CreateOidcUser", "DeleteOidcUser", "DeleteUser", "CreateEotsNonces", "EotsSign", "AuthMigrationIdentityAdd", "AuthMigrationIdentityRemove", "AuthMigrationUserUpdate", "KeyCreated", "KeyImported", "InvitationAccept", "IdpAuthenticate", "IdpPasswordResetRequest", "IdpPasswordResetConfirm", "EsploraApiCall", "ExecutePolicy", "SentryApiCall", "SentryApiCallPublic", "MmiJwkSet", "UserOrgs", "PublicOrgInfo", "EmailMyOrgs" ] }, "BitcoinAddressInfo": { "type": "object", "description": "A bitcoin address and its network.", "required": [ "chain", "address" ], "properties": { "address": { "type": "string", "description": "The bitcoin address.", "example": 
"bc1puc0q8jhx3knc2stlfhl35nja89nvkmqr4c5e2ldyuq2mcckhr3msavj99j" }, "chain": { "$ref": "#/components/schemas/BtcChain" } } }, "BlobSignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "message_base64" ], "properties": { "adaptor_pk": { "type": "string", "description": "An optional base64 string comprising a SEC1-encoded secp256k1 public key.\nThis field can be used *only* with Schnorr keys.\n\nIf this field is present, the response will be a Schnorr adaptor signature\nin the format specified by Blockstream for use in libsecp256k1-zkp. See\n\nfor more information.", "example": "Arny4WoHDNBVXYcynhNl9/y7JttJ2rk0CCRfLR7t3aDg", "nullable": true }, "bls_dst": { "type": "string", "description": "An optional domain separation tag for use *only* with BLS signing requests.\nThis field must not be supplied for requests involving non-BLS key types.\n\nIf this field is not present or null, the domain separation tag specified in\nthe IETF BLS Signatures draft versions 4 and 5, section 4.2.3 (minimal pubkey\nsize variant) is used.\n\nOtherwise, this field must contain a base-64 string encoding a non-empty byte\nvector. When using a custom tag, RFC9380 (Section 3.1) recommends a length of\nat least 16 bytes.", "example": "EbbLvCxI7gan71iISDsfr46etOv606QkGGDP5PpVl5Q=", "nullable": true }, "message_base64": { "type": "string", "description": "The blob to sign, encoded as a base64 string.\n\nNote that certain signing keys impose additional requirements on the contents of\nthe message. For example, Secp256k1 keys require that the message is 32 bytes long." 
}, "segwit_tweak": { "type": "string", "description": "An optional tweak value for use *only* with Segwit (i.e., SecpBtc and SecpBtcTest)\nkeys. This field must not be supplied for requests involving any other key type.\n\nIf this field is not present or null, no tweak is applied. Otherwise, this field\nmust contain a base-64 string encoding a vector of exactly 32 bytes. See the\nCubeSigner documentation for more information on the Segwit tweaking procedure.", "example": "F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=", "nullable": true }, "taproot_tweak": { "type": "string", "description": "An optional tweak value for use *only* with Taproot keys. This field must not\nbe supplied for requests involving any other key type.\n\nIf this field is not present or null, no tweak is applied. If the field is an\nempty string, the key is tweaked with an unspendable script path per BIP0341.\nOtherwise, this field must contain a 32-byte, base-64 string representing the\nMerkle root with which to tweak the key before signing.", "example": "F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=", "nullable": true } } } ], "example": { "message_base64": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTYK" } }, "BtcChain": { "type": "string", "description": "Supported BTC chains.", "enum": [ "mainnet", "signet" ] }, "BtcLeafHashCodeSeparator": { "type": "object", "description": "Leaf hash and code, as per BIP341 and https://github.com/rust-bitcoin/rust-bitcoin/blob/464202109d2b2c96e9b4867461bffe420dbd8177/bitcoin/src/crypto/sighash.rs#L691", "required": [ "leaf_hash", "code_separator" ], "properties": { "code_separator": { "type": "integer", "format": "int32", "description": "Code separator", "minimum": 0 }, "leaf_hash": { "type": "string", "description": "Taproot-tagged hash with tag \"TapLeaf\"." } } }, "BtcMessageSignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. 
Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "data" ], "properties": { "data": { "type": "string", "description": "Message to sign as a hex-encoded byte string.", "example": "0xdeadbeef13c0ffee" }, "is_p2sh": { "type": "boolean", "description": "For segwit, sign the message as p2sh-p2wpkh instead of p2wpkh" } } } ], "description": "Data to sign" }, "BtcMessageSignResponse": { "type": "object", "description": "BTC message signing response", "required": [ "sig" ], "properties": { "sig": { "type": "string", "description": "The base64-encoded signature in BIP137 format." } } }, "BtcSighashType": { "type": "string", "enum": [ "All", "None", "Single", "AllPlusAnyoneCanPay", "NonePlusAnyoneCanPay", "SinglePlusAnyoneCanPay" ] }, "BtcSignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. 
It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "tx", "sig_kind" ], "properties": { "sig_kind": { "$ref": "#/components/schemas/BtcSignatureKind" }, "tx": { "$ref": "#/components/schemas/BtcTx" } } } ] }, "BtcSignatureKind": { "oneOf": [ { "type": "object", "required": [ "Segwit" ], "properties": { "Segwit": { "type": "object", "description": "Segregated Witness", "required": [ "input_index", "script_code", "value", "sighash_type" ], "properties": { "input_index": { "type": "integer", "description": "Transaction input index", "example": 0, "minimum": 0 }, "script_code": { "type": "string", "description": "Script", "example": "0x76a91479091972186c449eb1ded22b78e40d009bdf008988ac" }, "sighash_type": { "$ref": "#/components/schemas/BtcSighashType" }, "tweak": { "type": "string", "description": "Optional tweak to apply to the key before signing.\n\nWhen supplied, this field must contain a base-64 string encoding a vector of\nexactly 32 bytes, which are used to compute the tweaked public key. 
See the\nCubeSigner documentation for more information on the Segwit tweaking procedure.", "example": "F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=", "nullable": true }, "value": { "type": "integer", "format": "int64", "description": "The total amount of the input (in satoshis).", "example": 1000000, "minimum": 0 } } } } } ] }, "BtcTx": { "type": "object", "example": { "input": [ { "previous_output": "77541aeb3c4dac9260b68f74f44c973081a9d4cb2ebe8038b2d70faa201b6bdb:1", "script_sig": "", "sequence": 4294967294, "witness": [] } ], "lock_time": 1170, "output": [ { "script_pubkey": "76a914a457b684d7f0d539a46a45bbc043f35b59d0d96388ac", "value": 199996600 }, { "script_pubkey": "76a914fd270b1ee6abcaea97fea7ad0402e8bd8ad6d77c88ac", "value": 800000000 } ], "version": 1 } }, "BtcTxOut": { "type": "object", "required": [ "value", "script_pubkey" ], "properties": { "script_pubkey": { "type": "string", "description": "The script which must be satisfied for the output to be spent." }, "value": { "type": "integer", "format": "int64", "description": "The value of the output, in satoshis.", "minimum": 0 } } }, "ChallengePieces": { "type": "object", "description": "Describes how to derive a WebAuthn challenge value.", "required": [ "preimage", "random_seed" ], "properties": { "preimage": { "type": "string", "description": "A base64url encoding of UTF8 JSON. 
The data in that JSON is endpoint specific, and describes what this FIDO challenge will be used for.\n\nClients can use `preimage` along with `random_seed` to reconstruct the challenge like so:\n\n`challenge = HMAC-SHA256(key=random_seed, message=preimage)`" }, "random_seed": { "type": "string", "description": "A random seed that prevents replay attacks" } } }, "ClientProfile": { "type": "object", "description": "Client information representing the nature of front-end in [`ClientSessionMetadata`] and reflected in [`SessionMetadata`].", "properties": { "agent": { "type": "string", "description": "Agent/Product name", "example": "Mozilla Firefox", "nullable": true }, "engine": { "type": "string", "description": "Name of the engine", "example": "Gecko", "nullable": true }, "version": { "type": "string", "description": "Agent/product version", "example": "41.2", "nullable": true } } }, "ClientSessionInfo": { "type": "object", "description": "Session information sent to the client.\nThis struct works in tandem with its server-side counterpart [`SessionData`].", "required": [ "session_id", "auth_token", "refresh_token", "epoch", "epoch_token", "auth_token_exp", "refresh_token_exp" ], "properties": { "auth_token": { "type": "string", "description": "Token to use for authorization." 
}, "auth_token_exp": { "$ref": "#/components/schemas/EpochDateTime" }, "epoch": { "type": "integer", "format": "int32", "description": "Epoch at which the token was last refreshed", "minimum": 0 }, "epoch_token": { "$ref": "#/components/schemas/B32" }, "refresh_token": { "type": "string", "description": "Token to use for refreshing the `(auth, refresh)` token pair" }, "refresh_token_exp": { "$ref": "#/components/schemas/EpochDateTime" }, "session_id": { "type": "string", "description": "Session ID" } } }, "ClientSessionMetadata": { "type": "object", "description": "Attributes that are expected to be provided by the client", "properties": { "client": { "$ref": "#/components/schemas/ClientProfile" }, "os_info": { "$ref": "#/components/schemas/OsInfo" } } }, "CommonFields": { "type": "object", "description": "Fields that are common to different types of resources such as keys", "properties": { "created": { "allOf": [ { "$ref": "#/components/schemas/EpochDateTime" } ], "nullable": true }, "edit_policy": { "$ref": "#/components/schemas/EditPolicy" }, "last_modified": { "allOf": [ { "$ref": "#/components/schemas/EpochDateTime" } ], "nullable": true }, "metadata": { "description": "User-defined metadata. When rendering (e.g., in the browser) you should treat\nit as untrusted user data (and avoid injecting metadata into HTML directly) if\nuntrusted users can create/update keys (or their metadata)." 
}, "version": { "type": "integer", "format": "int64", "description": "Version of this object", "minimum": 0 } } }, "CompleteMfaResetRequest": { "type": "object", "required": [ "token" ], "properties": { "token": { "type": "string", "description": "The reset token emailed to the user", "example": "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f" } } }, "ComputeCountsResponse": { "type": "object", "description": "The number of users and keys in an org, organized by user role and key type", "required": [ "users", "keys" ], "properties": { "keys": { "type": "object", "description": "A map from `KeyType` to the number of keys of that type in the org.", "additionalProperties": { "type": "integer", "minimum": 0 }, "example": { "SecpBtc": 3, "SecpEthAddr": 1 } }, "users": { "type": "object", "description": "A map from `MemberRole` to the number of users with that role in the org.", "additionalProperties": { "type": "integer", "minimum": 0 }, "example": { "Member": 10, "Owner": 1 } } } }, "ConfigureEmailRequest": { "type": "object", "required": [ "sender", "auth" ], "properties": { "auth": { "oneOf": [ { "type": "object", "required": [ "smtp" ], "properties": { "smtp": { "type": "string" } }, "example": { "smtp": "smtps://username%40mysite.com:password@mysite.com:465" } } ] }, "sender": { "type": "string", "description": "The email address that emails will be sent from" }, "template": { "allOf": [ { "type": "object", "description": "The template arguments for email configuration", "required": [ "subject_template", "body_template" ], "properties": { "body_template": { "type": "string", "description": "An HTML template to use for the body." 
}, "subject_template": { "type": "string", "description": "The subject line template" } } } ], "nullable": true } } }, "ConfiguredMfa": { "oneOf": [ { "type": "object", "required": [ "type" ], "properties": { "type": { "type": "string", "enum": [ "totp" ] } } }, { "type": "object", "description": "Named FIDO device (multiple can be configured per user)", "required": [ "name", "discoverable", "id", "created_at", "last_used_at", "aaguid", "type" ], "properties": { "aaguid": { "type": "string", "description": "UUID of the device type" }, "created_at": { "type": "integer", "format": "int64", "description": "Creation date", "minimum": 0 }, "discoverable": { "type": "boolean", "description": "Whether this key was requested to be discoverable." }, "id": { "type": "string", "description": "A unique credential id" }, "last_used_at": { "type": "integer", "format": "int64", "description": "Last used date", "minimum": 0 }, "name": { "type": "string", "description": "A human-readable name given to the key" }, "type": { "type": "string", "enum": [ "fido" ] } } } ], "discriminator": { "propertyName": "type" } }, "ConflictErrorCode": { "type": "string", "enum": [ "ConcurrentRequestDisallowed", "ConcurrentLockCreation" ] }, "Contact": { "allOf": [ { "$ref": "#/components/schemas/CommonFields" }, { "type": "object", "required": [ "name", "owner" ], "properties": { "name": { "type": "string", "description": "The name for the contact. Must be a unique name among contacts in the\norg. The name must consist of alphanumeric characters, spaces, `.` and `-`,\nand cannot be longer than 50 characters.", "example": "Satoshi Nakamoto", "pattern": "^[a-zA-Z0-9 .-]{1,50}$" }, "owner": { "$ref": "#/components/schemas/Id" } } } ], "description": "A contact in the org." 
}, "ContactAddressData": { "oneOf": [ { "allOf": [ { "$ref": "#/components/schemas/BitcoinAddressInfo" }, { "type": "object", "required": [ "network" ], "properties": { "network": { "type": "string", "enum": [ "Bitcoin" ] } } } ] }, { "allOf": [ { "$ref": "#/components/schemas/EvmAddressInfo" }, { "type": "object", "required": [ "network" ], "properties": { "network": { "type": "string", "enum": [ "Evm" ] } } } ] }, { "allOf": [ { "$ref": "#/components/schemas/SuiAddressInfo" }, { "type": "object", "required": [ "network" ], "properties": { "network": { "type": "string", "enum": [ "Sui" ] } } } ] } ], "description": "An address associated with a contact.", "discriminator": { "propertyName": "network" } }, "ContactInfoResponse": { "allOf": [ { "$ref": "#/components/schemas/Contact" }, { "type": "object", "required": [ "id", "addresses" ], "properties": { "addresses": { "$ref": "#/components/schemas/AddressMap" }, "id": { "$ref": "#/components/schemas/Id" } } } ], "description": "Information about a Contact." }, "CreateAndUpdateKeyProperties": { "type": "object", "properties": { "edit_policy": { "allOf": [ { "$ref": "#/components/schemas/EditPolicy" } ], "nullable": true }, "metadata": { "description": "Set this key's metadata. If this value is `null`, the metadata is erased. If the field is\nmissing, the metadata remains unchanged." }, "owner": { "type": "string", "description": "Specify a user other than themselves to be the (potentially new) owner of the key.\nThe specified owner must be an existing user who is a member of the same org.", "example": "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f", "nullable": true }, "policy": { "type": "array", "items": {}, "description": "Set this key's policies. 
For an existing key, this overwrites all its policies.", "example": [ "AllowRawBlobSigning", { "RequireMfa": { "count": 1 } } ], "nullable": true } } }, "CreateContactRequest": { "type": "object", "description": "The information needed to create a Contact.", "required": [ "name" ], "properties": { "addresses": { "$ref": "#/components/schemas/AddressMap" }, "edit_policy": { "allOf": [ { "$ref": "#/components/schemas/EditPolicy" } ], "nullable": true }, "metadata": { "description": "Optional user-defined metadata about the contact.", "nullable": true }, "name": { "type": "string", "description": "The name for the contact. Must be a unique name among contacts in the\norg. Name must consist of alphanumeric characters, spaces, `.` and `-`,\nand cannot be longer than 50 characters.", "example": "Satoshi Nakamoto" } } }, "CreateKeyImportKeyResponse": { "allOf": [ { "$ref": "#/components/schemas/KeyImportKey" }, { "type": "object", "required": [ "enclave_attestation", "enclave_signature" ], "properties": { "enclave_attestation": { "type": "string", "description": "An attestation document from a secure enclave, including an\nRSA signing key used to sign the contents of this message." }, "enclave_signature": { "type": "string", "description": "An RSA-PSS-SHA256 signature on the public key and encrypted\nsecrets attesting to their generation inside a secure enclave." 
} } } ] }, "CreateKeyRequest": { "allOf": [ { "$ref": "#/components/schemas/CreateAndUpdateKeyProperties" }, { "type": "object", "required": [ "key_type", "count" ], "properties": { "chain_id": { "type": "integer", "format": "int64", "description": "Chain id for which the key is allowed to sign messages", "example": 5, "nullable": true, "minimum": 0 }, "count": { "type": "integer", "format": "int32", "description": "Number of keys to create", "example": 1, "maximum": 32, "minimum": 1 }, "key_type": { "$ref": "#/components/schemas/KeyType" } } } ] }, "CreateKeyResponse": { "type": "object", "required": [ "keys" ], "properties": { "keys": { "type": "array", "items": { "$ref": "#/components/schemas/KeyInfo" }, "description": "The info about the created keys" } } }, "CreateOrgRequest": { "type": "object", "required": [ "name" ], "properties": { "metrics_enabled": { "type": "boolean", "description": "Whether to enable metrics for the new organization" }, "name": { "type": "string", "description": "The human readable name of the new organization", "example": "My Cool Org" } } }, "CreatePolicyImportKeyResponse": { "allOf": [ { "$ref": "#/components/schemas/KeyImportKey" }, { "type": "object", "required": [ "enclave_attestation", "enclave_signature" ], "properties": { "enclave_attestation": { "type": "string", "description": "An attestation document from a secure enclave, including an\nRSA signing key used to sign the contents of this message." }, "enclave_signature": { "type": "string", "description": "An RSA-PSS-SHA256 signature on the public key and encrypted\nsecrets attesting to their generation inside a secure enclave." } } } ], "description": "The response to [create_import_key] containing the generated key and enclave\nattestations." 
}, "CreatePolicyRequest": { "type": "object", "description": "Request for creating a named policy", "required": [ "rules", "name", "policy_type" ], "properties": { "edit_policy": { "allOf": [ { "$ref": "#/components/schemas/EditPolicy" } ], "nullable": true }, "metadata": { "description": "Optional metadata.", "nullable": true }, "name": { "type": "string", "description": "The policy name.\nMust be unique among the named policies in this org. Duplicate policy names\nwill be rejected.", "example": "my_policy", "pattern": "^[_a-zA-Z0-9]{3,30}$" }, "policy_type": { "$ref": "#/components/schemas/PolicyType" }, "rules": { "type": "array", "items": {}, "description": "The policy rules.", "example": [ { "RequireMfa": { "count": 1 } } ] } } }, "CreateRoleRequest": { "type": "object", "description": "Optional create role request body", "required": [ "name" ], "properties": { "name": { "type": "string", "description": "A human-readable name for the role.", "example": "my_role", "pattern": "^[_a-zA-Z0-9]{3,30}$" } } }, "CreateRoleResponse": { "type": "object", "description": "The newly created role information", "required": [ "role_id" ], "properties": { "name": { "type": "string", "description": "A human-readable name for the role.", "example": "my_role", "nullable": true, "pattern": "^[a-zA-Z0-9_]{3,30}$" }, "role_id": { "type": "string", "description": "The id of the newly created role", "example": "Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b" } } }, "CreateSessionRequest": { "allOf": [ { "$ref": "#/components/schemas/RatchetConfig" }, { "$ref": "#/components/schemas/ClientSessionMetadata" }, { "type": "object", "required": [ "purpose", "scopes" ], "properties": { "extend_lifetimes": { "type": "boolean", "description": "By default, the requested session and auth lifetimes are truncated to be at most requestor's\nsession and auth lifetime, respectively. To extend the requested lifetimes past the\nrequestor's, set this property to `true` (in which case MFA will be required)." 
}, "purpose": { "type": "string", "description": "A human readable description of the session's purpose", "example": "Manage keys on server foo.bar" }, "scopes": { "type": "array", "items": { "$ref": "#/components/schemas/Scope" }, "description": "Controls what capabilities this session will have.", "example": [ "manage:key:*" ], "minItems": 1 } } } ] }, "CreateTokenRequest": { "allOf": [ { "$ref": "#/components/schemas/RatchetConfig" }, { "$ref": "#/components/schemas/ClientSessionMetadata" }, { "type": "object", "required": [ "purpose" ], "properties": { "purpose": { "type": "string", "description": "A human readable description of the purpose of the key", "example": "Validator Signing" }, "scopes": { "type": "array", "items": { "$ref": "#/components/schemas/Scope" }, "description": "Controls what capabilities this session will have. By default, it has all\nsigning capabilities, i.e., just the 'sign:*' scope.", "example": [ "sign:*" ], "minItems": 1, "nullable": true } } } ] }, "CreationOptionsWithHash": { "allOf": [ { "$ref": "#/components/schemas/ChallengePieces" }, { "type": "object", "required": [ "options" ], "properties": { "options": { "$ref": "#/components/schemas/PublicKeyCredentialCreationOptions" } } } ], "description": "An extended form of `PublicKeyCredentialCreationOptions` that allows clients to derive the WebAuthn challenge\nfrom a structured preimage.\n\nThis ensures that the WebAuthn signature can only be used for a specific purpose." }, "CubeSignerUserInfo": { "type": "object", "required": [ "user_id", "initialized", "configured_mfa" ], "properties": { "configured_mfa": { "type": "array", "items": { "$ref": "#/components/schemas/ConfiguredMfa" }, "description": "All multi-factor authentication methods configured for this user" }, "initialized": { "type": "boolean", "description": "Set once the user successfully logs into CubeSigner" }, "name": { "type": "string", "description": "Optional human name for the user", "nullable": true }, "user_id": { 
"type": "string", "description": "CubeSigner's user identifier" } } }, "DepositTxn": { "type": "object", "description": "Information produced by a successful deposit", "required": [ "new_validator_pk", "chain_id", "deposit_txn" ], "properties": { "chain_id": { "type": "integer", "format": "int64", "description": "Chain ID for which the deposit transaction was created", "minimum": 1 }, "deposit_txn": { "type": "object", "description": "The deposit transaction. Includes only `to`, `value`, and `data` fields." }, "new_validator_pk": { "type": "string", "description": "The hex-encoded compressed form of the new validator BLS public key" } }, "example": { "chain_id": 5, "deposit_txn": { "data": "0x...", "to": "0xff50ed3d0ec03ac01d4c79aad74928bff48a7b2b", "value": "0x1bc16d674ec800000" }, "new_validator_pk": "9700fbb8c906942442c2a5b3ad7498f27aedda253786a6fbaa8fef47fb7af234e50cf2cce815a553087992ae565d48da" } }, "DepositType": { "type": "string", "description": "The type of deposit to perform", "enum": [ "Canonical", "Wrapper" ] }, "DeriveKeyRequest": { "allOf": [ { "$ref": "#/components/schemas/CreateAndUpdateKeyProperties" }, { "type": "object", "required": [ "key_type", "derivation_path", "mnemonic_id" ], "properties": { "derivation_path": { "type": "array", "items": { "type": "string" }, "description": "List of derivation paths for which to derive.", "example": [ "m/44'/60'/0'/0/0", "m/44'/9000'/0'/0/0" ], "maxItems": 32, "minItems": 1 }, "idempotent": { "type": "boolean", "description": "When false (the default), nothing is returned when a derived key already\nexists. When true, returns the KeyInfo struct for keys that already exist\nif caller is allowed to list that key." 
}, "key_type": { "$ref": "#/components/schemas/KeyType" }, "mnemonic_id": { "type": "string", "description": "Material-id of the mnemonic to use for derivation.", "example": "0x9f07be82d934fcb5d0f75dd24c2dfea8a85a4d0c289d58828b3537fae24d32b8" } } } ], "description": "Request to derive keys for one type from a specified mnemonic." }, "DeriveKeysRequest": { "allOf": [ { "$ref": "#/components/schemas/CreateAndUpdateKeyProperties" }, { "type": "object", "required": [ "key_types_and_derivation_paths" ], "properties": { "idempotent": { "type": "boolean", "description": "When false (the default), nothing is returned when a derived key already\nexists. When true, returns the KeyInfo struct for keys that already exist\nif caller is allowed to list that key." }, "key_types_and_derivation_paths": { "type": "array", "items": { "$ref": "#/components/schemas/KeyTypeAndDerivationPath" }, "description": "Key types and corresponding paths for derivation, plus optional\npolicies to include for specific keys. It is an error to specify\na policy that does not apply to the corresponding key type.", "example": [ { "derivation_path": "m/44'/60'/0'/0/0", "key_type": "SecpEthAddr" }, { "derivation_path": "m/11'/22'/33", "key_type": "TaprootBtc", "policy": [ "AllowRawBlobSigning" ] } ], "maxItems": 32, "minItems": 1 }, "mnemonic_id": { "type": "string", "description": "Material-id of the mnemonic to use for derivation. If unspecified,\na new mnemonic is first created.", "example": "0x9f07be82d934fcb5d0f75dd24c2dfea8a85a4d0c289d58828b3537fae24d32b8", "nullable": true } } } ], "description": "Request to derive keys for multiple types from a specified mnemonic." }, "DiffieHellmanRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. 
It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "points" ], "properties": { "points": { "type": "array", "items": { "type": "string" }, "description": "The set of serialized elliptic curve points from which to compute shared secrets.\nThe serialization format of these points depends on the key type; see the CubeSigner\ndocumentation for more information.", "maxItems": 32, "minItems": 1 }, "public_key": { "type": "string", "description": "An optional NIST P-256 public key (base64-encoded SEC1 with or without compression).\n\nIf provided, the response will be encrypted to this public key using RFC9180\nHPKE-DHKEM(P-256, HKDF-SHA256) with AES-256-GCM as the symmetric cipher.\n\nIf no public key is specified, the results will be returned unencrypted. In this\ncase, the input points should be masked with a random scalar to avoid leaking the\nshared secret in the response; the results can be unmasked via point multiplication\nwith the inverse of the masking scalar.", "example": "AkpLT/3dXApJzXSduaPQ7apyT0ADBwqkt1es/aT0iWWf", "nullable": true } } } ] }, "DiffieHellmanResponse": { "oneOf": [ { "type": "object", "required": [ "points", "response_type" ], "properties": { "points": { "type": "array", "items": { "type": "string" }, "description": "The resulting points as base64-encoded byte strings in a key-type--dependent format." }, "response_type": { "type": "string", "enum": [ "masked" ] } } }, { "type": "object", "required": [ "encrypted_shared_secrets", "ephemeral_public_key", "response_type" ], "properties": { "encrypted_shared_secrets": { "type": "string", "description": "A ciphertext containing the resulting points. The enclosed plaintext is a sequence\nof base64-encoded byte strings in a key-type--dependent format." }, "ephemeral_public_key": { "type": "string", "description": "The ephemeral public key used for HPKE key derivation in base64-encoded\nuncompressed SEC1 serialization." 
}, "response_type": { "type": "string", "enum": [ "encrypted" ] } } } ], "description": "The result of a Diffie Hellman key exchange", "discriminator": { "propertyName": "response_type" } }, "EditPolicy": { "type": "object", "description": "A policy which governs when and who is allowed to update the entity this policy is\nattached to (e.g., a role or a key).\n\nWhen attached to a role, by default, this policy applies to role deletion and all\nrole updates (including adding/removing keys and users); in terms of scopes,\nit applies to `manage:role:update:*` and `manage:role:delete`.\n\nWhen attached to a key, by default, this policy applies to key deletion, all\nkey updates, and adding/removing that key to/from a role; in terms of scopes,\nit applies to `manage:key:update:*`, `manage:key:delete`, `manage:role:update:key:*`.\n\nThis default can be changed by setting the `applies_to_scopes` property.", "properties": { "applies_to_scopes": { "$ref": "#/components/schemas/ScopeSet" }, "mfa": { "allOf": [ { "$ref": "#/components/schemas/MfaPolicy" } ], "nullable": true }, "time_lock_until": { "allOf": [ { "$ref": "#/components/schemas/EpochDateTime" } ], "nullable": true } } }, "Eip191SignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "data" ], "properties": { "data": { "type": "string", "description": "EIP-191 data to sign as hex-encoded bytes.", "example": "0xdeadbeef13c0ffee" } } } ] }, "Eip712SignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. 
Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "typed_data", "chain_id" ], "properties": { "chain_id": { "type": "integer", "format": "int64", "description": "The chain-id to which this typed data will be sent", "minimum": 1 }, "typed_data": { "$ref": "#/components/schemas/TypedData" } } } ], "example": { "chain_id": 1337, "typed_data": { "domain": { "chainId": 1337, "name": "Ether Mail", "salt": "0x0000000000000000000000000000000000000000000000000000000000000000", "verifyingContract": "0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC", "version": "1" }, "message": { "contents": "Hello, Bob!", "from": { "name": "Cow", "wallets": [ "0xCD2a3d9F938E13CD947Ec05AbC7FE734Df8DD826", "0xDeaDbeefdEAdbeefdEadbEEFdeadbeEFdEaDbeeF" ] }, "to": { "name": "Bob", "wallets": [ "0xbBbBBBBbbBBBbbbBbbBbbbbBBbBbbbbBbBbbBBbB", "0xB0BdaBea57B0BDABeA57b0bdABEA57b0BDabEa57", "0xB0B0b0b0b0b0B000000000000000000000000000" ] } }, "primaryType": "Mail", "types": { "EIP712Domain": [ { "name": "name", "type": "string" }, { "name": "version", "type": "string" }, { "name": "chainId", "type": "uint256" }, { "name": "verifyingContract", "type": "address" }, { "name": "salt", "type": "bytes32" } ], "Group": [ { "name": "name", "type": "string" }, { "name": "members", "type": "Person[]" } ], "Mail": [ { "name": "from", "type": "Person" }, { "name": "to", "type": "Person" }, { "name": "contents", "type": "string" } ], "Person": [ { "name": "name", "type": "string" }, { "name": "wallets", "type": "address[]" } ] } } } }, "Email": { "type": "string" }, "EmailOtpAnswer": { "type": "object", "description": "An answer to the challenge returned by the `mfa_email_init` endpoint.", "required": [ "token" ], "properties": { "token": { "type": "string", "description": "Full JWT token, 
constructed by concatenating the \"partial token\"\n(i.e., `{header}.{payload}.`) returned by the `mail_email_init` endpoint\nand the signature sent to the user's email." } } }, "EmailOtpRequest": { "type": "object", "description": "The request users send to initiate email OTP", "required": [ "email" ], "properties": { "email": { "type": "string", "description": "The email which will receive the OTP" } } }, "EmailOtpResponse": { "type": "object", "description": "The HTTP response to an email OTP request.\n\nThis response contains an OIDC token without a signature.\nThe signature is sent to the end-user in an email.\nThe token can be reconstructed by concatenating the `partial_token` with the signature.", "required": [ "partial_token" ], "properties": { "partial_token": { "type": "string", "description": "The OIDC token without the signature.\n(The signature, which is actually a MAC, is sent to the end-user in an email)" } } }, "EmailPreferences": { "allOf": [ { "$ref": "#/components/schemas/OrgAlertsPrefs" }, { "type": "object", "properties": { "login_notifications": { "type": "boolean", "description": "If true, send notifications on every login", "nullable": true }, "new_device": { "type": "boolean", "description": "If true, send notifications when logging in from a new device.\nnew_device takes precedence over login_notifications. E.g., email for\nnew_device is sent instead of a general login notification email when a\nnew device is detected", "nullable": true }, "pending_approvals": { "type": "boolean", "description": "If true, send email notifications for mfa approvals", "nullable": true } } } ], "description": "Describes email preferences at an Org level - what emails to send and options associated" }, "EmailResetRequest": { "type": "object", "description": "Request to reset verified email.", "required": [ "email" ], "properties": { "allow_otp_login": { "type": "boolean", "description": "Whether this email should be usable for email OTP login. 
The request\nwill fail if this field is set to `true`, and the org does not have\nemail OTP enabled. Default: `false`", "nullable": true }, "email": { "type": "string", "description": "The email to register" } } }, "Empty": { "default": null, "nullable": true }, "EmptyImpl": { "type": "object", "required": [ "status" ], "properties": { "status": { "type": "string" } } }, "EotsCreateNonceRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "chain_id", "start_height", "num" ], "properties": { "chain_id": { "type": "string", "description": "The chain id for which the nonces will be used, as a hex string", "example": "0x11223344" }, "num": { "type": "integer", "format": "int32", "description": "The number of nonces to generate", "example": 16, "maximum": 10000, "minimum": 1 }, "start_height": { "type": "string", "description": "The starting block height of the generated nonces (quoted decimal u64)", "example": "31337" } } } ], "description": "Request to create a set of EOTS nonces for a specified chain-id, starting\nat a specified block height." }, "EotsCreateNonceResponse": { "type": "object", "description": "Response generated when creating EOTS nonces", "required": [ "nonces" ], "properties": { "nonces": { "type": "array", "items": { "type": "string" }, "description": "The generated nonces as an array of 0x-prefixed hex strings", "example": [ "0xb393bf39e71a16d784853d58255a296222a99fd3c87aa7ca206c5230c188f1c7", "0xe01936584b4f0c0e97f0d3018c4f9db2bf7de41395c6403a48fd0dff0ef7b40d" ] } } }, "EotsSignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. 
Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "chain_id", "block_height", "message" ], "properties": { "block_height": { "type": "string", "description": "The block height for the signature (quoted decimal u64)", "example": "123456" }, "chain_id": { "type": "string", "description": "The chain id for the signature", "example": "0x11223344" }, "message": { "type": "string", "description": "The message to sign", "example": "0x5a2688faea09d42b9270fdb8de6fff6f192243a910ba66329073e12e0d0046a2" } } } ], "description": "Request for an EOTS signature on a specified message, chain-id, block-height triple" }, "Epoch": { "type": "string", "description": "Epoch is a quoted `uint64`.", "example": "256" }, "EpochDateTime": { "type": "integer", "format": "int64", "description": "DateTime measured in seconds since unix epoch.\nA wrapper type for serialization that encodes a [`SystemTime`] as a [`u64`]\nrepresenting the number of seconds since [`SystemTime::UNIX_EPOCH`].", "minimum": 0 }, "ErrorObj": { "type": "object", "required": [ "code", "message" ], "properties": { "code": { "type": "integer", "format": "int32", "description": "Code" }, "data": { "description": "Optional data", "nullable": true }, "message": { "type": "string", "description": "Message" } } }, "ErrorResponse": { "type": "object", "description": "The structure of ErrorResponse must match the response template that AWS uses", "required": [ "message", "error_code" ], "properties": { "accepted": { "allOf": [ { "$ref": "#/components/schemas/AcceptedValue" } ], "nullable": true }, "error_code": { "$ref": "#/components/schemas/SignerErrorCode" }, "message": { "type": "string", "description": "Error message" }, "request_id": { "type": "string", "description": "Optional request 
identifier" } } }, "EsploraRequest": { "type": "object", "description": "Esplora request", "required": [ "network", "path", "method" ], "properties": { "body": { "type": "string", "description": "HTTP body", "nullable": true }, "method": { "type": "string", "description": "HTTP method" }, "network": { "type": "string", "enum": [ "mainnet", "testnet", "signet" ] }, "path": { "type": "string", "description": "HTTP relative path (which comes after '/{network}/api/')" } } }, "EsploraResponse": {}, "Eth1SignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "tx", "chain_id" ], "properties": { "chain_id": { "type": "integer", "format": "int64", "description": "The chain id to set in the given transaction.", "minimum": 1 }, "tx": { "$ref": "#/components/schemas/Transaction" } } } ], "description": "EVM transaction signing request.", "example": { "chain_id": 43113, "tx": { "chain_id": "0xa869", "gas": "0x61a80", "maxFeePerGas": "0x9502F900", "maxPriorityFeePerGas": "0x50", "nonce": "0xb", "to": "0xf00ba12f00000000b4121200000f00c0ffeef00d", "type": "0x2", "value": "0x10000000000" } } }, "Eth1SignResponse": { "type": "object", "required": [ "rlp_signed_tx" ], "properties": { "rlp_signed_tx": { "type": "string", "description": "Hex-encoded RLP encoding of the transaction and its signature", "example": "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" } } }, "Eth2SignRequest": { "type": "object", "required": [ "network", "eth2_sign_request" ], "properties": { "eth2_sign_request": { "type": "object", "description": "Subset of the Web3Signer Eth2 BLS signing request whose schema is 
defined\n[here](https://consensys.github.io/web3signer/web3signer-eth2.html#tag/Signing/operation/ETH2_SIGN).\nWe handle deposits and voluntary exits separately." }, "network": { "$ref": "#/components/schemas/Network" } }, "example": { "eth2_sign_request": { "aggregation_slot": { "slot": "36" }, "fork_info": { "fork": { "current_version": "0x42424242", "epoch": "0", "previous_version": "0x42424242" }, "genesis_validators_root": "0x9d13d61212c067e02ce8e608a7007e2c3b02571e9e6f27ff45dfa91bf27c870b" }, "signingRoot": "0x9c57e77c4965727542b9337df6756f948464bca3859bea6ed3c0ec6600d8982a", "type": "AGGREGATION_SLOT" }, "network": "mainnet" } }, "Eth2SignResponse": { "type": "object", "required": [ "signature" ], "properties": { "signature": { "type": "string", "description": "Hex encoded signature prefixed with 0x e.g. \"0x0000...\"", "example": "0xb4f2ef9d12a54e1f569596c07c97d6d730535b6ffc0d287761dc78103a86326782471a04c75ce7a6faea08ca9a4a0830031cdcb893da8711d54aa22619f1a7e71b8185ddf4c6bfd9babbd735960e35e56bd6eeb89625b04850e7a9ef8846e549" } } }, "Event": { "allOf": [ { "$ref": "#/components/schemas/EventData" }, { "type": "object", "required": [ "org", "utc_timestamp" ], "properties": { "event_id": { "type": "string", "description": "Unique identifier of an event." }, "org": { "$ref": "#/components/schemas/Id" }, "origin": { "type": "string", "description": "The origin header of the request that triggered this event" }, "request_id": { "type": "string", "description": "The ID of the request that triggered this event" }, "utc_timestamp": { "type": "integer", "format": "int64", "description": "The timestamp of the event (in milliseconds since the Unix Epoch)", "minimum": 0 } } } ], "description": "Representation of an event. This type is used to serialize events to CloudWatch Logs and to\ndeserialize them when analyzing the logs." 
}, "EventData": { "oneOf": [ { "allOf": [ { "$ref": "#/components/schemas/BillingArgs" }, { "type": "object", "required": [ "event" ], "properties": { "event": { "type": "string", "enum": [ "cubist::billing" ] } } } ] }, { "allOf": [ { "$ref": "#/components/schemas/OrgEventArgs" }, { "type": "object", "required": [ "event" ], "properties": { "event": { "type": "string", "enum": [ "cubist::org_event" ] } } } ] } ], "description": "Data associated with an event. Depending on the event type (i.e., billing or org event),\ndifferent fields are used.", "discriminator": { "propertyName": "event" } }, "EvmAddressInfo": { "type": "object", "description": "An EVM address and its chain.", "required": [ "address" ], "properties": { "address": { "type": "string", "description": "The EVM address.", "example": "0x52f6c0b306e66893c0414abb70951c4dac15a969" }, "chain": { "type": "string", "description": "The EVM chain this address belongs to **as a hex string**. The string\nmust start with \"0x\" and have an even length. 
If the chain is omitted,\nthe address is allowed to be used on any EVM chain, and is referred to\nas a global EVM address.", "example": "0x01", "nullable": true } } }, "EvmTxCmp": { "type": "object", "properties": { "grace": { "type": "integer", "format": "int64", "description": "To prevent replay attacks, any given MFA receipt is normally allowed to be used only once.\n\nIn this case, however, because EVM transactions already have a replay prevention mechanism\n(namely the 'nonce' property), we allow the user to specify a grace period (in seconds) to\nindicate how long an MFA receipt should remain valid after its first use.\n\nNote that we allow both 'grace' and 'ignore_nonce' to be set because once an MFA request\nenters its grace period we unconditionally set its 'ignore_nonce' property to 'false' to\nensure that any subsequent requests that claim the same receipt must sign for the same\nnonce as the request we signed originally with that receipt.\n\nAlso note that the grace period cannot extend the lifetime of an MFA request beyond its\noriginal expiration date.\n\nThe grace period must not be greater than 30 days.", "nullable": true, "minimum": 0 }, "ignore_gas": { "type": "boolean", "description": "Whether the 'gas' property of the EVM transaction is allowed to be different." }, "ignore_nonce": { "type": "boolean", "description": "Whether the 'nonce' property of the EVM transaction is allowed to be different." 
} } }, "EvmTxDepositErrorCode": { "type": "string", "enum": [ "EvmTxDepositReceiverMismatch", "EvmTxDepositEmptyData", "EvmTxDepositEmptyChainId", "EvmTxDepositEmptyReceiver", "EvmTxDepositUnexpectedValue", "EvmTxDepositUnexpectedDataLength", "EvmTxDepositNoAbi", "EvmTxDepositNoDepositFunction", "EvmTxDepositUnexpectedFunctionName", "EvmTxDepositUnexpectedValidatorKey", "EvmTxDepositInvalidValidatorKey", "EvmTxDepositMissingDepositArg", "EvmTxDepositWrongDepositArgType", "EvmTxDepositValidatorKeyNotInRole", "EvmTxDepositUnexpectedWithdrawalCredentials", "EvmTxDepositUnresolvedRole", "EvmTxDepositInvalidDepositEncoding" ] }, "ExecutionSource": { "type": "string", "description": "The source of a policy execution, i.e. the reason it was executed.", "enum": [ "SignRequest", "UserInvocation" ] }, "FeeType": { "type": "string", "description": "This type specifies the interpretation of the `fee` field in Babylon\nstaking requests. If `sats`, the field is interpreted as a fixed value\nin sats. If `sats_per_vb`, the field is interpreted as a rate and the\nfee is computed by estimating the weight of the output transaction.", "enum": [ "sats", "sats_per_kwu", "sats_per_vb" ] }, "FidoAssertAnswer": { "type": "object", "description": "Sent from the client to the server to answer a fido challenge", "required": [ "challenge_id", "credential" ], "properties": { "challenge_id": { "type": "string", "description": "The ID of the challenge that was returned from the POST endpoint" }, "credential": { "$ref": "#/components/schemas/PublicKeyCredential" } } }, "FidoAssertChallenge": { "allOf": [ { "allOf": [ { "$ref": "#/components/schemas/ChallengePieces" }, { "type": "object", "required": [ "options" ], "properties": { "options": { "$ref": "#/components/schemas/PublicKeyCredentialRequestOptions" } } } ], "description": "An extended form of `PublicKeyCredentialRequestOptions` that allows clients to derive the WebAuthn challenge\nfrom a structured preimage.\n\nThis ensures that the WebAuthn 
signature can only be used for a specific purpose" }, { "type": "object", "required": [ "challenge_id" ], "properties": { "challenge_id": { "type": "string", "description": "The id of the challenge. Must be supplied when answering the challenge." } } } ] }, "FidoCreateChallengeAnswer": { "type": "object", "description": "Sent from the client to the server to answer a fido challenge", "required": [ "challenge_id", "credential" ], "properties": { "challenge_id": { "type": "string", "description": "The ID of the challenge that was returned from the POST endpoint" }, "credential": { "$ref": "#/components/schemas/PublicKeyCredential" } } }, "FidoCreateChallengeResponse": { "allOf": [ { "allOf": [ { "$ref": "#/components/schemas/ChallengePieces" }, { "type": "object", "required": [ "options" ], "properties": { "options": { "$ref": "#/components/schemas/PublicKeyCredentialCreationOptions" } } } ], "description": "An extended form of `PublicKeyCredentialCreationOptions` that allows clients to derive the WebAuthn challenge\nfrom a structured preimage.\n\nThis ensures that the WebAuthn signature can only be used for a specific purpose" }, { "type": "object", "required": [ "challenge_id" ], "properties": { "challenge_id": { "type": "string", "description": "The id of the challenge. Must be supplied when answering the challenge." } } } ], "description": "Sent by the server to the client. 
Contains the challenge data that must be\nused to generate a new credential" }, "FidoCreateRequest": { "type": "object", "description": "Declares intent to register a new FIDO key", "required": [ "name" ], "properties": { "discoverable": { "type": "boolean", "description": "Whether this key can be used for passwordless login" }, "name": { "type": "string", "description": "A human-readable name for the new fido credential", "example": "Work Yubikey" }, "request_device_identifier": { "type": "boolean", "description": "Whether to request the unique authenticator device manufacturer identifier.\nThis information can be used to render the manufacturer name (e.g., \"YubiKey\",\nor \"Google Password Manager\", or \"1Password\", etc.). When requested, some user\nagents (e.g., Firefox) will ask the user to agree or disagree, whereas some\n(e.g., Chrome) will silently agree." } } }, "ForbiddenErrorCode": { "type": "string", "enum": [ "CannotAssumeIdentity", "SentryDisallowed", "PasskeyLoginDisabled", "PasskeyNotRegistered", "CannotCreateOrg", "WrongMfaEmailOtpJwt", "OrgFlagNotSet", "FidoRequiredToRemoveTotp", "OidcIdentityLimitReached", "OidcScopeCeilingMissing", "OidcIssuerNotAllowedForMemberRole", "OidcNoMemberRolesAllowed", "EmailOtpNotConfigured", "MfaChallengeExpired", "ChainIdNotAllowed", "InvalidOrg", "OrgIdMismatch", "SessionForWrongOrg", "SelfDelete", "SelfDisable", "InvalidOrgMembershipRoleChange", "UserDisabled", "OrgDisabled", "OrgNotFound", "OrgWithoutOwner", "OrphanedUser", "OidcUserNotFound", "UserNotInOrg", "UserNotOrgOwner", "UserNotKeyOwner", "InvalidRole", "DisabledRole", "KeyDisabled", "KeyNotInRole", "ContactNotInOrg", "UserExportRequestNotInOrg", "UserExportRequestInvalid", "UserExportDisabled", "UserNotOriginalKeyOwner", "UserNotInRole", "MustBeFullMember", "SessionExpired", "SessionChanged", "SessionRevoked", "ExpectedUserSession", "SessionRoleChanged", "ScopedNameNotFound", "SessionInvalidEpochToken", "SessionInvalidRefreshToken", 
"SessionRefreshTokenExpired", "InvalidAuthHeader", "SessionNotFound", "InvalidArn", "SessionInvalidAuthToken", "SessionAuthTokenExpired", "SessionPossiblyStolenToken", "MfaDisallowedIdentity", "MfaDisallowedApprover", "MfaTypeNotAllowed", "MfaNotApprovedYet", "MfaConfirmationCodeMismatch", "MfaHttpRequestMismatch", "MfaRemoveBelowMin", "MfaOrgRequirementNotMet", "MfaRegistrationDisallowed", "TotpAlreadyConfigured", "TotpConfigurationChanged", "MfaTotpBadConfiguration", "MfaTotpBadCode", "MfaTotpRateLimit", "ImproperSessionScope", "FullSessionRequired", "SessionWithoutAnyScopeUnder", "UserRoleUnprivileged", "MemberRoleForbidden", "MfaNotConfigured", "RemoveLastOidcIdentity", "OperationNotAllowed", "OrgExportRetrievalDisabled", "AutoAddBlsKeyToProtectedRole", "UserNotPolicyOwner", "UserNotContactOwner", "LegacySessionCannotHaveScopeCeiling", "RoleInParentOrgNotAllowed", "RemoveKeyFromRoleUserNotAllowed", "SiweChallengeExpired", "SiweMessageNotValid", "SiweMessageInvalidSignature" ] }, "Fork": { "type": "object", "description": "Specifies a fork of the `BeaconChain`, to prevent replay attacks.\nThe schema of `Fork` is defined in the [Beacon chain\nspec](https://github.com/ethereum/consensus-specs/blob/v1.0.1/specs/phase0/beacon-chain.md#fork).", "required": [ "previous_version", "current_version", "epoch" ], "properties": { "current_version": { "type": "string", "description": "Current fork version.", "example": "0x43434343" }, "epoch": { "$ref": "#/components/schemas/Epoch" }, "previous_version": { "type": "string", "description": "Previous fork version.", "example": "0x42424242" } }, "example": { "current_version": "0x00001020", "epoch": "0", "previous_version": "0x00001020" } }, "GenesisData": { "type": "object", "description": "Genesis data as defined in the [Beacon API\nspec](https://ethereum.github.io/beacon-APIs/#/Beacon/getGenesis).\nYou can get the genesis data from the Beacon node's `/eth/v1/beacon/genesis` end-point.\nThis struct definition is originally 
from lighthouse's eth2.", "required": [ "genesis_time", "genesis_validators_root", "genesis_fork_version" ], "properties": { "genesis_fork_version": { "type": "string", "description": "Genesis fork version.", "example": "0x42424242" }, "genesis_time": { "type": "string", "description": "Genesis time", "example": "1679326449" }, "genesis_validators_root": { "type": "string", "description": "Genesis validators root.", "example": "0x270d43e74ce340de4bca2b1936beca0f4f5408d9e78aec4850920baf659d5b69" } } }, "GetKeysInOrgRequest": { "type": "object", "properties": { "key_type": { "allOf": [ { "$ref": "#/components/schemas/KeyType" } ], "nullable": true } } }, "GetUserByEmailResponse": { "type": "object", "required": [ "users" ], "properties": { "users": { "type": "array", "items": { "$ref": "#/components/schemas/UserInOrgInfoWithIdentity" }, "description": "Typically, this array is either empty (if no user with a given email was found)\nor contains a single element, i.e., the user with a given email." 
} } }, "GetUserByOidcResponse": { "type": "object", "properties": { "user": { "allOf": [ { "$ref": "#/components/schemas/UserInOrgInfoWithIdentity" } ], "nullable": true } } }, "HeartbeatRequest": { "type": "object", "description": "Stats pertaining to the sender `cube3signer` instance", "required": [ "num_requests", "num_requests_failed", "num_requests_retried", "num_retries", "current_num_requests_active", "current_num_requests_processing" ], "properties": { "current_num_requests_active": { "type": "integer", "format": "int64", "description": "Number of requests currently active (received but not necessarily being processed yet)", "minimum": 0 }, "current_num_requests_processing": { "type": "integer", "format": "int64", "description": "Number of requests currently being processed by cube3signer", "minimum": 0 }, "ignore": { "type": "boolean", "description": "Do not record metric data from this heartbeat" }, "num_requests": { "type": "integer", "format": "int64", "description": "Number of new requests during this heartbeat period", "minimum": 0 }, "num_requests_failed": { "type": "integer", "format": "int64", "description": "Number of requests that failed during this heartbeat period", "minimum": 0 }, "num_requests_retried": { "type": "integer", "format": "int64", "description": "Number of requests that were retried during this heartbeat period", "minimum": 0 }, "num_retries": { "type": "integer", "format": "int64", "description": "Number of retries during this heartbeat period", "minimum": 0 }, "num_token_refreshes": { "type": "integer", "format": "int64", "description": "Number of times auth token was refreshed during this heartbeat period", "minimum": 0 }, "num_token_refreshes_failed": { "type": "integer", "format": "int64", "description": "Number of times auth token refresh failed during this heartbeat period", "minimum": 0 }, "proxy_version": { "type": "string", "description": "Version of the proxy sending the heart beat request\n\nTODO: Make non-optional once we 
do not support proxies without version information", "nullable": true } } }, "HistoricalDataConfiguration": { "type": "object", "description": "Configuration governing whether and how to save historical data.", "required": [ "tx" ], "properties": { "tx": { "$ref": "#/components/schemas/HistoricalTxConfiguration" } } }, "HistoricalTx": { "type": "object", "description": "A recently signed transaction that we store in the DB.", "required": [ "key_id", "historical_tx_org_id", "operation", "request", "result", "date", "exp_epoch" ], "properties": { "date": { "$ref": "#/components/schemas/EpochDateTime" }, "exp_epoch": { "$ref": "#/components/schemas/EpochDateTime" }, "historical_tx_org_id": { "$ref": "#/components/schemas/Id" }, "key_id": { "$ref": "#/components/schemas/Id" }, "mfa_status": { "allOf": [ { "$ref": "#/components/schemas/Status" } ], "nullable": true }, "operation": { "$ref": "#/components/schemas/OperationKind" }, "request": { "$ref": "#/components/schemas/HttpRequest" }, "request_id": { "type": "string", "description": "Original request id", "nullable": true }, "result": { "description": "Operation-specific result" }, "role_id": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true }, "user_id": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true } } }, "HistoricalTxConfiguration": { "type": "object", "description": "Configuration governing whether and how to save historical transactions.", "properties": { "lifetime": { "allOf": [ { "$ref": "#/components/schemas/Seconds" } ], "nullable": true } } }, "HttpRequest": { "type": "object", "description": "Information about the request.\n\nCaptures all the relevant info (including the request body) about requests that require MFA.\nWe use this to verify that when a request is resumed (after obtaining necessary MFA approvals)\nit is exactly the same as it originally was.", "required": [ "method", "path" ], "properties": { "body": { "type": "object", "description": "HTTP 
request body", "nullable": true }, "method": { "type": "string", "description": "HTTP method of the request" }, "path": { "type": "string", "description": "HTTP path of the request, excluding the host" } } }, "HttpRequestCmp": { "oneOf": [ { "type": "string", "description": "The requests must match exactly. Any given MFA receipt can be used at most once.", "enum": [ "Eq" ] }, { "type": "object", "required": [ "EvmTx" ], "properties": { "EvmTx": { "$ref": "#/components/schemas/EvmTxCmp" } } }, { "type": "object", "required": [ "SolanaTx" ], "properties": { "SolanaTx": { "$ref": "#/components/schemas/SolanaTxCmp" } } } ], "description": "How to compare HTTP requests when verifying MFA receipt (see [MfaRequest::verify_request])" }, "Id": { "type": "string" }, "IdentityInfo": { "allOf": [ { "$ref": "#/components/schemas/OidcIdentity" }, { "$ref": "#/components/schemas/OidcUserInfo" }, { "type": "object" } ], "description": "Information about a linked OIDC identity including unique identifiers and user info\n(e.g., email)" }, "IdentityProof": { "allOf": [ { "type": "object", "description": "Evidence is used in non-custodial deployments to prove to a third-party that\na user has indeed authenticated with CubeSigner.\n\nThis evidence can be obtained by either logging in with an OIDC token or with\na CubeSigner session token. 
In the latter case, no [Proof::aud] is set.", "required": [ "exp_epoch" ], "properties": { "aud": { "allOf": [ { "$ref": "#/components/schemas/Aud" } ], "nullable": true }, "email": { "type": "string", "description": "The email associated with the user", "example": "user@email.com", "nullable": true }, "exp_epoch": { "$ref": "#/components/schemas/EpochDateTime" }, "identity": { "allOf": [ { "$ref": "#/components/schemas/OidcIdentity" } ], "nullable": true }, "preferred_username": { "type": "string", "description": "The username (if any) associated with the user", "example": "cubistdev", "nullable": true }, "user_info": { "allOf": [ { "$ref": "#/components/schemas/CubeSignerUserInfo" } ], "nullable": true } } }, { "type": "object", "required": [ "id" ], "properties": { "id": { "type": "string", "description": "An opaque identifier for the proof" } } } ], "description": "Proof that an end-user provided CubeSigner with a valid auth token\n(either an OIDC token or a CubeSigner session token)" }, "IdpConfig": { "type": "object", "description": "IDP configuration", "properties": { "throttle": { "allOf": [ { "$ref": "#/components/schemas/ThrottleConfig" } ], "nullable": true }, "users": { "type": "array", "items": { "$ref": "#/components/schemas/MemberRole" }, "description": "Enable for certain user roles", "uniqueItems": true, "nullable": true } } }, "ImportKeyRequest": { "allOf": [ { "$ref": "#/components/schemas/KeyImportKey" }, { "$ref": "#/components/schemas/CreateAndUpdateKeyProperties" }, { "type": "object", "required": [ "key_material", "key_type" ], "properties": { "idempotent": { "type": "boolean", "description": "When false (the default), nothing is returned when an imported key already\nexists. When true, returns the KeyInfo struct for keys that already exist\nif caller is allowed to list that key." 
}, "key_material": { "type": "array", "items": { "$ref": "#/components/schemas/ImportKeyRequestMaterial" }, "description": "A set of encrypted keys to be imported", "maxItems": 32, "minItems": 1 }, "key_type": { "$ref": "#/components/schemas/KeyType" } } } ] }, "ImportKeyRequestMaterial": { "type": "object", "required": [ "ikm_enc", "salt", "client_public_key" ], "properties": { "client_public_key": { "type": "string", "description": "The client's ephemeral public key used to derive a shared key.\nThis is a base64-encoded, SEC1-encoded P384 public key." }, "ikm_enc": { "type": "string", "description": "The encrypted keying material to be imported.\nThis is a base64-encoded ciphertext." }, "salt": { "type": "string", "description": "A salt value used to derive a shared key.\nThis is a base64-encoded byte string." } } }, "ImportableSecrets": { "type": "object", "description": "Helper type for enforcing validation before having access to the configs and import key.", "properties": { "import_key": { "allOf": [ { "$ref": "#/components/schemas/KeyImportKey" } ], "nullable": true }, "secrets": { "type": "object", "description": "The policy secrets.", "additionalProperties": { "$ref": "#/components/schemas/SecretValue" }, "nullable": true } } }, "InternalErrorCode": { "type": "string", "enum": [ "NoMaterialId", "UnresolvedPolicyReference", "FidoKeyAssociatedWithMultipleUsers", "ClaimsParseError", "InvalidThrottleId", "InvalidEmailAddress", "EmailTemplateRender", "OidcIdentityHeaderMissing", "OidcIdentityParseError", "SystemTimeError", "PasswordHashParseError", "SendMailError", "ReqwestError", "EmailConstructionError", "TsWriteError", "TsQueryError", "DbQueryError", "DbGetError", "DbDeleteError", "DbPutError", "DbUpdateError", "SerdeError", "TestAndSetError", "DbGetItemsError", "DbWriteError", "CubistSignerError", "CwListMetricsError", "CwPutMetricDataError", "GetAwsSecretError", "SecretNotFound", "KmsGenerateRandomError", "MalformedTotpBytes", 
"KmsGenerateRandomNoResponseError", "CreateKeyError", "ParseDerivationPathError", "SplitSignerError", "CreateImportKeyError", "CreateEotsNoncesError", "EotsSignError", "BabylonCovSignError", "CognitoDeleteUserError", "CognitoListUsersError", "CognitoGetUserError", "MissingUserEmail", "CognitoResendUserInvitation", "CognitoSetUserPasswordError", "GenericInternalError", "OidcAuthWithoutOrg", "MissingKeyMetadata", "KmsEnableKeyError", "KmsDisableKeyError", "LambdaInvokeError", "LambdaNoResponseError", "LambdaFailure", "LambdaUnparsableResponse", "SerializeEncryptedExportKeyError", "DeserializeEncryptedExportKeyError", "ReEncryptUserExport", "S3UploadError", "S3DownloadError", "S3CopyError", "S3ListObjectsError", "S3DeleteObjectsError", "S3BuildError", "S3PresignedUrlError", "ManagedStateMissing", "InternalHeaderMissing", "InvalidInternalHeaderValue", "RequestLocalStateAlreadySet", "OidcOrgMismatch", "OidcIssuerInvalidJwk", "InvalidPkForMaterialId", "UncheckedOrg", "SessionOrgIdMissing", "AvaSignCredsMissing", "AvaSignSignatureMissing", "ExpectedRoleSession", "InvalidThirdPartyIdentity", "CognitoGetUser", "SnsSubscribeError", "SnsUnsubscribeError", "SnsGetSubscriptionAttributesError", "SnsSubscriptionAttributesMissing", "SnsSetSubscriptionAttributesError", "SnsPublishBatchError", "InconsistentMultiValueTestAndSet", "MaterialIdError", "InvalidBtcAddress", "HistoricalTxBodyMissing", "InvalidOperation", "ParentOrgNotFound", "OrgParentLoop", "ResolvedParentOrgWithNoScopeCeiling", "InvalidUploadObjectId", "PolicyEngineNotFound", "PolicyEngineError", "PolicySecretsEncryptionError", "CreatePolicyImportKeyError", "InvalidAlias", "EmptyUpdateModifiedObject", "EmptyUpdateModifiedActions", "DbContactAddressesInvalid" ] }, "InvitationAcceptRequest": { "type": "object", "required": [ "token", "auth" ], "properties": { "auth": { "$ref": "#/components/schemas/AuthSource" }, "token": { "type": "string", "description": "Invitation token" } } }, "InviteKind": { "type": "string", 
"description": "Indicates the auth sources allowed to an invited user", "enum": [ "Cognito", "IdpAndSso", "Sso" ] }, "InviteRequest": { "type": "object", "required": [ "email", "name" ], "properties": { "email": { "type": "string", "description": "The user's email address", "example": "alice@acme.com" }, "invite_kind": { "allOf": [ { "$ref": "#/components/schemas/InviteKind" } ], "nullable": true }, "mfa_policy": { "type": "object", "description": "Optional login MFA policy", "nullable": true }, "name": { "type": "string", "description": "The user's full name", "example": "Alice Wonderland" }, "role": { "allOf": [ { "$ref": "#/components/schemas/MemberRole" } ], "nullable": true }, "skip_email": { "type": "boolean", "description": "Skip sending an invitation email to this user if true.\n\nNOTE: this field is for internal testing use ONLY. If you do not\nsend an invitation email (and the invite kind is not SSO), the user will never be able to log in.", "example": "false" } } }, "InvokePolicyRequest": { "type": "object", "description": "A request containing the data that a Wasm policy should be invoked with.", "properties": { "key_id": { "type": "string", "description": "An optional Key ID. If defined, the policy will be invoked as if it is signing\nthe message with this key.", "nullable": true }, "request": { "description": "The \"request body\" that should be sent to the policy.", "nullable": true }, "role_id": { "type": "string", "description": "An optional Role ID. If `None`, the policy will be invoked from the current user session.", "nullable": true } } }, "InvokePolicyResponse": { "type": "object", "description": "The result of invoking a Wasm policy.", "required": [ "response", "stdout", "stderr" ], "properties": { "response": { "$ref": "#/components/schemas/WasmPolicyResponse" }, "stderr": { "type": "string", "description": "The bytes written to `stderr`, encoded as a hex-string.\nIn most cases, these bytes correspond to a UTF-8-encoded `String`." 
}, "stdout": { "type": "string", "description": "The bytes written to `stdout`, encoded as a hex-string.\nIn most cases, these bytes correspond to a UTF-8-encoded `String`." } } }, "JrpcResponse": { "allOf": [ { "$ref": "#/components/schemas/Response" }, { "type": "object" } ] }, "JsonKeyPackage": { "allOf": [ { "oneOf": [ { "type": "object", "description": "A raw key", "required": [ "secret", "material_type" ], "properties": { "material_type": { "type": "string", "enum": [ "raw_secret" ] }, "secret": { "type": "string", "description": "The value of the raw secret" } } }, { "type": "object", "description": "A key derived from a mnemonic", "required": [ "mnemonic", "password", "derivation_path", "material_type" ], "properties": { "derivation_path": { "type": "string", "description": "The derivation path" }, "material_type": { "type": "string", "enum": [ "english_mnemonic" ] }, "mnemonic": { "type": "string", "description": "The mnemonic" }, "password": { "type": "string", "description": "The password (which may be empty)" } } } ], "description": "Key material contained inside a [`JsonKeyPackage`], which can be either\na raw secret or a mnemonic, password, and derivation path.", "discriminator": { "propertyName": "material_type" } }, { "type": "object", "required": [ "key_type" ], "properties": { "key_type": { "type": "string", "description": "The type of key this package represents" } } } ], "description": "A [`KeyPackage`] serialized into a format that gives a tidier JSON\nrepresentation suitable for encryption in the user-export flow.\n\nWe construct values of this type rather than constructing `serde_json::Value`s\ndirectly with `json!()` because this allows us to zeroize values on drop, which\ndoesn't work with `serde_json::Value`.\n\nExamples of serialized material:\n\n- `JsonKeyMaterial::EnglishMnemonic`:\n\n```\nuse cubist_signer_utils::{\nDerivationPath, KeyPackage, Mnemonic, MnemonicPackage, Secp256k1Pkg,\n};\nuse serde_json::json;\n\nconst MNEMONIC: &str = 
\"deposit fiscal brain swarm surround cousin horn glare fix love render believe guide shuffle stem cram broccoli resemble beach artefact language gift jar permit\";\nconst DER_PATH: &str = \"m/44'/60'/0'/0/0\";\nconst KEY_TYPE: &str = \"ecdsa:secp256k1\";\n\nlet mne = Mnemonic::try_from(MNEMONIC).expect(\"good mnemonic\");\nlet derp = DerivationPath::try_from(DER_PATH).expect(\"good der path\");\nlet mne_pkg = MnemonicPackage::new(mne, \"\", derp);\nlet key_pkg = KeyPackage::<Secp256k1Pkg>::EnglishMnemonic(mne_pkg);\nlet json_pkg = key_pkg.into_json(KEY_TYPE);\n\nlet json_expect = json!({\n\"key_type\": KEY_TYPE,\n\"material_type\": \"english_mnemonic\",\n\"mnemonic\": MNEMONIC,\n\"password\": \"\",\n\"derivation_path\": DER_PATH,\n});\n\nassert_eq!(\nserde_json::to_value(&json_pkg).expect(\"json serialization\"),\njson_expect,\n);\n```\n\n- `JsonKeyMaterial::RawSecret`:\n\n```\nuse cubist_signer_utils::{\nget_random_byte_array, hex_encode, KeyPackage, RngCore, Secp256k1Pkg,\n};\nuse serde_json::json;\n\nconst KEY_TYPE: &str = \"ecdsa:secp256k1\";\n\n// random 32-byte secret\nlet sk: [u8; 32] = *get_random_byte_array();\n\nlet key_pkg = KeyPackage::<Secp256k1Pkg>::Secret(sk);\nlet json_pkg = key_pkg.into_json(KEY_TYPE);\n\nlet json_expect = json!({\n\"key_type\": KEY_TYPE,\n\"material_type\": \"raw_secret\",\n\"secret\": hex_encode(&sk),\n});\n\nassert_eq!(\nserde_json::to_value(&json_pkg).expect(\"json serialization\"),\njson_expect,\n);\n```" }, "JwkSetResponse": { "type": "object" }, "KeyCountDimensions": { "type": "object", "required": [ "org_id", "key_type" ], "properties": { "key_type": { "type": "string", "description": "The key type" }, "org_id": { "type": "string", "description": "All metrics must include 'org_id' as a dimension." 
} } }, "KeyDerivationInfo": { "type": "object", "description": "Derivation-related metadata for keys derived from a long-lived mnemonic", "required": [ "mnemonic_id", "derivation_path" ], "properties": { "derivation_path": { "type": "string", "description": "The derivation path used to derive this key" }, "mnemonic_id": { "type": "string", "description": "The mnemonic-id of the key's parent mnemonic" } } }, "KeyImportKey": { "type": "object", "description": "A wrapped key-import key", "required": [ "public_key", "sk_enc", "dk_enc", "expires" ], "properties": { "dk_enc": { "type": "string", "description": "Base64-encoded, encrypted data key." }, "expires": { "type": "integer", "format": "int64", "description": "Expiration timestamp expressed as seconds since the UNIX epoch.", "minimum": 0 }, "public_key": { "type": "string", "description": "The ephemeral public key to which an imported key should be encrypted.\nThis is a P384 public key in base64-encoded uncompressed SECG format." }, "sk_enc": { "type": "string", "description": "Base64-encoded, encrypted secret key." 
} } }, "KeyInRoleInfo": { "type": "object", "required": [ "role_id", "key_id" ], "properties": { "key_id": { "type": "string", "description": "Key ID", "example": "Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148" }, "key_info": { "allOf": [ { "$ref": "#/components/schemas/KeyInfo" } ], "nullable": true }, "policy": { "type": "array", "items": { "type": "object" }, "description": "Policies that are checked before this key is used on behalf of this role", "example": [ { "TxReceiver": "0x8c594691c0e592ffa21f153a16ae41db5befcaaa" }, { "TxDeposit": { "kind": "Canonical" } } ] }, "role_id": { "type": "string", "description": "Role ID", "example": "Role#e427c28a-9c5b-49cc-a257-878aea58a22c" } } }, "KeyInfo": { "allOf": [ { "$ref": "#/components/schemas/CommonFields" }, { "type": "object", "required": [ "key_type", "key_id", "material_id", "purpose", "enabled", "owner", "public_key", "policy" ], "properties": { "derivation_info": { "allOf": [ { "$ref": "#/components/schemas/KeyDerivationInfo" } ], "nullable": true }, "enabled": { "type": "boolean", "description": "Whether the key is enabled (only enabled keys may be used for signing)" }, "key_id": { "type": "string", "description": "The id of the key: \"Key#\" followed by a unique identifier specific to\nthe type of key (such as a public key for BLS or an ethereum address for Secp)", "example": "Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148" }, "key_type": { "$ref": "#/components/schemas/KeyType" }, "material_id": { "type": "string", "description": "A unique identifier specific to the type of key, such as a public key or an ethereum address", "example": "0x8e3484687e66cdd26cf04c3647633ab4f3570148" }, "owner": { "type": "string", "description": "Owner of the key", "example": "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f" }, "policy": { "type": "array", "items": {}, "description": "Key policy", "example": [ "AllowRawBlobSigning", { "RequireMfa": { "count": 1 } } ] }, "public_key": { "type": "string", "description": 
"Hex-encoded, serialized public key. The format used depends on the key type:\n- Secp256k1 keys use 65-byte uncompressed SECG format;\n- Stark keys use 33-byte compressed SECG format;\n- BLS keys use 48-byte compressed BLS12-381 (ZCash) format;\n- Ed25519 keys use the canonical 32-byte encoding specified in RFC 8032.", "example": "0x04d2688b6bc2ce7f9879b9e745f3c4dc177908c5cef0c1b64cff19ae7ff27dee623c64fe9d9c325c7fbbc748bbd5f607ce14dd83e28ebbbb7d3e7f2ffb70a79431" }, "purpose": { "type": "string", "description": "The purpose for which the key can be used (e.g., chain id for which the key is allowed to sign messages)", "example": "Eth2Validator(1)" }, "region": { "type": "string", "description": "The region affinity for this key" } } } ] }, "KeyInfos": { "type": "object", "required": [ "keys" ], "properties": { "keys": { "type": "array", "items": { "$ref": "#/components/schemas/KeyInfo" } } } }, "KeyType": { "type": "string", "enum": [ "SecpEthAddr", "SecpBtc", "SecpBtcTest", "SecpBtcLegacy", "SecpBtcLegacyTest", "SecpAvaAddr", "SecpAvaTestAddr", "BlsPub", "BlsInactive", "BlsAvaIcm", "Ed25519SolanaAddr", "Ed25519SuiAddr", "Ed25519AptosAddr", "Ed25519CardanoAddrVk", "Ed25519StellarAddr", "Ed25519SubstrateAddr", "Mnemonic", "Stark", "BabylonEots", "BabylonCov", "TaprootBtc", "TaprootBtcTest", "SecpCosmosAddr", "P256CosmosAddr", "P256OntologyAddr", "P256Neo3Addr", "Ed25519TendermintAddr", "SecpTronAddr", "Ed25519TonAddr", "SecpDogeAddr", "SecpDogeTestAddr", "SecpKaspaAddr", "SecpKaspaTestAddr", "SchnorrKaspaAddr", "SchnorrKaspaTestAddr", "SecpLtc", "SecpLtcTest", "SecpXrpAddr", "Ed25519XrpAddr", "BabyJubjub" ] }, "KeyTypeAndDerivationPath": { "type": "object", "required": [ "key_type", "derivation_path" ], "properties": { "derivation_path": { "type": "string", "description": "List of derivation paths for which to derive.", "example": "m/44'/60'/0'/0/0" }, "key_type": { "$ref": "#/components/schemas/KeyType" }, "policy": { "type": "array", "items": {}, "description": 
"Policies to apply to this key. It is an error to specify a policy\nthat is not compatible with `key_type`.", "example": [ "AllowRawBlobSigning", { "RequireMfa": { "count": 1 } } ], "nullable": true } } }, "LastEvalKey": { "type": "string", "description": "Wrapper around encrypted [UnencryptedLastEvalKey] bytes.\n\nWe serialize this into a base64url-encoded string and return to the user\nso that they can pass this back to us as a url query parameter." }, "ListIdentitiesResponse": { "type": "object", "description": "Third-party identities associated with the user's account", "required": [ "identities" ], "properties": { "identities": { "type": "array", "items": { "$ref": "#/components/schemas/IdentityInfo" } } } }, "ListMfaResponse": { "type": "object", "required": [ "mfa_requests" ], "properties": { "mfa_requests": { "type": "array", "items": { "$ref": "#/components/schemas/MfaRequestInfo" }, "description": "All pending MFA requests" } } }, "ListPendingMessagesResponse": { "type": "object", "description": "All pending MMI requests created by the current user.", "required": [ "pending_messages" ], "properties": { "pending_messages": { "type": "array", "items": { "$ref": "#/components/schemas/PendingMessageInfo" }, "description": "All pending messages for a user." } } }, "LoginRequest": { "$ref": "#/components/schemas/OidcLoginRequest" }, "MemberRole": { "type": "string", "description": "Describes whether a user in an org is an Owner or just a regular member", "enum": [ "Alien", "Member", "Owner" ] }, "MembershipStatus": { "type": "string", "enum": [ "enabled", "disabled" ] }, "MetricName": { "oneOf": [ { "$ref": "#/components/schemas/OrgMetricDiscriminants" }, { "$ref": "#/components/schemas/TsQueryName" } ], "description": "The name of the metric to compute" }, "MfaPolicy": { "type": "object", "properties": { "allowed_approvers": { "type": "array", "items": { "type": "string" }, "description": "Users who are allowed to approve. 
If empty at creation time, default to the current user." }, "allowed_mfa_types": { "type": "array", "items": { "$ref": "#/components/schemas/MfaType" }, "description": "Allowed approval types. When omitted, defaults to any.", "nullable": true }, "count": { "type": "integer", "format": "int32", "description": "How many users to require to approve (defaults to 1).", "minimum": 0 }, "lifetime": { "$ref": "#/components/schemas/Seconds" }, "num_auth_factors": { "type": "integer", "format": "int32", "description": "How many auth factors to require per user (defaults to 1).", "minimum": 0 }, "request_comparer": { "$ref": "#/components/schemas/HttpRequestCmp" }, "restricted_operations": { "type": "array", "items": { "$ref": "#/components/schemas/OperationKind" }, "description": "CubeSigner operations to which this policy should apply.\nWhen omitted, applies to all operations.", "nullable": true }, "time_delay": { "$ref": "#/components/schemas/Seconds" } }, "example": { "allowed_approvers": [ "User#fabc3f88-04e0-471b-9657-0ae12a3cd73e", "User#d796c369-9974-473b-ab9e-e4a2418d2d07" ], "count": 2, "lifetime": 900 } }, "MfaProtectedAction": { "type": "string", "description": "MFA-protected actions whose MFA requirements are configurable by org owners.\n\nSpecifying the 'CubeSigner' MFA type is never allowed for any of these actions.", "enum": [ "Default", "RegisterMfa", "Login", "ExtendSession", "AddIdentity", "KeyExport" ] }, "MfaRequestInfo": { "type": "object", "description": "Returned as a response from multiple routes (e.g., 'get mfa', 'approve mfa', 'approve totp').", "required": [ "id", "expires_at", "request", "status", "created_by", "provenance" ], "properties": { "created_at": { "$ref": "#/components/schemas/EpochDateTime" }, "created_by": { "type": "string", "description": "The session identity (user or role) that created this request." }, "expires_at": { "$ref": "#/components/schemas/EpochDateTime" }, "id": { "type": "string", "description": "Approval request ID." 
}, "not_valid_until": { "$ref": "#/components/schemas/EpochDateTime" }, "provenance": { "type": "string", "description": "MFA policy provenance", "enum": [ "Key", "KeyInRole", "Role", "User", "EditPolicy" ] }, "receipt": { "allOf": [ { "$ref": "#/components/schemas/Receipt" } ], "nullable": true }, "region": { "type": "string", "description": "The region this MFA request was created in. It can only be redeemed from the same region." }, "related_ids": { "type": "array", "items": { "type": "string" }, "description": "If set, contains the IDs of all MFA requests (including this one!) that\nwere generated at once for the same CubeSigner operation.\n\nIf not set, it means that this was the lone MFA request generated for `request`.\n\nThis is useful so that a client can discover all the MFAs whose receipts must\nbe submitted together to carry out the original CubeSigner operation." }, "request": { "$ref": "#/components/schemas/HttpRequest" }, "status": { "$ref": "#/components/schemas/Status" } } }, "MfaRequirements": { "type": "object", "description": "Org-wide MFA requirements.", "properties": { "alien_login_requirement": { "$ref": "#/components/schemas/SecondFactorRequirement" }, "allowed_mfa_types": { "$ref": "#/components/schemas/AllowedMfaMap" }, "member_login_requirement": { "$ref": "#/components/schemas/SecondFactorRequirement" } } }, "MfaResetRequest": { "type": "object", "required": [ "user_id" ], "properties": { "user_id": { "type": "string", "description": "The id of the user you want to reset MFA for", "example": "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f" } } }, "MfaType": { "type": "string", "format": "'CubeSigner' | 'Fido' | `FidoKey#${string}` | 'Totp' | 'EmailOtp' | `EmailOtp#${number}`", "description": "Different types that can be used to approve an MFA request", "pattern": "^(CubeSigner|Totp|EmailOtp|EmailOtp#\\d+|Fido|FidoKey#[^#\\s]+)$" }, "MfaVote": { "type": "string", "enum": [ "approve", "reject" ] }, "MigrateIdentityItem": { "allOf": [ { "$ref": 
"#/components/schemas/OidcIdentity" }, { "type": "object", "required": [ "user_id" ], "properties": { "user_id": { "type": "string", "description": "The id of the user you want to operate on" } } } ], "description": "An individual item in a MigrateIdentityRequest" }, "MigrateIdentityRequest": { "type": "array", "items": { "$ref": "#/components/schemas/MigrateIdentityItem" }, "description": "A request to add or remove OIDC identities for an existing user" }, "MigrateUpdateUserItem": { "type": "object", "description": "A request to update an existing user.", "required": [ "user_id" ], "properties": { "user_id": { "type": "string", "description": "The id of the user you want to operate on" }, "verified_email": { "type": "string", "description": "Override user's verified email in this org. Use an empty string to indicate that this user's\nverified email should be cleared (and fall back to their display email).", "nullable": true } } }, "MigrateUpdateUsersRequest": { "type": "array", "items": { "$ref": "#/components/schemas/MigrateUpdateUserItem" } }, "MmiMetadata": { "allOf": [ { "allOf": [ { "$ref": "#/components/schemas/MmiMetadataExt" } ], "nullable": true }, { "type": "object", "properties": { "chainId": { "type": "string", "description": "Chain ID (not required when signing a personal message (EIP-191))", "nullable": true }, "custodianPublishesTransaction": { "type": "boolean", "description": "If the custodian should publish the transaction", "nullable": true }, "note": { "type": "string", "description": "A note to be attached to the transaction which can be specified by the user", "nullable": true }, "originUrl": { "type": "string", "description": "The web page/dapp where the transaction originated", "nullable": true }, "rpcUrl": { "type": "string", "description": "User's preferred RPC URL, and it should be the same as the RPC URL for the network corresponding to the Chain ID", "nullable": true }, "transactionCategory": { "type": "string", "description": "The 
category of transaction, as best can be determined by the wallet", "nullable": true } } } ] }, "MmiMetadataExt": { "allOf": [ { "type": "object", "required": [ "customerId", "customerName" ], "properties": { "accounts": { "type": "array", "items": { "type": "object", "required": [ "name", "address" ], "properties": { "address": { "type": "string", "description": "An Ethereum address, hex-encoded, with leading '0x'", "example": "0x0123456789012345678901234567890123456789", "pattern": "^0x[0-9a-fA-F]{40}$" }, "metadata": { "description": "Account metadata" }, "name": { "type": "string", "description": "Account name" }, "tags": { "type": "array", "items": { "type": "object", "required": [ "name", "value" ], "properties": { "name": { "type": "string", "description": "Tag name" }, "value": { "type": "string", "description": "Tag value" } } }, "description": "Ordered list of name-value pairs" } } }, "description": "All accounts the user can access.\nOnly set when requested explicitly, i.e., via 'customer_listAccountsSigned'.", "nullable": true }, "customerId": { "type": "string", "description": "The customer ID of the user, i.e., the customer's organization ID.", "nullable": true }, "customerName": { "type": "string", "description": "A human readable name of the corresponding organization, if any.", "nullable": true } } }, { "type": "object", "required": [ "userId" ], "properties": { "userId": { "type": "string", "description": "This must match the `sub` claim of the customer proof of\nthe user or role session which created the transaction.", "nullable": true } } } ] }, "MmiRejectRequest": { "type": "object", "properties": { "reason": { "type": "string", "description": "Optional reason for rejecting.", "nullable": true } } }, "MmiStatus": { "type": "object", "required": [ "finished", "signed", "success", "displayText" ], "properties": { "displayText": { "type": "string", "description": "Short text to display to the user" }, "finished": { "type": "boolean", "description": 
"Whether the signed message has finished, e.g. it is completed, failed or cancelled" }, "reason": { "type": "string", "description": "The reason for the signed message status", "nullable": true }, "signed": { "type": "boolean", "description": "Whether the message was signed" }, "submitted": { "type": "boolean", "description": "Whether the transaction was submitted to the blockchain" }, "success": { "type": "boolean", "description": "Whether the transaction was successful, i.e. it was included in a block and not reverted" } } }, "MsgSignature": { "type": "object", "description": "Information about a signed message", "required": [ "signature" ], "properties": { "signature": { "type": "string", "description": "The signature" } } }, "MsgStatus": { "oneOf": [ { "type": "object", "required": [ "status" ], "properties": { "status": { "type": "string", "enum": [ "Pending" ] } } }, { "type": "object", "description": "The message has been signed, including the signature information.", "required": [ "sig", "status" ], "properties": { "sig": { "type": "object", "description": "Information about a signed message", "required": [ "signature" ], "properties": { "signature": { "type": "string", "description": "The signature" } } }, "status": { "type": "string", "enum": [ "Signed" ] } } }, { "type": "object", "description": "The message has been rejected, including the reason for the rejection.", "required": [ "reason", "status" ], "properties": { "reason": { "type": "string" }, "status": { "type": "string", "enum": [ "Rejected" ] } } } ], "description": "A struct representing the pending message status", "discriminator": { "propertyName": "status" } }, "Network": { "type": "string", "description": "Network name ('mainnet', 'holesky')", "enum": [ "mainnet", "holesky", "hoodi" ], "example": "holesky" }, "NewSessionResponse": { "type": "object", "description": "Information about a new session, returned from multiple endpoints (e.g., login, refresh, etc.).", "required": [ "token", 
"refresh_token", "session_info" ], "properties": { "expiration": { "type": "integer", "format": "int64", "description": "Session expiration (in seconds since UNIX epoch), beyond which it cannot be refreshed.", "example": 1701879640, "minimum": 0 }, "org_id": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true }, "refresh_token": { "type": "string", "description": "Token that can be used to refresh this session." }, "session_info": { "$ref": "#/components/schemas/ClientSessionInfo" }, "token": { "type": "string", "description": "New token to be used for authentication. Requests to signing endpoints\nshould include this value in the `Authorization` header." } } }, "NonceValue": { "type": "string", "format": "binary" }, "NotFoundErrorCode": { "type": "string", "enum": [ "UriSegmentMissing", "UriSegmentInvalid", "TotpNotConfigured", "FidoKeyNotFound", "FidoChallengeNotFound", "TotpChallengeNotFound", "UserExportRequestNotFound", "UserExportCiphertextNotFound", "OrgExportCiphertextNotFound", "UploadObjectNotFound", "PolicySecretNotFound", "TimestreamDisabled" ] }, "NotificationEndpoint": { "allOf": [ { "$ref": "#/components/schemas/NotificationEndpointSubscription" }, { "type": "object", "required": [ "status" ], "properties": { "status": { "$ref": "#/components/schemas/SubscriptionStatus" } } } ], "description": "The configuration and status of a notification endpoint" }, "NotificationEndpointConfiguration": { "type": "object", "description": "The configuration for an org event endpoint", "required": [ "url" ], "properties": { "filter": { "$ref": "#/components/schemas/OrgEventFilter" }, "url": { "type": "string", "description": "URL of the endpoint" } } }, "NotificationEndpointSubscription": { "type": "object", "description": "A notification endpoint subscription", "required": [ "arn", "config" ], "properties": { "arn": { "type": "string", "description": "The ARN of the subscription" }, "config": { "$ref": 
"#/components/schemas/NotificationEndpointConfiguration" } } }, "OidcClaims": { "allOf": [ { "$ref": "#/components/schemas/OidcUserInfo" }, { "$ref": "#/components/schemas/OidcIdentity" }, { "type": "object", "required": [ "aud" ], "properties": { "aud": { "type": "string", "description": "Audience(s) that this ID Token is intended for. It MUST contain the\nOAuth 2.0 client_id of the Relying Party as an audience value. It MAY\nalso contain identifiers for other audiences.\nThis value is opaque according to the OIDC spec, but for example Google\naudiences look like `1234987819200.apps.googleusercontent.com`", "example": "1234987819200.apps.googleusercontent.com" }, "cubesigner_scope_ceiling": { "type": "array", "items": { "$ref": "#/components/schemas/Scope" }, "description": "An optional restriction on the set of scopes allowed with this token", "nullable": true } } } ], "description": "Represents the data extracted from the OIDC token" }, "OidcIdentity": { "type": "object", "description": "Represents a globally unique OIDC-authorized user by expressing the full \"path\" to a user. That is:\n\n(iss) (sub)\nIssuer -> Subresource", "required": [ "iss", "sub" ], "properties": { "iss": { "type": "string", "description": "The root-level issuer who administrates this user. From the OIDC spec:\nIssuer Identifier for the Issuer of the response. The iss\nvalue is a case sensitive URL using the https scheme that contains\nscheme, host, and optionally, port number and path components and\nno query or fragment components.", "example": "https://accounts.google.com" }, "sub": { "type": "string", "description": "From the OIDC spec:\n\nA locally unique and never reassigned identifier within the Issuer for\nthe End-User, which is intended to be consumed by the Client, e.g.,\n24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed\n255 ASCII characters in length. 
The sub value is a case sensitive\nstring.", "example": "10769150350006150715113082367" } } }, "OidcIssuerInfo": { "type": "object", "description": "Information about an explicitly configured (allowlisted) OpenID provider for an org", "required": [ "issuer", "audiences", "users" ], "properties": { "audiences": { "type": "array", "items": { "type": "string" }, "description": "Intended audiences (client IDs)" }, "issuer": { "type": "string", "description": "Issuer URL" }, "nickname": { "type": "string", "description": "Optional issuer nickname", "nullable": true }, "users": { "type": "array", "items": { "$ref": "#/components/schemas/MemberRole" }, "description": "The user roles allowed to use this IDP", "uniqueItems": true } } }, "OidcLoginDimensions": { "type": "object", "required": [ "org_id", "issuer" ], "properties": { "issuer": { "type": "string", "description": "The OIDC issuer (provider)" }, "org_id": { "type": "string", "description": "All metrics must include 'org_id' as a dimension." 
} } }, "OidcLoginRequest": { "allOf": [ { "$ref": "#/components/schemas/ClientSessionMetadata" }, { "type": "object", "required": [ "scopes" ], "properties": { "purpose": { "type": "string", "description": "A human readable description of the purpose of the session", "nullable": true }, "scopes": { "type": "array", "items": { "$ref": "#/components/schemas/Scope" }, "description": "Controls what capabilities this session will have.", "example": [ "sign:*" ], "minItems": 1 }, "tokens": { "$ref": "#/components/schemas/RatchetConfig" } } } ], "description": "OIDC login request" }, "OidcUserInfo": { "type": "object", "properties": { "email": { "type": "string", "description": "The email associated with the user", "example": "user@email.com", "nullable": true }, "preferred_username": { "type": "string", "description": "The user name (if any) associated with the user", "example": "dril", "nullable": true } } }, "OperationKind": { "type": "string", "description": "All different kinds of sensitive operations", "enum": [ "AvaSign", "AvaChainTxSign", "BabylonCovSign", "BabylonRegistration", "BabylonStaking", "BlobSign", "BtcMessageSign", "BtcSign", "DiffieHellman", "PsbtSign", "TaprootSign", "Eip191Sign", "Eip712Sign", "EotsNonces", "EotsSign", "Eth1Sign", "Eth2Sign", "Eth2Stake", "Eth2Unstake", "SolanaSign", "SuiSign", "TendermintSign", "RoleUpdate" ] }, "OrgAlertsPrefs": { "type": "object", "properties": { "alert_recipients": { "type": "array", "items": { "$ref": "#/components/schemas/Id" }, "description": "Recipient users for org-level alerts", "nullable": true }, "subscribed_alerts": { "type": "array", "items": { "$ref": "#/components/schemas/AlertKind" }, "description": "Org-level alerts to send emails for", "nullable": true } } }, "OrgData": { "type": "object", "required": [ "org_id" ], "properties": { "org_id": { "type": "string", "description": "The id of the org", "example": "Org#123..." 
}, "org_name": { "type": "string", "description": "The human-readable name for the org", "example": "my_org_name", "nullable": true } } }, "OrgEventArgs": { "allOf": [ { "$ref": "#/components/schemas/OrgEventData" }, { "type": "object", "required": [ "triggered_by" ], "properties": { "triggered_by": { "type": "string", "description": "The identity that triggered the event" } } } ] }, "OrgEventData": { "oneOf": [ { "type": "object", "required": [ "billing_event", "org_event" ], "properties": { "billing_event": { "$ref": "#/components/schemas/BillingEvent" }, "key": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true }, "org_event": { "type": "string", "enum": [ "Billing" ] }, "role": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true }, "user": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true } } }, { "type": "object", "required": [ "operation", "method", "uri", "status", "duration_ms", "org_event" ], "properties": { "duration_ms": { "type": "integer", "description": "The duration of the request in milliseconds", "minimum": 0 }, "method": { "type": "string", "description": "The HTTP request method" }, "operation": { "$ref": "#/components/schemas/BillingEvent" }, "org_event": { "type": "string", "enum": [ "Response" ] }, "status": { "type": "integer", "format": "int32", "description": "The HTTP response status", "minimum": 0 }, "uri": { "type": "string", "description": "The HTTP request path + query parameters" } } }, { "type": "object", "required": [ "user_info", "membership", "scopes", "org_event" ], "properties": { "membership": { "$ref": "#/components/schemas/MemberRole" }, "org_event": { "type": "string", "enum": [ "OidcAuth" ] }, "purpose": { "type": "string", "nullable": true }, "scopes": { "type": "array", "items": { "$ref": "#/components/schemas/Scope" } }, "user_info": { "$ref": "#/components/schemas/OidcClaims" } } }, { "type": "object", "required": [ "operation", "key_type", "key_material_id", 
"org_event" ], "properties": { "key_material_id": { "type": "string", "description": "The material id (address) of the key used for signing" }, "key_type": { "$ref": "#/components/schemas/KeyType" }, "operation": { "$ref": "#/components/schemas/OperationKind" }, "org_event": { "type": "string", "enum": [ "Signed" ] } } }, { "type": "object", "required": [ "key_id", "chain_id", "prev_block_height", "prev_signing_hash", "req_block_height", "req_signing_hash", "org_event" ], "properties": { "chain_id": { "$ref": "#/components/schemas/Id" }, "key_id": { "$ref": "#/components/schemas/Id" }, "org_event": { "type": "string", "enum": [ "BabylonEotsConcurrentSigning" ] }, "prev_block_height": { "type": "integer", "format": "int64", "minimum": 0 }, "prev_signing_hash": { "type": "string" }, "req_block_height": { "type": "integer", "format": "int64", "minimum": 0 }, "req_signing_hash": { "type": "string" } } }, { "type": "object", "required": [ "key", "attestation", "org_event" ], "properties": { "attestation": { "type": "object", "required": [ "source_epoch", "target_epoch", "signing_root" ], "properties": { "signing_root": { "type": "string", "description": "The hash that was signed" }, "source_epoch": { "type": "integer", "format": "int64", "description": "The attestation.data.source.epoch of the signed attestation", "minimum": 0 }, "target_epoch": { "type": "integer", "format": "int64", "description": "The attestation.data.target.epoch of the signed attestation", "minimum": 0 } } }, "key": { "$ref": "#/components/schemas/Id" }, "material_id": { "type": "string", "nullable": true }, "org_event": { "type": "string", "enum": [ "Eth2ConcurrentAttestationSigning" ] } } }, { "type": "object", "required": [ "key", "block", "org_event" ], "properties": { "block": { "type": "object", "required": [ "slot", "signing_root" ], "properties": { "signing_root": { "type": "string", "description": "The hash that was signed" }, "slot": { "type": "integer", "format": "int64", "description": 
"The slot number of the block that was signed", "minimum": 0 } } }, "key": { "$ref": "#/components/schemas/Id" }, "material_id": { "type": "string", "nullable": true }, "org_event": { "type": "string", "enum": [ "Eth2ConcurrentBlockSigning" ] } } }, { "type": "object", "required": [ "slot", "signing_root", "last_slot", "last_signing_root", "enforced", "org_event" ], "properties": { "enforced": { "type": "boolean" }, "last_signing_root": { "type": "string" }, "last_slot": { "type": "integer", "format": "int64", "minimum": 0 }, "org_event": { "type": "string", "enum": [ "Eth2InvalidBlockProposerSlotTooLow" ] }, "signing_root": { "type": "string" }, "slot": { "type": "integer", "format": "int64", "minimum": 0 } } }, { "type": "object", "required": [ "source_epoch", "signing_root", "last_target_epoch", "last_signing_root", "enforced", "org_event" ], "properties": { "enforced": { "type": "boolean" }, "last_signing_root": { "type": "string" }, "last_target_epoch": { "type": "integer", "format": "int64", "minimum": 0 }, "org_event": { "type": "string", "enum": [ "Eth2InvalidAttestationSourceEpochTooLow" ] }, "signing_root": { "type": "string" }, "source_epoch": { "type": "integer", "format": "int64", "minimum": 0 } } }, { "type": "object", "required": [ "target_epoch", "signing_root", "last_target_epoch", "last_signing_root", "enforced", "org_event" ], "properties": { "enforced": { "type": "boolean" }, "last_signing_root": { "type": "string" }, "last_target_epoch": { "type": "integer", "format": "int64", "minimum": 0 }, "org_event": { "type": "string", "enum": [ "Eth2InvalidAttestationTargetEpochTooLow" ] }, "signing_root": { "type": "string" }, "target_epoch": { "type": "integer", "format": "int64", "minimum": 0 } } }, { "type": "object", "required": [ "key_id", "pubkey", "validator_index", "daily_unstake_count", "org_event" ], "properties": { "daily_unstake_count": { "type": "integer", "format": "int32", "minimum": 0 }, "key_id": { "$ref": "#/components/schemas/Id" }, 
"org_event": { "type": "string", "enum": [ "Eth2Unstake" ] }, "pubkey": { "type": "string" }, "validator_index": { "type": "integer", "format": "int64", "minimum": 0 } } }, { "type": "object", "required": [ "max", "date", "org_event" ], "properties": { "date": {}, "max": { "type": "integer", "format": "int32", "minimum": 0 }, "org_event": { "type": "string", "enum": [ "Eth2ExceededMaxUnstake" ] } } }, { "type": "object", "description": "Emitted when one or more keys are created/imported (in a single request)", "required": [ "key_type", "owner_id", "key_ids", "org_event" ], "properties": { "key_ids": { "type": "array", "items": { "type": "string" }, "description": "Key ids" }, "key_type": { "$ref": "#/components/schemas/KeyType" }, "org_event": { "type": "string", "enum": [ "KeyCreated" ] }, "owner_id": { "$ref": "#/components/schemas/Id" } } }, { "type": "object", "description": "Emitted when an MFA request is rejected", "required": [ "mfa_request", "rejected_by", "rejected_with_mfa_type", "org_event" ], "properties": { "mfa_request": { "$ref": "#/components/schemas/MfaRequestInfo" }, "org_event": { "type": "string", "enum": [ "MfaRejected" ] }, "rejected_by": { "$ref": "#/components/schemas/Id" }, "rejected_mfa_id": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true }, "rejected_with_mfa_type": { "$ref": "#/components/schemas/MfaType" } } }, { "type": "object", "description": "Emitted when the org policy is changed", "required": [ "changed_by", "new_policy", "org_event" ], "properties": { "changed_by": { "$ref": "#/components/schemas/Id" }, "new_policy": { "type": "array", "items": {}, "description": "The new policy" }, "org_event": { "type": "string", "enum": [ "PolicyChanged" ] } } }, { "type": "object", "required": [ "key_id", "chain_id", "last_state", "current_state", "org_event" ], "properties": { "chain_id": { "type": "string", "description": "Chain id" }, "current_state": { "description": "The state of the current request" }, "key_id": { 
"$ref": "#/components/schemas/Id" }, "last_state": { "description": "The state of the last signed message" }, "org_event": { "type": "string", "enum": [ "TendermintConcurrentSigning" ] } } }, { "type": "object", "required": [ "key_id", "valid_epoch", "org_event" ], "properties": { "key_id": { "$ref": "#/components/schemas/Id" }, "org_event": { "type": "string", "enum": [ "UserExportInit" ] }, "valid_epoch": { "$ref": "#/components/schemas/EpochDateTime" } } }, { "type": "object", "required": [ "key_id", "org_event" ], "properties": { "key_id": { "$ref": "#/components/schemas/Id" }, "org_event": { "type": "string", "enum": [ "UserExportComplete" ] } } }, { "type": "object", "required": [ "source", "policy", "policy_hash", "stdout", "stderr", "response", "org_event" ], "properties": { "error": { "type": "string", "description": "The error from the policy engine (when response is equal to 'Error')", "nullable": true }, "key_id": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true }, "org_event": { "type": "string", "enum": [ "WasmPolicyExecuted" ] }, "policy": { "type": "string", "description": "Policy name or id" }, "policy_hash": { "type": "string", "description": "Policy hash" }, "reason": { "type": "string", "description": "The reason for the denial (when response is equal to 'Deny')", "nullable": true }, "response": { "type": "string", "description": "Auto-generated discriminant enum variants", "enum": [ "Allow", "Deny", "Error" ] }, "source": { "type": "string", "description": "The source of a policy execution, i.e. 
the reason it was executed.", "enum": [ "SignRequest", "UserInvocation" ] }, "stderr": { "type": "string", "description": "Policy error output" }, "stdout": { "type": "string", "description": "Policy standard output" } } } ], "description": "Org-level events that we notify our customers about", "discriminator": { "propertyName": "org_event" } }, "OrgEventDiscriminants": { "type": "string", "description": "Auto-generated discriminant enum variants", "enum": [ "Billing", "Response", "OidcAuth", "Signed", "BabylonEotsConcurrentSigning", "Eth2ConcurrentAttestationSigning", "Eth2ConcurrentBlockSigning", "Eth2InvalidBlockProposerSlotTooLow", "Eth2InvalidAttestationSourceEpochTooLow", "Eth2InvalidAttestationTargetEpochTooLow", "Eth2Unstake", "Eth2ExceededMaxUnstake", "KeyCreated", "MfaRejected", "PolicyChanged", "TendermintConcurrentSigning", "UserExportInit", "UserExportComplete", "WasmPolicyExecuted" ] }, "OrgEventFilter": { "oneOf": [ { "type": "string", "description": "Do not filter any org events", "enum": [ "All" ] }, { "type": "object", "required": [ "AllExcept" ], "properties": { "AllExcept": { "type": "array", "items": { "$ref": "#/components/schemas/OrgEventDiscriminants" }, "description": "Accepts all org events other than the ones listed" } } }, { "type": "object", "required": [ "OneOf" ], "properties": { "OneOf": { "type": "array", "items": { "$ref": "#/components/schemas/OrgEventDiscriminants" }, "description": "Only accepts org events that are one of the listed events" } } } ], "description": "Filter for org events" }, "OrgExportResponse": { "type": "object", "description": "An org-export ciphertext retrieved via the org-export API.", "required": [ "ciphertext" ], "properties": { "ciphertext": { "type": "string", "description": "A base64-encoded export ciphertext." 
} } }, "OrgInfo": { "allOf": [ { "$ref": "#/components/schemas/MfaRequirements" }, { "type": "object", "required": [ "org_id", "access_model", "enabled", "last_unstake", "last_unstake_day_count", "kwk_id", "user_export_delay", "user_export_window", "totp_failure_limit" ], "properties": { "access_model": { "$ref": "#/components/schemas/AccessModel" }, "default_invite_kind": { "$ref": "#/components/schemas/InviteKind" }, "email_preferences": { "$ref": "#/components/schemas/EmailPreferences" }, "enabled": { "type": "boolean", "description": "When false, all cryptographic operations involving keys in this org are disabled." }, "historical_data_configuration": { "$ref": "#/components/schemas/HistoricalDataConfiguration" }, "idp_configuration": { "$ref": "#/components/schemas/IdpConfig" }, "key_import_key": { "type": "string", "description": "Deprecated: this field should be ignored.", "nullable": true }, "kwk_id": { "type": "string", "description": "The organization's universally unique key-wrapping-key identifier.\nThis value is required when setting up key export.", "example": "mrk-fce09525e81587d23520f11e07e2e9d9" }, "last_unstake": { "type": "string", "description": "Date/time (in UTC) when last 'unstake' was performed. Unix epoch if none.", "example": "TODO" }, "last_unstake_day_count": { "type": "integer", "format": "int32", "description": "How many 'unstake' calls happened on the day when `last_unstake` was performed.", "minimum": 0 }, "metrics_enabled": { "type": "boolean", "description": "Whether metrics are collected for this org" }, "name": { "type": "string", "description": "The human-readable name for the org", "example": "my_org_name", "nullable": true }, "notification_endpoints": { "type": "array", "items": { "$ref": "#/components/schemas/NotificationEndpoint" }, "description": "The organization's notification endpoints, which are HTTPS URLs that are notified about a\nconfigurable set of events in an organization. 
For each event, CubeSigner sends a POST\nrequest with a JSON-formatted body that contains the event details.", "example": [ { "arn": "arn:aws:sns:us-east-1:012345678901:OrgEventsTopic:12345678-0000-0000-0000-000000000001", "config": { "url": "https://example.com/endpoint1" }, "status": "Confirmed" }, { "arn": "arn:aws:sns:us-east-1:012345678901:OrgEventsTopic:12345678-0000-0000-0000-000000000002", "config": { "filter": { "OneOf": [ "Eth2ConcurrentAttestationSigning", "Eth2ConcurrentBlockSigning" ] }, "url": "https://example.com/endpoint2" }, "status": "Pending" } ] }, "org_id": { "type": "string", "description": "The ID of the organization", "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, "passkey_configuration": { "$ref": "#/components/schemas/PasskeyConfig" }, "policy": { "type": "array", "items": { "type": "object" }, "description": "Org-wide policies that are checked before a key is used for signing", "example": [ { "MaxDailyUnstake": 5 } ] }, "policy_engine_configuration": { "$ref": "#/components/schemas/PolicyEngineConfiguration" }, "totp_failure_limit": { "type": "integer", "format": "int32", "description": "The organization's currently configured TOTP failure limit, i.e., the number\nof times a user can provide an incorrect TOTP code before being rate limited.\nThis value can be between 1 and 5 (inclusive).", "minimum": 0 }, "user_export_delay": { "type": "integer", "format": "int64", "description": "The organization's currently configured user-export delay, i.e., the minimum\namount of time (in seconds) between when a user-export is initiated and when\nit may be completed. 
(This value is meaningless for organizations that use\norg-wide export.)", "minimum": 0 }, "user_export_disabled": { "type": "boolean", "description": "Whether user export is disabled" }, "user_export_window": { "type": "integer", "format": "int64", "description": "The organization's currently configured user-export window, i.e., the amount\nof time (in seconds) between when the user-export delay is completed and when\nthe user export request has expired and can no longer be completed. (This value\nis meaningless for organizations that use org-wide export.)", "minimum": 0 }, "webapp_enabled": { "type": "boolean", "description": "If set, the official webapp origin is automatically allowed" } } } ] }, "OrgMetric": { "oneOf": [ { "type": "object", "required": [ "BillingEvent" ], "properties": { "BillingEvent": { "$ref": "#/components/schemas/BillingDimensions" } } }, { "type": "object", "required": [ "OidcLoginEvent" ], "properties": { "OidcLoginEvent": { "$ref": "#/components/schemas/OidcLoginDimensions" } } }, { "type": "object", "required": [ "SignEvent" ], "properties": { "SignEvent": { "$ref": "#/components/schemas/SignDimensions" } } }, { "type": "object", "required": [ "UserCount" ], "properties": { "UserCount": { "$ref": "#/components/schemas/UserCountDimensions" } } }, { "type": "object", "required": [ "KeyCount" ], "properties": { "KeyCount": { "$ref": "#/components/schemas/KeyCountDimensions" } } } ], "description": "Supported org metrics." 
}, "OrgMetricData": { "type": "object", "required": [ "dimensions", "data" ], "properties": { "data": { "type": "object", "description": "The data points, one for each time period (time periods for which the value is 0 are omitted).", "additionalProperties": { "type": "number", "format": "double" } }, "dimensions": { "type": "object", "description": "The metric dimensions.", "additionalProperties": { "type": "string" } } } }, "OrgMetricDiscriminants": { "type": "string", "description": "Auto-generated discriminant enum variants", "enum": [ "BillingEvent", "OidcLoginEvent", "SignEvent", "UserCount", "KeyCount" ] }, "OrgMetricStat": { "type": "string", "description": "Available statistics to compute", "enum": [ "Sum", "Average" ] }, "OsInfo": { "type": "object", "description": "OS information set in [`ClientSessionMetadata`] and reflected in [`SessionMetadata`]", "properties": { "architecture": { "type": "string", "example": "arm64", "nullable": true }, "name": { "type": "string", "example": "Mac OS", "nullable": true }, "version": { "type": "string", "example": "14.5.0", "nullable": true }, "word_size": { "type": "string", "example": "64-bit", "nullable": true } } }, "Page": { "type": "object", "description": "The rocket query parameter representing the page from which to start a paginated query.\n\nMUST be named `` in rocket url spec so that 'serde(rename = \"page.*\")' below continues to work", "properties": { "page.size": { "type": "integer", "format": "int32", "description": "Max number of items to return per page.\n\nThe actual number of returned items may be less than this, even if there exist more\ndata in the result set. To reliably determine if more data is left in the result set,\ninspect the [UnencryptedLastEvalKey] value in the response object.", "minimum": 0 }, "page.start": { "type": "string", "description": "The start of the page. 
Omit to start from the beginning; otherwise, only specify\nthe exact value previously returned as 'last_evaluated_key' from the same endpoint.", "nullable": true } } }, "PaginatedGetUsersInOrgResponse": { "allOf": [ { "type": "object", "required": [ "users" ], "properties": { "users": { "type": "array", "items": { "$ref": "#/components/schemas/UserInOrgInfo" }, "description": "The list of users in the org" } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which the user can pass back to use as a url query parameter to continue pagination)." }, "PaginatedListContactsResponse": { "allOf": [ { "type": "object", "required": [ "contacts" ], "properties": { "contacts": { "type": "array", "items": { "$ref": "#/components/schemas/ContactInfoResponse" }, "description": "A list of contacts in the organization, matching any provided queries." } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which the user can pass back to use as a url query parameter to continue pagination)." 
}, "PaginatedListHistoricalTxResponse": { "allOf": [ { "type": "object", "required": [ "txs" ], "properties": { "txs": { "type": "array", "items": { "$ref": "#/components/schemas/HistoricalTx" }, "description": "Historical transactions signed with the requested key, sorted from most to least recent." } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." }, "PaginatedListKeyRolesResponse": { "allOf": [ { "type": "object", "required": [ "roles" ], "properties": { "roles": { "type": "array", "items": { "$ref": "#/components/schemas/KeyInRoleInfo" }, "description": "All roles the key is in" } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." 
}, "PaginatedListKeysResponse": { "allOf": [ { "type": "object", "required": [ "keys" ], "properties": { "keys": { "type": "array", "items": { "$ref": "#/components/schemas/KeyInfo" } } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which the user can pass back to use as a url query parameter to continue pagination)." }, "PaginatedListPoliciesResponse": { "allOf": [ { "type": "object", "description": "Response to a request for listing all of an Org's named policies.", "required": [ "policies" ], "properties": { "policies": { "type": "array", "items": { "$ref": "#/components/schemas/PolicyInfo" }, "description": "The Org's named policies." } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which the user can pass back to use as a url query parameter to continue pagination)." 
}, "PaginatedListRoleKeysResponse": { "allOf": [ { "type": "object", "required": [ "keys" ], "properties": { "keys": { "type": "array", "items": { "$ref": "#/components/schemas/KeyInRoleInfo" }, "description": "All keys in a role" } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." }, "PaginatedListRoleUsersResponse": { "allOf": [ { "type": "object", "required": [ "users" ], "properties": { "users": { "type": "array", "items": { "$ref": "#/components/schemas/UserInRoleInfo" }, "description": "All users in a role" } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." }, "PaginatedListRolesResponse": { "allOf": [ { "type": "object", "required": [ "roles" ], "properties": { "roles": { "type": "array", "items": { "$ref": "#/components/schemas/RoleInfo" }, "description": "All roles in an organization." 
} } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." }, "PaginatedPolicyLogsResponse": { "allOf": [ { "type": "object", "description": "A set of logs for a Wasm policy.", "required": [ "logs" ], "properties": { "logs": { "type": "array", "items": { "type": "object", "additionalProperties": { "type": "string" } }, "description": "The policy execution logs" } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." }, "PaginatedQueryMetricsResponse": { "allOf": [ { "type": "object", "description": "The metric data points.", "required": [ "results", "raw_data" ], "properties": { "messages": { "type": "array", "items": { "type": "string" }, "description": "Advisory messages (e.g., if max number of results is reached)." 
}, "period": { "type": "integer", "format": "int64", "description": "The period for which the statistic is computed, if any (not all metrics support splitting the requested time range into bins).\nIf set, equals to the value from the request rounded up to the closest multiple of 60.", "minimum": 0 }, "raw_data": { "type": "array", "items": { "type": "object", "additionalProperties": { "type": "string" } }, "description": "Some metrics can optionally return the raw data, when requested." }, "results": { "type": "array", "items": { "type": "object", "required": [ "dimensions", "data" ], "properties": { "data": { "type": "object", "description": "The data points, one for each time period (time periods for which the value is 0 are omitted).", "additionalProperties": { "type": "number", "format": "double" } }, "dimensions": { "type": "object", "description": "The metric dimensions.", "additionalProperties": { "type": "string" } } } }, "description": "Computed data points." }, "stat": { "allOf": [ { "$ref": "#/components/schemas/OrgMetricStat" } ], "nullable": true } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." 
}, "PaginatedSessionsResponse": { "allOf": [ { "type": "object", "description": "The response from any operation operating on multiple sessions", "required": [ "sessions" ], "properties": { "sessions": { "type": "array", "items": { "$ref": "#/components/schemas/SessionInfo" }, "description": "The list of sessions" } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." }, "PaginatedUserExportListResponse": { "allOf": [ { "type": "object", "description": "Response to a request to list outstanding user-export requests", "required": [ "export_requests" ], "properties": { "export_requests": { "type": "array", "items": { "$ref": "#/components/schemas/UserExportInitResponse" } } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." 
}, "PasskeyAssertAnswer": { "type": "object", "description": "Sent from the client to the server to answer a fido challenge", "required": [ "challenge_id", "credential" ], "properties": { "challenge_id": { "type": "string", "description": "The ID of the challenge that was returned from the POST endpoint" }, "credential": { "$ref": "#/components/schemas/PublicKeyCredential" } } }, "PasskeyAssertChallenge": { "allOf": [ { "allOf": [ { "$ref": "#/components/schemas/ChallengePieces" }, { "type": "object", "required": [ "options" ], "properties": { "options": { "$ref": "#/components/schemas/PublicKeyCredentialRequestOptions" } } } ], "description": "An extended form of `PublicKeyCredentialRequestOptions` that allows clients to derive the WebAuthn challenge\nfrom a structured preimage.\n\nThis ensures that the WebAuthn signature can only be used for a specific purpose" }, { "type": "object", "required": [ "challenge_id" ], "properties": { "challenge_id": { "type": "string", "description": "The id of the challenge. Must be supplied when answering the challenge." } } } ] }, "PasskeyConfig": { "type": "object", "description": "Org-level passkey configuration", "properties": { "users": { "type": "array", "items": { "$ref": "#/components/schemas/MemberRole" }, "description": "Enable passkey login for certain user roles (disabled for everyone by default)", "uniqueItems": true } } }, "PasswordResetConfirmRequest": { "type": "object", "required": [ "token", "new_password" ], "properties": { "new_password": { "type": "string", "description": "The new password to set." }, "token": { "type": "string", "description": "Invitation token, constructed by concatenating the \"partial token\"\n(i.e., `{header}.{payload}.`) returned by the `idp_password_reset_request` endpoint\nand the signature sent to the user's email." 
} } }, "PasswordResetRequest": { "type": "object", "description": "The request body for the idp password reset endpoint", "required": [ "email" ], "properties": { "email": { "type": "string", "description": "The email address of the user requesting to reset their password", "example": "alice@example.com" } } }, "PendingMessageInfo": { "allOf": [ { "type": "object", "description": "This is the payload we should post to MMI [webhook](https://docs.metamask-institutional.io/custodian-integration/integration-docs/transactions/webhooks/#webhook-specification)", "required": [ "metadata" ], "properties": { "metadata": { "$ref": "#/components/schemas/MmiMetadata" }, "signedMessage": { "allOf": [ { "$ref": "#/components/schemas/SignedMessage" } ], "nullable": true }, "transaction": { "allOf": [ { "$ref": "#/components/schemas/TransactionAndStatus" } ], "nullable": true } } }, { "type": "object", "required": [ "id", "identity", "expires_at", "created_at" ], "properties": { "created_at": { "$ref": "#/components/schemas/EpochDateTime" }, "expires_at": { "$ref": "#/components/schemas/EpochDateTime" }, "id": { "type": "string", "description": "The ID of the pending message" }, "identity": { "type": "string", "description": "The identity (a user or a role id) which created this message." }, "message_eip191": { "allOf": [ { "type": "object", "required": [ "address", "message" ], "properties": { "address": { "type": "string", "description": "From address, hex-encoded, with leading '0x'", "example": "0x0123456789012345678901234567890123456789", "pattern": "^0x[0-9a-fA-F]{40}$" }, "message": { "type": "string", "description": "Hex-encoded (including a '0x' prefix) message to sign." 
} } } ], "nullable": true }, "message_eip712": { "allOf": [ { "type": "object", "required": [ "address", "data", "version" ], "properties": { "address": { "type": "string", "description": "From address, hex-encoded, with leading '0x'", "example": "0x0123456789012345678901234567890123456789", "pattern": "^0x[0-9a-fA-F]{40}$" }, "data": { "$ref": "#/components/schemas/TypedData" }, "version": { "type": "string", "enum": [ "v3", "v4" ] } } } ], "nullable": true }, "message_tx": { "allOf": [ { "$ref": "#/components/schemas/TypedTransaction" } ], "nullable": true } } } ], "description": "Extended information about an existing MMI request." }, "PendingMessageSignResponse": { "allOf": [ { "allOf": [ { "type": "object", "description": "This is the payload we should post to MMI [webhook](https://docs.metamask-institutional.io/custodian-integration/integration-docs/transactions/webhooks/#webhook-specification)", "required": [ "metadata" ], "properties": { "metadata": { "$ref": "#/components/schemas/MmiMetadata" }, "signedMessage": { "allOf": [ { "$ref": "#/components/schemas/SignedMessage" } ], "nullable": true }, "transaction": { "allOf": [ { "$ref": "#/components/schemas/TransactionAndStatus" } ], "nullable": true } } }, { "type": "object", "required": [ "id", "identity", "expires_at", "created_at" ], "properties": { "created_at": { "$ref": "#/components/schemas/EpochDateTime" }, "expires_at": { "$ref": "#/components/schemas/EpochDateTime" }, "id": { "type": "string", "description": "The ID of the pending message" }, "identity": { "type": "string", "description": "The identity (a user or a role id) which created this message." 
}, "message_eip191": { "allOf": [ { "type": "object", "required": [ "address", "message" ], "properties": { "address": { "type": "string", "description": "From address, hex-encoded, with leading '0x'", "example": "0x0123456789012345678901234567890123456789", "pattern": "^0x[0-9a-fA-F]{40}$" }, "message": { "type": "string", "description": "Hex-encoded (including a '0x' prefix) message to sign." } } } ], "nullable": true }, "message_eip712": { "allOf": [ { "type": "object", "required": [ "address", "data", "version" ], "properties": { "address": { "type": "string", "description": "From address, hex-encoded, with leading '0x'", "example": "0x0123456789012345678901234567890123456789", "pattern": "^0x[0-9a-fA-F]{40}$" }, "data": { "$ref": "#/components/schemas/TypedData" }, "version": { "type": "string", "enum": [ "v3", "v4" ] } } } ], "nullable": true }, "message_tx": { "allOf": [ { "$ref": "#/components/schemas/TypedTransaction" } ], "nullable": true } } } ], "description": "Extended information about an existing MMI request." }, { "type": "object" } ], "description": "Extended information about an existing MMI message, including the signature." 
}, "PolicyAttachedToId": { "oneOf": [ { "type": "object", "required": [ "key_id", "role_id" ], "properties": { "key_id": { "type": "string", "description": "The id of the key in the role the policy should be attached to.", "example": "Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148" }, "role_id": { "type": "string", "description": "The id of the role the key is in.", "example": "Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b" } } }, { "type": "object", "required": [ "key_id" ], "properties": { "key_id": { "type": "string", "description": "The id of the key the policy should be attached to.", "example": "Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148" } } }, { "type": "object", "required": [ "role_id" ], "properties": { "role_id": { "type": "string", "description": "The id of the role the policy should be attached to.", "example": "Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b" } } } ], "description": "The id for attaching a named policy to a key, role, or key in role." }, "PolicyEngineConfiguration": { "type": "object", "description": "A struct containing Org-level configurations for the workings of the Policy Engine.", "required": [ "allowed_http_authorities" ], "properties": { "allowed_http_authorities": { "type": "array", "items": { "type": "string" }, "description": "Allowed domains for HTTP requests", "example": [ "cubist.dev:443" ] } } }, "PolicyErrorCode": { "oneOf": [ { "$ref": "#/components/schemas/PolicyErrorOwnCodes" }, { "$ref": "#/components/schemas/EvmTxDepositErrorCode" } ] }, "PolicyErrorOwnCodes": { "type": "string", "enum": [ "SuiTxReceiversDisallowedTransactionKind", "SuiTxReceiversDisallowedTransferAddress", "SuiTxReceiversDisallowedCommand", "BtcTxDisallowedOutputs", "BtcSignatureExceededValue", "BtcValueOverflow", "BtcSighashTypeDisallowed", "EvmTxReceiverMismatch", "EvmTxSenderMismatch", "EvmTxExceededValue", "EvmTxExceededGasCost", "EvmTxGasCostUndefined", "EvmDataDisallowed", "Erc20DataInvalid", "EvmContractAddressUndefined", 
"EvmContractChainIdUndefined", "EvmDataNotDefined", "EvmDataInvalid", "EvmContractNotInAllowlist", "Erc20ExceededTransferLimit", "Erc20ReceiverMismatch", "Erc20ExceededApproveLimit", "Erc20SpenderMismatch", "EvmFunctionNotInAllowlist", "EvmFunctionCallInvalid", "PolicyDisjunctionError", "PolicyNegationError", "Eth2ExceededMaxUnstake", "Eth2ConcurrentUnstaking", "NotInIpv4Allowlist", "NotInOriginAllowlist", "InvalidSourceIp", "RawSigningNotAllowed", "DiffieHellmanExchangeNotAllowed", "Eip712SigningNotAllowed", "OidcSourceNotAllowed", "NoOidcAuthSourcesDefined", "AddKeyToRoleDisallowed", "KeysAlreadyInRole", "KeyInMultipleRoles", "KeyAccessError", "RequireRoleSessionKeyAccessError", "BtcMessageSigningNotAllowed", "Eip191SigningNotAllowed", "TaprootSigningDisallowed", "SegwitSigningDisallowed", "PsbtSigningDisallowed", "BabylonStakingDisallowed", "TimeLocked", "BabylonStakingNetwork", "BabylonStakingParamsVersion", "BabylonStakingExplicitParams", "BabylonStakingStakerPk", "BabylonStakingFinalityProviderPk", "BabylonStakingLockTime", "BabylonStakingValue", "BabylonStakingChangeAddress", "BabylonStakingFee", "BabylonStakingWithdrawalAddress", "BabylonStakingBbnAddress", "SolanaInstructionCountLow", "SolanaInstructionCountHigh", "SolanaNotInInstructionAllowlist", "SolanaInstructionMismatch", "WasmPoliciesDisabled", "WasmPolicyDenied", "WasmPolicyFailed", "WebhookPoliciesDisabled", "DeniedByWebhook" ] }, "PolicyInfo": { "type": "object", "description": "A struct containing all the information about a specific version of a policy.", "required": [ "policy_id", "rules", "version", "name", "policy_type", "created", "owner", "attached_to" ], "properties": { "attached_to": { "type": "array", "items": { "$ref": "#/components/schemas/PolicyAttachedToId" }, "description": "A list of entities (keys, roles, etc.) the policy is attached to." 
}, "created": { "$ref": "#/components/schemas/EpochDateTime" }, "edit_policy": { "$ref": "#/components/schemas/EditPolicy" }, "metadata": { "description": "User-defined metadata for the named policy." }, "name": { "type": "string", "description": "The name of the policy." }, "owner": { "$ref": "#/components/schemas/Id" }, "policy_id": { "type": "string", "description": "The policy id" }, "policy_type": { "$ref": "#/components/schemas/PolicyType" }, "rules": { "type": "array", "items": {}, "description": "The policy rule." }, "version": { "type": "integer", "format": "int64", "description": "The policy rule's version.", "minimum": 0 } } }, "PolicyLogsRequest": { "type": "object", "description": "A request for querying Wasm policy logs.", "properties": { "end_time": { "type": "integer", "format": "int64", "description": "End time in seconds since unix epoch. If omitted, defaults to 'now'.", "nullable": true, "minimum": 0 }, "start_time": { "type": "integer", "format": "int64", "description": "Start time in seconds since unix epoch. If omitted, defaults to 24 hours ago.", "nullable": true, "minimum": 0 }, "version": { "type": "string", "description": "The version of the policy to get the logs for.\nIf omitted, all policy logs are retrieved.", "nullable": true } } }, "PolicyResultResponse": { "type": "object", "description": "PolicyResultResponse is a wrapper on PolicyResult with two important\nproperties:\n* derives OkToLogResponse, so that it can be used in the rocket handler.\n* derives ToSchema and ToResponse, with the `val` field with value_type\nObject, so that we don't have to provide all of the OpenAPI type\ndescriptions of a PolicyResult.\n\nThe PolicyResult includes enums and other standard types (e.g.\nstd::time::Interval) which are nontrivial to represent in OpenAPI. Since\nthis endpoint is just for testing, we don't really care about how accurate\nthe schema is, and can lean on serde_json when decoding this response to a\nPolicyResult in a client. 
Note that there is a bug in utoipa where the\nvalue_type annotation will not work for a tuple-struct, only a struct with\nfields.", "required": [ "val" ], "properties": { "val": { "type": "object" } } }, "PolicySecretsInfo": { "allOf": [ { "$ref": "#/components/schemas/CommonFields" }, { "type": "object", "required": [ "names" ], "properties": { "names": { "type": "array", "items": { "type": "string" }, "description": "The names of the secrets.", "uniqueItems": true } } } ], "description": "A struct containing all non-secret information about policy secrets." }, "PolicyType": { "type": "string", "description": "The type of a [NamedPolicy].\n\nThe type of a policy is set at creation time, and is used to offer guarantees\nabout the current and all future versions of a [NamedPolicy].", "enum": [ "Key", "Role", "Wasm" ] }, "PreconditionErrorCode": { "oneOf": [ { "$ref": "#/components/schemas/PreconditionErrorOwnCodes" }, { "$ref": "#/components/schemas/PolicyErrorCode" } ] }, "PreconditionErrorOwnCodes": { "type": "string", "enum": [ "KeyRegionLocked", "MfaRegionLocked", "Eth2ProposerSlotTooLow", "Eth2AttestationSourceEpochTooLow", "Eth2AttestationTargetEpochTooLow", "Eth2ConcurrentBlockSigning", "Eth2ConcurrentAttestationSigning", "Eth2MultiDepositToNonGeneratedKey", "Eth2MultiDepositUnknownInitialDeposit", "Eth2MultiDepositWithdrawalAddressMismatch", "ConcurrentSigningWhenTimeLimitPolicyIsDefined", "BabylonEotsConcurrentSigning", "TendermintStateError", "TendermintConcurrentSigning", "MfaApprovalsNotYetValid" ] }, "PrevOutputs": { "oneOf": [ { "type": "object", "required": [ "One" ], "properties": { "One": { "type": "object", "description": "`One` variant allows provision of the single previous output needed. It's useful,\nfor example, when modifier `SIGHASH_ANYONECANPAY` is provided, only previous output\nof the current input is needed. 
The first `index` argument is the input index\nthis output is referring to.", "required": [ "index", "tx_out" ], "properties": { "index": { "type": "integer", "minimum": 0 }, "tx_out": { "$ref": "#/components/schemas/BtcTxOut" } } } } }, { "type": "object", "required": [ "All" ], "properties": { "All": { "type": "array", "items": { "$ref": "#/components/schemas/BtcTxOut" }, "description": "When `SIGHASH_ANYONECANPAY` is not provided, or when the caller is giving all\nprevious outputs so the same variable can be used for multiple inputs." } } } ], "description": "Contains outputs of previous transactions." }, "PsbtSignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "psbt" ], "properties": { "psbt": { "type": "string", "description": "A hex-serialized PSBT (version 0), with or without leading 0x prefix.\nThis PSBT must contain the transaction inputs and outputs, plus all\ninformation needed to sign (e.g., taproot path and leaf information)." }, "sign_all_scripts": { "type": "boolean", "description": "When true, unconditionally sign every input to the PSBT controlled by a script\nspend. Otherwise (false, the default), this endpoint uses a heuristic to decide\nwhether the script controlling a given UTXO requires a signature from this key." } } } ], "description": "A request to sign a PSBT" }, "PsbtSignResponse": { "type": "object", "description": "Response to a PSBT signing request", "required": [ "psbt" ], "properties": { "psbt": { "type": "string", "description": "The PSBT in standard hex serialization, without leading \"0x\".", "example": "70736274ff01005e..." 
} } }, "PublicKeyCredential": { "type": "object", "description": "This type represents a wire-encodable form of the PublicKeyCredential interface\nClients may need to manually encode into this format to communicate with the server\n\nThe PublicKeyCredential interface inherits from Credential\n[CREDENTIAL-MANAGEMENT-1], and contains the attributes that are returned to\nthe caller when a new credential is created, or a new assertion is\nrequested.\n\nhttps://www.w3.org/TR/webauthn-2/#iface-pkcredential", "required": [ "id", "response" ], "properties": { "clientExtensionResults": { "type": "object", "description": "This internal slot contains the results of processing client extensions\nrequested by the Relying Party upon the Relying Party's invocation of\neither navigator.credentials.create() or navigator.credentials.get().\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredential-clientextensionsresults-slot\n\nIMPLEMENTATION NOTE: The type for this field comes from the type of getClientExtensionResults() which has the following doc:\n\nThis operation returns the value of [[clientExtensionsResults]], which is a map containing extension identifier → client extension output entries produced by the extension’s client extension processing.\nhttps://www.w3.org/TR/webauthn-2/#ref-for-dom-publickeycredential-getclientextensionresults\n\n", "nullable": true }, "id": { "type": "string", "description": "This internal slot contains the credential ID, chosen by the\nauthenticator. 
The credential ID is used to look up credentials for use,\nand is therefore expected to be globally unique with high probability\nacross all credentials of the same type, across all authenticators.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredential-identifier-slot" }, "response": { "oneOf": [ { "$ref": "#/components/schemas/AuthenticatorAttestationResponse" }, { "$ref": "#/components/schemas/AuthenticatorAssertionResponse" } ], "description": "Authenticators respond to Relying Party requests by returning an object derived from the AuthenticatorResponse interface" } } }, "PublicKeyCredentialCreationOptions": { "type": "object", "description": "Defines the parameters for the creation of a new public key credential\n\nhttps://www.w3.org/TR/webauthn-2/#dictdef-publickeycredentialcreationoptions", "required": [ "rp", "user", "challenge", "pubKeyCredParams" ], "properties": { "attestation": { "$ref": "#/components/schemas/AttestationConveyancePreference" }, "authenticatorSelection": { "allOf": [ { "$ref": "#/components/schemas/AuthenticatorSelectionCriteria" } ], "nullable": true }, "challenge": { "type": "string", "description": "This member contains a challenge intended to be used for generating the\nnewly created credential’s attestation object. See the § 13.4.3\nCryptographic Challenges security consideration.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-challenge" }, "excludeCredentials": { "type": "array", "items": { "$ref": "#/components/schemas/PublicKeyCredentialDescriptor" }, "description": "This member is intended for use by Relying Parties that wish to limit\nthe creation of multiple credentials for the same account on a single\nauthenticator. 
The client is requested to return an error if the new\ncredential would be created on an authenticator that also contains one\nof the credentials enumerated in this parameter.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials" }, "extensions": { "type": "object", "description": "This member contains additional parameters requesting additional\nprocessing by the client and authenticator. For example, the caller may\nrequest that only authenticators with certain capabilities be used to\ncreate the credential, or that particular information be returned in the\nattestation object. Some extensions are defined in § 9 WebAuthn\nExtensions; consult the IANA \"WebAuthn Extension Identifiers\" registry\n[IANA-WebAuthn-Registries] established by [RFC8809] for an up-to-date\nlist of registered WebAuthn Extensions.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-extensions", "nullable": true }, "pubKeyCredParams": { "type": "array", "items": { "$ref": "#/components/schemas/PublicKeyCredentialParameters" }, "description": "This member contains information about the desired properties of the\ncredential to be created. The sequence is ordered from most preferred to\nleast preferred. The client makes a best-effort to create the most\npreferred credential that it can.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-pubkeycredparams" }, "rp": { "$ref": "#/components/schemas/PublicKeyCredentialRpEntity" }, "timeout": { "type": "integer", "format": "int32", "description": "This member specifies a time, in milliseconds, that the caller is\nwilling to wait for the call to complete. 
This is treated as a hint, and\nMAY be overridden by the client.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-timeout", "nullable": true, "minimum": 0 }, "user": { "$ref": "#/components/schemas/PublicKeyCredentialUserEntity" } } }, "PublicKeyCredentialDescriptor": { "type": "object", "description": "This dictionary contains the attributes that are specified by a caller when\nreferring to a public key credential as an input parameter to the create()\nor get() methods. It mirrors the fields of the PublicKeyCredential object\nreturned by the latter methods.\n\nhttps://www.w3.org/TR/webauthn-2/#dictionary-credential-descriptor", "required": [ "type", "id" ], "properties": { "id": { "type": "string", "description": "This member contains the credential ID of the public key credential the caller is referring to.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialdescriptor-id" }, "transports": { "type": "array", "items": { "$ref": "#/components/schemas/AuthenticatorTransport" }, "description": "This OPTIONAL member contains a hint as to how the client might\ncommunicate with the managing authenticator of the public key credential\nthe caller is referring to. The values SHOULD be members of\nAuthenticatorTransport but client platforms MUST ignore unknown values.\n\nThe getTransports() operation can provide suitable values for this\nmember. When registering a new credential, the Relying Party SHOULD\nstore the value returned from getTransports(). 
When creating a\nPublicKeyCredentialDescriptor for that credential, the Relying Party\nSHOULD retrieve that stored value and set it as the value of the\ntransports member.", "nullable": true }, "type": { "$ref": "#/components/schemas/PublicKeyCredentialType" } } }, "PublicKeyCredentialParameters": { "type": "object", "description": "This dictionary is used to supply additional parameters when creating a new\ncredential.\n\nhttps://www.w3.org/TR/webauthn-2/#dictionary-credential-params", "required": [ "type", "alg" ], "properties": { "alg": { "type": "integer", "format": "int64", "description": "This member specifies the cryptographic signature algorithm with which\nthe newly generated credential will be used, and thus also the type of\nasymmetric key pair to be generated, e.g., RSA or Elliptic Curve." }, "type": { "$ref": "#/components/schemas/PublicKeyCredentialType" } } }, "PublicKeyCredentialRequestOptions": { "type": "object", "description": "The `PublicKeyCredentialRequestOptions` dictionary supplies get() with the\ndata it needs to generate an assertion. 
Its challenge member MUST be\npresent, while its other members are OPTIONAL.\n\nThis struct is also used as part of the verification procedure for assertions", "required": [ "challenge" ], "properties": { "allowCredentials": { "type": "array", "items": { "$ref": "#/components/schemas/PublicKeyCredentialDescriptor" }, "description": "This OPTIONAL member contains a list of PublicKeyCredentialDescriptor\nobjects representing public key credentials acceptable to the caller, in\ndescending order of the caller’s preference (the first item in the list\nis the most preferred credential, and so on down the list).\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-allowcredentials" }, "challenge": { "type": "string", "description": "This member represents a challenge that the selected authenticator\nsigns, along with other data, when producing an authentication\nassertion.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-challenge" }, "extensions": { "type": "object", "nullable": true }, "rpId": { "type": "string", "description": "This OPTIONAL member specifies the relying party identifier claimed by\nthe caller. If omitted, its value will be the CredentialsContainer\nobject’s relevant settings object's origin's effective domain.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-rpid", "nullable": true }, "timeout": { "type": "integer", "format": "int32", "description": "This OPTIONAL member specifies a time, in milliseconds, that the caller\nis willing to wait for the call to complete. 
The value is treated as a\nhint, and MAY be overridden by the client.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-timeout", "nullable": true, "minimum": 0 }, "userVerification": { "$ref": "#/components/schemas/UserVerificationRequirement" } } }, "PublicKeyCredentialRpEntity": { "type": "object", "description": "The PublicKeyCredentialRpEntity dictionary is used to supply additional\nRelying Party attributes when creating a new credential.\n\nhttps://www.w3.org/TR/webauthn-2/#dictionary-rp-credential-params", "required": [ "name" ], "properties": { "id": { "type": "string", "description": "A unique identifier for the Relying Party entity, which sets the RP ID.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrpentity-id", "nullable": true }, "name": { "type": "string", "description": "A human-palatable name for the entity. Its function depends on what the\nPublicKeyCredentialEntity represents: When inherited by\nPublicKeyCredentialRpEntity it is a human-palatable identifier for the\nRelying Party, intended only for display. For example, \"ACME\nCorporation\", \"Wonderful Widgets, Inc.\" or \"ОАО Примертех\".\n\nRelying Parties SHOULD perform enforcement, as prescribed in Section 2.3\nof [RFC8266] for the Nickname Profile of the PRECIS FreeformClass\n[RFC8264], when setting name's value, or displaying the value to the\nuser.\n\nThis string MAY contain language and direction metadata. Relying Parties\nSHOULD consider providing this information. See § 6.4.2 Language and\nDirection Encoding about how this metadata is encoded." } } }, "PublicKeyCredentialType": { "type": "string", "description": "This enumeration defines the valid credential types. It is an extension\npoint; values can be added to it in the future, as more credential types are\ndefined. The values of this enumeration are used for versioning the\nAuthentication Assertion and attestation structures according to the type of\nthe authenticator. 
Currently one credential type is defined, namely\n\"public-key\".\n\nhttps://www.w3.org/TR/webauthn-2/#enumdef-publickeycredentialtype", "enum": [ "public-key" ] }, "PublicKeyCredentialUserEntity": { "type": "object", "description": "The PublicKeyCredentialUserEntity dictionary is used to supply additional\nuser account attributes when creating a new credential.", "required": [ "id", "displayName", "name" ], "properties": { "displayName": { "type": "string", "description": "A human-palatable name for the user account, intended only for display.\nFor example, \"Alex Müller\" or \"田中倫\". The Relying Party SHOULD let the\nuser choose this, and SHOULD NOT restrict the choice more than\nnecessary.\n\nRelying Parties SHOULD perform enforcement, as prescribed in Section 2.3\nof [RFC8266] for the Nickname Profile of the PRECIS FreeformClass\n[RFC8264], when setting displayName's value, or displaying the value to\nthe user.\n\nThis string MAY contain language and direction metadata. Relying Parties\nSHOULD consider providing this information. See § 6.4.2 Language and\nDirection Encoding about how this metadata is encoded.\n\nClients SHOULD perform enforcement, as prescribed in Section 2.3 of\n[RFC8266] for the Nickname Profile of the PRECIS FreeformClass\n[RFC8264], on displayName's value prior to displaying the value to the\nuser or including the value as a parameter of the\nauthenticatorMakeCredential operation.\n\nWhen clients, client platforms, or authenticators display a\ndisplayName's value, they should always use UI elements to provide a\nclear boundary around the displayed value, and not allow overflow into\nother elements [css-overflow-3].\n\nAuthenticators MUST accept and store a 64-byte minimum length for a\ndisplayName member’s value. Authenticators MAY truncate a displayName\nmember’s value so that it fits within 64 bytes. 
See § 6.4.1 String\nTruncation about truncation and other considerations.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-displayname" }, "id": { "type": "string", "description": "The user handle of the user account entity. A user handle is an opaque\nbyte sequence with a maximum size of 64 bytes, and is not meant to be\ndisplayed to the user.\n\nTo ensure secure operation, authentication and authorization decisions\nMUST be made on the basis of this id member, not the displayName nor\nname members. See Section 6.1 of [RFC8266].\n\nThe user handle MUST NOT contain personally identifying information\nabout the user, such as a username or e-mail address; see § 14.6.1 User\nHandle Contents for details. The user handle MUST NOT be empty, though\nit MAY be null.\n\nNote: the user handle ought not be a constant value across different\naccounts, even for non-discoverable credentials, because some\nauthenticators always create discoverable credentials. Thus a constant\nuser handle would prevent a user from using such an authenticator with\nmore than one account at the Relying Party.\n\nhttps://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-id" }, "name": { "type": "string", "description": "When inherited by PublicKeyCredentialUserEntity, it is a human-palatable\nidentifier for a user account. It is intended only for display, i.e.,\naiding the user in determining the difference between user accounts with\nsimilar displayNames. For example, \"alexm\", \"alex.mueller@example.com\"\nor \"+14255551234\".\n\nThe Relying Party MAY let the user choose this value. The Relying Party\nSHOULD perform enforcement, as prescribed in Section 3.4.3 of [RFC8265]\nfor the UsernameCasePreserved Profile of the PRECIS IdentifierClass\n[RFC8264], when setting name's value, or displaying the value to the\nuser.\n\nThis string MAY contain language and direction metadata. Relying Parties\nSHOULD consider providing this information. 
See § 6.4.2 Language and\nDirection Encoding about how this metadata is encoded.\n\nClients SHOULD perform enforcement, as prescribed in Section 3.4.3 of [RFC8265] for the UsernameCasePreserved Profile of the PRECIS IdentifierClass [RFC8264], on name's value prior to displaying the value to the user or including the value as a parameter of the authenticatorMakeCredential operation." } } }, "PublicOrgInfo": { "type": "object", "description": "Public information about an organization.", "required": [ "org_id", "passkey_login_enabled", "oidc_issuers" ], "properties": { "oidc_issuers": { "type": "array", "items": { "type": "object", "description": "Information about an explicitly configured (allowlisted) OpenID provider for an org", "required": [ "issuer", "audiences", "users" ], "properties": { "audiences": { "type": "array", "items": { "type": "string" }, "description": "Intended audiences (client IDs)" }, "issuer": { "type": "string", "description": "Issuer URL" }, "nickname": { "type": "string", "description": "Optional issuer nickname", "nullable": true }, "users": { "type": "array", "items": { "$ref": "#/components/schemas/MemberRole" }, "description": "The user roles allowed to use this IDP", "uniqueItems": true } } }, "description": "Explicitly configured (allowlisted) OpenID providers for an org" }, "org_id": { "type": "string", "description": "Org identifier", "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, "passkey_login_enabled": { "type": "boolean", "description": "Whether logging in with just a passkey is allowed" } } }, "Purpose": { "type": "string", "enum": [ "otp", "mfa_reset", "otp_mfa", "alien_password_reset", "alien_invite" ] }, "QueryMetricsRequest": { "allOf": [ { "type": "object", "description": "The request type for querying metrics.", "required": [ "start_time" ], "properties": { "end_time": { "type": "integer", "format": "int64", "description": "End time in seconds since unix epoch. 
If omitted, defaults to 'now'.", "nullable": true, "minimum": 0 }, "period": { "type": "integer", "format": "int64", "description": "The granularity, in seconds, of the returned data points.\n\nThis value is automatically rounded up to a multiple of 3600 (i.e., 1 hour).\nIf omitted, defaults to the duration between `end_time` and `start_time`.\nMust be no less than 1 hour (3600 seconds) for \"event\" metrics, and 1 day\n(86400 seconds) for \"count\" metrics. Also, this period must not\ndivide the `end_time - start_time` period into more than 100 data points.", "nullable": true, "minimum": 3600 }, "raw_data": { "type": "boolean", "description": "Return the raw data instead of computing the metric values\n(not supported by all metrics)." }, "start_time": { "type": "integer", "format": "int64", "description": "Start time in seconds since unix epoch.", "minimum": 0 } } }, { "type": "object", "required": [ "metric_name" ], "properties": { "metric_name": { "$ref": "#/components/schemas/MetricName" } } } ], "description": "The request type for querying metrics." }, "QueryMetricsResponse": { "type": "object", "description": "The metric data points.", "required": [ "results", "raw_data" ], "properties": { "messages": { "type": "array", "items": { "type": "string" }, "description": "Advisory messages (e.g., if max number of results is reached)." }, "period": { "type": "integer", "format": "int64", "description": "The period for which the statistic is computed, if any (not all metrics support splitting the requested time range into bins).\nIf set, it equals the value from the request rounded up to the closest multiple of 60.", "minimum": 0 }, "raw_data": { "type": "array", "items": { "type": "object", "additionalProperties": { "type": "string" } }, "description": "Some metrics can optionally return the raw data, when requested."
}, "results": { "type": "array", "items": { "type": "object", "required": [ "dimensions", "data" ], "properties": { "data": { "type": "object", "description": "The data points, one for each time period (time periods for which the value is 0 are omitted).", "additionalProperties": { "type": "number", "format": "double" } }, "dimensions": { "type": "object", "description": "The metric dimensions.", "additionalProperties": { "type": "string" } } } }, "description": "Computed data points." }, "stat": { "allOf": [ { "$ref": "#/components/schemas/OrgMetricStat" } ], "nullable": true } } }, "RatchetConfig": { "type": "object", "properties": { "auth_lifetime": { "type": "integer", "format": "int64", "description": "The lifetime (in seconds) of auth tokens for this session.\nAuth tokens can be refreshed (renewed) using a valid (unexpired)\nrefresh token, but not beyond the session lifetime.", "default": 300, "example": 3600, "minimum": 0 }, "grace_lifetime": { "type": "integer", "format": "int64", "description": "The amount of time (in seconds) that an auth token for this session remains\nvalid after it has been refreshed and a new auth token has been issued. 
This\nhelps to address concurrency hazards, for example, if one thread makes requests\nwith an auth token while another refreshes it.", "default": 30, "example": 30, "minimum": 0 }, "refresh_lifetime": { "type": "integer", "format": "int64", "description": "The lifetime (in seconds) of refresh tokens for this session.\nIf this value is shorter than the session lifetime, inactive sessions\nwill become invalid once the auth and refresh tokens have both expired.", "default": 86400, "example": 43200, "minimum": 0 }, "session_lifetime": { "type": "integer", "format": "int64", "description": "The lifetime (in seconds) of the session.\nThe session cannot be extended beyond its original lifetime.", "default": 31536000, "example": 86400, "minimum": 0 } } }, "Receipt": { "type": "object", "description": "Receipt that an MFA request was approved.", "required": [ "confirmation", "final_approver", "timestamp" ], "properties": { "confirmation": { "type": "string", "description": "Confirmation code the user needs to present when resuming the original request.", "example": "ba1d75dd-d999-4c1b-944d-25c25440c8af" }, "final_approver": { "type": "string", "description": "The ID of the logged-in user whose action created this approval." }, "timestamp": { "$ref": "#/components/schemas/EpochDateTime" } } }, "RefreshGrantType": { "type": "string", "enum": [ "refresh_token" ] }, "Request": { "type": "object", "description": "JSON-RPC request object", "required": [ "jsonrpc", "method" ], "properties": { "id": { "description": "Request ID", "nullable": true }, "jsonrpc": { "type": "string", "description": "JSON-RPC version." }, "method": { "type": "string", "description": "Name of the method to be invoked."
}, "params": { "description": "Parameter values of the request.", "nullable": true } } }, "RequestOptionsWithHash": { "allOf": [ { "$ref": "#/components/schemas/ChallengePieces" }, { "type": "object", "required": [ "options" ], "properties": { "options": { "$ref": "#/components/schemas/PublicKeyCredentialRequestOptions" } } } ], "description": "An extended form of `PublicKeyCredentialRequestOptions` that allows clients to derive the WebAuthn challenge\nfrom a structured preimage.\n\nThis ensures that the WebAuthn signature can only be used for a specific purpose." }, "ResidentKeyRequirement": { "type": "string", "description": "This enumeration’s values describe the Relying Party's requirements for\nclient-side discoverable credentials (formerly known as resident credentials\nor resident keys):\n\nhttps://www.w3.org/TR/webauthn-2/#enumdef-residentkeyrequirement", "enum": [ "discouraged", "preferred", "required" ] }, "Response": { "type": "object", "description": "JSON-RPC response object", "required": [ "jsonrpc" ], "properties": { "error": { "allOf": [ { "$ref": "#/components/schemas/ErrorObj" } ], "nullable": true }, "id": { "description": "ID from the corresponding request", "nullable": true }, "jsonrpc": { "type": "string", "description": "Constant \"2.0\"" }, "result": { "type": "object", "description": "Result, if success", "nullable": true } } }, "RestrictedActionsMap": { "type": "object", "description": "A map of actions to sets of membership roles", "additionalProperties": { "type": "array", "items": { "$ref": "#/components/schemas/MemberRole" }, "uniqueItems": true } }, "RoleAction": { "type": "string", "description": "List of role actions that can be restricted to a set of member roles", "enum": [ "CreateToken", "GetKey" ] }, "RoleInfo": { "allOf": [ { "$ref": "#/components/schemas/CommonFields" }, { "type": "object", "required": [ "role_id", "enabled", "restricted_actions", "member" ], "properties": { "enabled": { "type": "boolean", "description":
"Whether the role is enabled", "example": "true" }, "keys": { "type": "array", "items": { "$ref": "#/components/schemas/KeyInRoleInfo" }, "description": "Deprecated. The CubeSigner IDs of at most 100 keys associated with this role", "nullable": true }, "member": { "type": "boolean", "description": "Whether the current user is a member of the role. This is always true,\nexcept for owners who can see roles they are not members of." }, "name": { "type": "string", "description": "The human-readable name for the role (must be alphanumeric)", "example": "my_role", "nullable": true }, "policy": { "type": "array", "items": { "type": "object" }, "description": "Policy that is checked whenever a key is accessed for signing via this role.", "example": [ { "SourceIpAllowlist": [ "123.456.78.9/16" ] }, { "RequireMfa": { "count": 1 } } ] }, "restricted_actions": { "$ref": "#/components/schemas/RestrictedActionsMap" }, "role_id": { "type": "string", "description": "The ID of the role", "example": "Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b" }, "users": { "type": "array", "items": { "type": "string" }, "description": "Deprecated. 
The list of at most 100 users with access to the role.", "nullable": true } } } ] }, "Scope": { "oneOf": [ { "type": "string", "title": "ExplicitScopes", "description": "Explicitly named scopes for accessing CubeSigner APIs", "enum": [ "sign:*", "sign:ava", "sign:blob", "sign:diffieHellman", "sign:btc:*", "sign:btc:segwit", "sign:btc:taproot", "sign:btc:psbt:*", "sign:btc:psbt:doge", "sign:btc:psbt:legacy", "sign:btc:psbt:segwit", "sign:btc:psbt:taproot", "sign:btc:psbt:ltcSegwit", "sign:btc:message:*", "sign:btc:message:segwit", "sign:btc:message:legacy", "sign:babylon:*", "sign:babylon:eots:*", "sign:babylon:eots:nonces", "sign:babylon:eots:sign", "sign:babylon:staking:*", "sign:babylon:staking:deposit", "sign:babylon:staking:unbond", "sign:babylon:staking:withdraw", "sign:babylon:staking:slash", "sign:babylon:registration", "sign:babylon:covenant", "sign:evm:*", "sign:evm:tx", "sign:evm:eip191", "sign:evm:eip712", "sign:eth2:*", "sign:eth2:validate", "sign:eth2:stake", "sign:eth2:unstake", "sign:solana", "sign:sui", "sign:tendermint", "sign:mmi", "manage:*", "manage:readonly", "manage:email", "manage:mfa:*", "manage:mfa:readonly", "manage:mfa:list", "manage:mfa:vote:*", "manage:mfa:vote:cs", "manage:mfa:vote:email", "manage:mfa:vote:fido", "manage:mfa:vote:totp", "manage:mfa:register:*", "manage:mfa:register:fido", "manage:mfa:register:totp", "manage:mfa:register:email", "manage:mfa:unregister:*", "manage:mfa:unregister:fido", "manage:mfa:unregister:totp", "manage:mfa:verify:*", "manage:mfa:verify:totp", "manage:key:*", "manage:key:readonly", "manage:key:get", "manage:key:listRoles", "manage:key:list", "manage:key:history:tx:list", "manage:key:create", "manage:key:import", "manage:key:update:*", "manage:key:update:owner", "manage:key:update:policy", "manage:key:update:enabled", "manage:key:update:metadata", "manage:key:update:editPolicy", "manage:key:delete", "manage:policy:*", "manage:policy:create", "manage:policy:get", "manage:policy:list", 
"manage:policy:delete", "manage:policy:update:*", "manage:policy:update:owner", "manage:policy:update:name", "manage:policy:update:editPolicy", "manage:policy:update:metadata", "manage:policy:update:rule", "manage:policy:invoke", "manage:policy:wasm:*", "manage:policy:wasm:upload", "manage:policy:secrets:*", "manage:policy:secrets:get", "manage:policy:secrets:update:*", "manage:policy:secrets:update:values", "manage:policy:secrets:update:editPolicy", "manage:contact:*", "manage:contact:create", "manage:contact:get", "manage:contact:list", "manage:contact:delete", "manage:contact:update:*", "manage:contact:update:name", "manage:contact:update:addresses", "manage:contact:update:owner", "manage:contact:update:metadata", "manage:contact:update:editPolicy", "manage:contact:lookup:*", "manage:contact:lookup:address", "manage:policy:createImportKey", "manage:role:*", "manage:role:readonly", "manage:role:create", "manage:role:delete", "manage:role:get:*", "manage:role:get:keys", "manage:role:get:keys:list", "manage:role:get:keys:get", "manage:role:get:users", "manage:role:list", "manage:role:update:*", "manage:role:update:enabled", "manage:role:update:policy", "manage:role:update:editPolicy", "manage:role:update:key:*", "manage:role:update:key:add", "manage:role:update:key:remove", "manage:role:update:user:*", "manage:role:update:user:add", "manage:role:update:user:remove", "manage:role:history:tx:list", "manage:identity:*", "manage:identity:verify", "manage:identity:add", "manage:identity:remove", "manage:identity:list", "manage:org:*", "manage:org:create", "manage:org:metrics:query", "manage:org:readonly", "manage:org:addUser", "manage:org:inviteUser", "manage:org:inviteAlien", "manage:org:updateMembership", "manage:org:listUsers", "manage:org:user:get", "manage:org:deleteUser", "manage:org:get", "manage:org:user:resetMfa", "manage:session:*", "manage:session:readonly", "manage:session:get", "manage:session:list", "manage:session:create", "manage:session:extend", 
"manage:session:revoke", "manage:export:*", "manage:export:org:*", "manage:export:org:get", "manage:export:user:*", "manage:export:user:delete", "manage:export:user:list", "manage:authMigration", "manage:authMigration:identity:add", "manage:authMigration:identity:remove", "manage:authMigration:user:update", "manage:mmi:*", "manage:mmi:readonly", "manage:mmi:get", "manage:mmi:list", "manage:mmi:reject", "manage:mmi:delete", "export:*", "export:user:*", "export:user:init", "export:user:complete", "mmi:*", "orgAccess:*", "orgAccess:child:*" ] }, { "type": "string", "title": "OtherScopes", "description": "Scopes including wildcard fragments for accessing CubeSigner APIs", "pattern": "^(orgAccess:child)(:[^:]+)?$" } ], "description": "All scopes for accessing CubeSigner APIs" }, "ScopeSet": { "oneOf": [ { "type": "string", "description": "All scopes", "enum": [ "All" ] }, { "type": "object", "required": [ "AllExcept" ], "properties": { "AllExcept": { "type": "array", "items": { "$ref": "#/components/schemas/Scope" }, "description": "All scopes except these (including those transitively implied)." } } }, { "type": "object", "required": [ "AllOf" ], "properties": { "AllOf": { "type": "array", "items": { "$ref": "#/components/schemas/Scope" }, "description": "All of these scopes (including those transitively implied)." } } } ], "description": "A set of scopes." }, "SecondFactorRequirement": { "type": "string", "description": "Represents the number of MFA approvals required for a given operation\n(e.g. login). Can be used to produce a concrete policy for a given user", "enum": [ "none", "if_registered", "required" ] }, "Seconds": { "type": "integer", "format": "int64", "description": "Duration measured in seconds\nA wrapper type for serialization that encodes a `Duration` as a `u64` representing the number of seconds.", "minimum": 0 }, "SecretValue": { "oneOf": [ { "type": "string", "description": "A secret value.\nConfig values are encrypted in transit and at rest." 
}, { "type": "object", "description": "A secret value encrypted to this organization's Wasm policy.\nEach value is encrypted with its own ephemeral key.", "required": [ "encrypted_value", "salt", "client_public_key" ], "properties": { "client_public_key": { "type": "string", "description": "The client's ephemeral public key used to derive a shared key.\nThis is a base64-encoded, SEC1-encoded P384 public key." }, "encrypted_value": { "type": "string", "description": "The encrypted secret value.\nThis is a base64-encoded ciphertext." }, "salt": { "type": "string", "description": "A salt value used to derive a shared key for AES-GCM.\nThis is a base64-encoded byte string." } } } ], "description": "The value of a policy secret." }, "SessionInfo": { "allOf": [ { "$ref": "#/components/schemas/SessionMetadata" }, { "type": "object", "required": [ "session_id", "purpose", "exp", "created_at" ], "properties": { "created_at": { "type": "integer", "format": "int64", "description": "Creation date (in seconds since unix epoch)", "minimum": 0 }, "exp": { "type": "integer", "format": "int64", "description": "Expiration date (in seconds since unix epoch)", "minimum": 0 }, "last_used": { "allOf": [ { "$ref": "#/components/schemas/WhereAndWhen" } ], "nullable": true }, "lifetimes": { "$ref": "#/components/schemas/RatchetConfig" }, "purpose": { "type": "string", "description": "A human-readable description for the session", "example": "OIDC login session" }, "scopes": { "type": "array", "items": { "$ref": "#/components/schemas/Scope" }, "description": "Lists user permission and access for the session", "example": [ "sign:*", "manage:mfa:vote:cs" ] }, "session_id": { "type": "string", "description": "Session ID. 
Uniquely identifies the session, but cannot be used for auth.", "example": "77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e" } } } ] }, "SessionMetadata": { "type": "object", "description": "Collection of attributes related to a Session.\nThis is the backend variant of [`ClientSessionMetadata`] and works in tandem with its frontend counterpart.", "properties": { "client": { "$ref": "#/components/schemas/ClientProfile" }, "created_by": { "type": "string", "description": "The id of the user who created the session.", "example": "User#ef4136dd-d22f-45bc-a65c-12b4baa729d4" }, "os": { "type": "string", "description": "OS String for backwards compatibility, see os_info instead.", "nullable": true }, "os_info": { "$ref": "#/components/schemas/OsInfo" }, "source_ip": { "$ref": "#/components/schemas/SourceIp" }, "user_agent": { "type": "string", "description": "User agent that created the session.", "example": "Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0", "nullable": true } } }, "SessionsResponse": { "type": "object", "description": "The response from any operation operating on multiple sessions", "required": [ "sessions" ], "properties": { "sessions": { "type": "array", "items": { "$ref": "#/components/schemas/SessionInfo" }, "description": "The list of sessions" } } }, "SetPolicySecretRequest": { "type": "object", "description": "A request for setting an Org-level policy secret", "required": [ "value" ], "properties": { "import_key": { "allOf": [ { "$ref": "#/components/schemas/KeyImportKey" } ], "nullable": true }, "value": { "$ref": "#/components/schemas/SecretValue" } } }, "SignDimensions": { "type": "object", "required": [ "org_id", "operation" ], "properties": { "operation": { "type": "string", "description": "The sign operation" }, "org_id": { "type": "string", "description": "All metrics must include 'org_id' as a dimension." 
} } }, "SignResponse": { "type": "object", "required": [ "signature" ], "properties": { "signature": { "type": "string", "description": "The hex-encoded resulting signature." } } }, "SignatureVersion": { "type": "string", "enum": [ "eip_712_v3", "eip_712_v4", "personal_sign" ] }, "SignedMessage": { "type": "object", "required": [ "id", "address", "signatureVersion", "status" ], "properties": { "address": { "type": "string", "description": "The address of the signer, with leading '0x'", "example": "0x0123456789012345678901234567890123456789", "pattern": "^0x[0-9a-fA-F]{40}$" }, "id": { "type": "string", "description": "The ID of the request record." }, "signature": { "type": "string", "description": "The signature, hex encoded, with leading '0x'", "nullable": true }, "signatureVersion": { "$ref": "#/components/schemas/SignatureVersion" }, "status": { "$ref": "#/components/schemas/MmiStatus" } } }, "SignerErrorCode": { "oneOf": [ { "$ref": "#/components/schemas/SignerErrorOwnCodes" }, { "$ref": "#/components/schemas/AcceptedValueCode" }, { "$ref": "#/components/schemas/BadRequestErrorCode" }, { "$ref": "#/components/schemas/BadGatewayErrorCode" }, { "$ref": "#/components/schemas/NotFoundErrorCode" }, { "$ref": "#/components/schemas/ForbiddenErrorCode" }, { "$ref": "#/components/schemas/UnauthorizedErrorCode" }, { "$ref": "#/components/schemas/PreconditionErrorCode" }, { "$ref": "#/components/schemas/TimeoutErrorCode" }, { "$ref": "#/components/schemas/ConflictErrorCode" }, { "$ref": "#/components/schemas/InternalErrorCode" } ] }, "SignerErrorOwnCodes": { "type": "string", "enum": [ "PreComputed", "StatusCodeWithMessage", "JrpcError", "UnhandledError", "ProxyStartError", "EnclaveError" ] }, "SiweCompleteRequest": { "type": "object", "description": "Answer to a Sign-in with Ethereum challenge.", "required": [ "challenge_id", "signature" ], "properties": { "challenge_id": { "$ref": "#/components/schemas/Id" }, "signature": { "type": "string", "description": "The 
hex-encoded EIP-191 signature of the message returned by the corresponding POST ('init') endpoint" } } }, "SiweCompleteResponse": { "type": "object", "description": "Returned upon a successful SIWE authentication.", "required": [ "id_token" ], "properties": { "id_token": { "type": "string", "description": "The OIDC token corresponding to the user with the requested SIWE identity." } } }, "SiweInitRequest": { "type": "object", "description": "Initialize the request to sign in with Ethereum. The response will\ncontain a SIWE message that the client has to sign and submit via the\ncorresponding PATCH endpoint within 5 minutes.", "required": [ "address", "domain", "uri" ], "properties": { "address": { "type": "string", "description": "The Ethereum address performing the signing, conformant to the capitalization-encoded checksum specified in EIP-55." }, "domain": { "type": "string", "description": "The RFC 3986 authority that is requesting the signing." }, "expiration_time": { "type": "string", "description": "The ISO 8601 datetime string that, if present, indicates when the signed authentication message is no longer valid.", "nullable": true }, "not_before": { "type": "string", "description": "The ISO 8601 datetime string that, if present, indicates when the signed authentication message will become valid.", "nullable": true }, "request_id": { "type": "string", "description": "A system-specific identifier that may be used to uniquely refer to the sign-in request.", "nullable": true }, "resources": { "type": "array", "items": { "type": "string" }, "description": "A list of information or references to information the user wishes to have resolved as part of authentication by the relying party. They are expressed as RFC 3986 URIs separated by \"\\n- \" where \\n is the byte 0x0a." 
}, "statement": { "type": "string", "description": "A human-readable ASCII assertion that the user will sign, and it must not contain '\\n' (the byte 0x0a).", "nullable": true }, "uri": { "type": "string", "description": "An RFC 3986 URI referring to the resource that is the subject of the signing (as in the subject of a claim)." } } }, "SiweInitResponse": { "type": "object", "description": "A challenge returned in response to a Sign-In with Ethereum request.\n\nContains a message that the client must sign following EIP-191\nwith the requested key in order to complete authentication.\n\nThe client has until the message expires (but no more than 5 minutes) to complete the challenge.", "required": [ "challenge_id", "message" ], "properties": { "challenge_id": { "type": "string", "description": "The ID of the challenge (to include in the request when calling the PATCH ('complete') endpoint)" }, "message": { "type": "string", "description": "The message to sign following the EIP-191 standard." } } }, "SolanaSignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. 
It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "message_base64" ], "properties": { "message_base64": { "type": "string", "description": "Solana base64-encoded serialized Message" } } } ], "description": "Solana signing request", "example": { "message_base64": "AQABA8OKVzLEjststN4xXr39kLKHT8d58eQY1QEs6MeXwEFBrxTAlULX1troLbWxuAXQqgbQofGi6z8fJi7KAAIf7YMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJK0tn39k28s+X86W47EvbRRKnYBVQ8Q/l2m1EbfT7+vAQICAAEMAgAAAGQAAAAAAAAA" } }, "SolanaTxCmp": { "type": "object", "properties": { "ignore_blockhash": { "type": "boolean", "description": "Whether the 'recent_blockhash' property of the Solana transaction is allowed to be different." } } }, "SourceIp": { "type": "object", "required": [ "source_ip" ], "properties": { "source_ip": { "type": "string", "description": "The IP address of the caller." } } }, "StakeRequest": { "type": "object", "required": [ "chain_id", "withdrawal_addr", "deposit_type" ], "properties": { "chain_id": { "type": "integer", "format": "int64", "description": "The chain on which we will deposit", "example": 5, "minimum": 0 }, "deposit_type": { "$ref": "#/components/schemas/DepositType" }, "staking_amount_gwei": { "type": "integer", "format": "int64", "description": "Optional staking amount in GWEI.\nIf not specified, defaults to 32_000_000_000 (32 ETH).\nMust be between 1 ETH and 32 ETH.\nMust not be different from the default value when 'deposit_type' is \"Wrapper\".", "minimum": 0 }, "unsafe_conf": { "allOf": [ { "$ref": "#/components/schemas/UnsafeConf" } ], "nullable": true }, "validator_key": { "type": "string", "description": "The validator BLS public key to use, or `None` to generate a fresh one.", "example": "0xa99a76ed7796f7be22d5b7e85deeb7c5677e88e511e0b337618f8c4eb61349b4bf2d153f649f7b53359fe8b94a38e44c", "nullable": true }, "withdrawal_addr": { "type": "string", "description": "The ethereum address to which withdrawn 
funds go", "example": "0x8e3484687e66cdd26cf04c3647633ab4f3570148" } } }, "StakeResponse": { "type": "object", "required": [ "deposit_tx", "created_validator_key_id" ], "properties": { "created_validator_key_id": { "type": "string", "description": "The validator key id (\"Key#...\")", "example": "Key#db1731f8-3659-45c0-885b-e11e1f5b7be2" }, "deposit_tx": { "$ref": "#/components/schemas/DepositTxn" } } }, "Status": { "type": "object", "required": [ "count", "num_auth_factors", "allowed_approvers", "approved_by" ], "properties": { "allowed_approvers": { "type": "array", "items": { "type": "string" }, "description": "Users who are allowed to approve. Must be non-empty." }, "allowed_mfa_types": { "type": "array", "items": { "$ref": "#/components/schemas/MfaType" }, "description": "Allowed approval types. When omitted, defaults to any.", "nullable": true }, "approved_by": { "type": "object", "description": "Users who have already approved", "additionalProperties": { "type": "object", "additionalProperties": { "$ref": "#/components/schemas/ApprovalInfo" } } }, "count": { "type": "integer", "format": "int32", "description": "How many users must approve", "minimum": 0 }, "num_auth_factors": { "type": "integer", "format": "int32", "description": "How many auth factors to require per user", "minimum": 0 }, "request_comparer": { "$ref": "#/components/schemas/HttpRequestCmp" } } }, "SubscriptionStatus": { "type": "string", "description": "The status of a subscription", "enum": [ "Confirmed", "Pending" ] }, "SuiAddressInfo": { "type": "object", "description": "A Sui address and its chain.", "required": [ "chain", "address" ], "properties": { "address": { "type": "string", "description": "The Sui address.", "example": "0x4e8712e38b09b5467c10fdc40fa7865a65563983eeb74b246df981e61a66b98d" }, "chain": { "$ref": "#/components/schemas/SuiChain" } } }, "SuiChain": { "type": "string", "description": "Supported Sui chains.", "enum": [ "mainnet", "devnet", "testnet" ] }, "SuiSignRequest": 
{ "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "tx" ], "properties": { "tx": { "type": "string", "description": "Base64-encoding of a BCS-serialized SUI transaction.\n\nWhen using the SUI TypeScript SDK, these bytes\nare returned by the `Transaction.build()` method." } } } ], "description": "Request to sign a serialized SUI transaction" }, "TaprootSignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "sig_kind", "tx" ], "properties": { "sig_kind": { "$ref": "#/components/schemas/TaprootSignatureKind" }, "tx": { "$ref": "#/components/schemas/BtcTx" } } } ] }, "TaprootSignatureKind": { "type": "object", "required": [ "input_index", "prevouts", "sighash_type" ], "properties": { "annex": { "type": "string", "description": "Optional annex, as per BIP341", "nullable": true }, "input_index": { "type": "integer", "description": "Transaction input index", "example": 0, "minimum": 0 }, "leaf_hash_code_separator": { "allOf": [ { "$ref": "#/components/schemas/BtcLeafHashCodeSeparator" } ], "nullable": true }, "merkle_root": { "type": "string", "description": "If this field is not present or null, no tweak is applied. 
If the field is an\nempty string, the key is tweaked with an unspendable script path per BIP0341.\nOtherwise, this field must contain a base-64 string encoding 32 bytes that\nrepresent the Merkle root with which to tweak the key before signing.", "example": "F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=", "nullable": true }, "prevouts": { "$ref": "#/components/schemas/PrevOutputs" }, "sighash_type": { "type": "string", "description": "Hash type of an input's signature, encoded in the last byte of the signature.\nPossible values:\n- SIGHASH_ALL\n- SIGHASH_ALL|SIGHASH_ANYONECANPAY\n- SIGHASH_DEFAULT\n- SIGHASH_NONE\n- SIGHASH_NONE|SIGHASH_ANYONECANPAY\n- SIGHASH_SINGLE\n- SIGHASH_SINGLE|SIGHASH_ANYONECANPAY", "example": "SIGHASH_ALL" } } }, "TelegramAuthRequest": { "type": "object", "required": [ "tg_web_app_data", "bot_id", "environment" ], "properties": { "bot_id": { "type": "string", "description": "The telegram bot ID" }, "environment": { "$ref": "#/components/schemas/TelegramEnvironment" }, "tg_web_app_data": { "type": "string", "description": "The telegram webapp data (found in the `tgWebAppData` parameter encoded in the hash section of the URL)" } } }, "TelegramAuthResponse": { "type": "object", "required": [ "id_token" ], "properties": { "id_token": { "type": "string", "description": "The OIDC token corresponding to this telegram user" } } }, "TelegramEnvironment": { "type": "string", "description": "Telegram has two environments: production and test\nEach one has an associated public key for verifying signatures,\nand we assign each one a unique OIDC issuer", "enum": [ "production", "test" ] }, "TendermintSignRequest": { "allOf": [ { "type": "object", "properties": { "metadata": { "description": "Optional metadata. Passing additional information as metadata can be used to make reviewing\nof pending MFA requests and/or historical key transactions more transparent. 
It can also be used e.g., to carry additional data to WebHook policies.", "nullable": true } } }, { "type": "object", "required": [ "message_base64" ], "properties": { "message_base64": { "type": "string", "description": "The bytes of the protobuf-encoded message to sign as a BASE64 string." } } } ], "description": "The request for using the Tendermint sign endpoint." }, "ThrottleConfig": { "type": "object", "description": "Configuration object for a throttle which limits the number of entities within a given time window", "required": [ "threshold", "window" ], "properties": { "threshold": { "type": "integer", "format": "int32", "description": "The number of entities allowed within the window", "minimum": 0 }, "window": { "$ref": "#/components/schemas/Seconds" } } }, "TimeoutErrorCode": { "type": "string", "enum": [ "PolicyEngineTimeout", "WasmPolicyExecutionTimeout" ] }, "TokenRequest": { "type": "object", "required": [ "grant_type", "refresh_token" ], "properties": { "grant_type": { "$ref": "#/components/schemas/RefreshGrantType" }, "refresh_token": { "type": "string", "description": "The refresh token issued to the client." } } }, "TokenResponse": { "allOf": [ { "type": "object", "description": "OAuth2 standard Token Response.\n\nhttps://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2", "required": [ "access_token", "token_type", "expires_in" ], "properties": { "access_token": { "type": "string", "description": "The access token issued by the authorization server." }, "expires_in": { "$ref": "#/components/schemas/Seconds" }, "id_token": { "type": "string", "description": "An OIDC token issued by Cubist, containing user information", "nullable": true }, "refresh_token": { "type": "string", "description": "The refresh token issued by the authorization server.", "nullable": true }, "token_type": { "type": "string", "description": "The type of the token issued. Value is case insensitive." 
} }, "additionalProperties": { "description": "We don't inspect all values in the token response but we hold onto them\nto forward to the client" } }, { "type": "object" } ], "description": "OAuth2 standard Token Response.\n\nhttps://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2" }, "TotpApproveRequest": { "type": "object", "required": [ "code" ], "properties": { "code": { "type": "string", "description": "TOTP verification code" } } }, "TotpChallengeAnswer": { "type": "object", "description": "Sent from the client to the server to answer a TOTP challenge", "required": [ "totp_id", "code" ], "properties": { "code": { "type": "string", "description": "The current TOTP code" }, "totp_id": { "type": "string", "description": "The ID of the challenge that was returned from the POST endpoint" } } }, "TotpInfo": { "type": "object", "required": [ "totp_id", "totp_url" ], "properties": { "totp_id": { "type": "string", "description": "The ID of the TOTP challenge.", "example": "TotpChallenge#7892ebba-563e-485b-bb7d-e26267363286" }, "totp_url": { "type": "string", "description": "Standard TOTP url which includes everything needed to initialize TOTP.", "example": "otpauth://totp/Cubist:alice-%40example.com?secret=DAHF7KCOTQWSOMK4XFEMNHXO4J433OD7&issuer=Cubist" } } }, "TotpResetRequest": { "type": "object", "description": "Request to reset TOTP.", "properties": { "issuer": { "type": "string", "description": "The name of the issuer; defaults to \"Cubist\".", "nullable": true } } }, "Transaction": { "$ref": "#/components/schemas/TypedTransaction" }, "TransactionAndStatus": { "allOf": [ { "$ref": "#/components/schemas/TypedTransaction" }, { "type": "object", "required": [ "id", "status" ], "properties": { "hash": { "type": "string", "description": "The hash of the transaction that was signed", "nullable": true }, "id": { "type": "string", "description": "The ID of the request record." 
}, "nonce": { "type": "string", "description": "The nonce (computed right before signing)", "nullable": true }, "signedRawTransaction": { "type": "string", "description": "The signature", "nullable": true }, "status": { "$ref": "#/components/schemas/MmiStatus" } } } ] }, "TsQueryName": { "type": "string", "description": "Supported queries", "enum": [ "ActiveKeys", "ActiveUsers", "UniqueSignIns", "UserCount", "LatestUserCount", "KeyCount", "LatestKeyCount", "BillingEvents", "OidcLogins", "SignEvents" ] }, "TxSignature": { "type": "object", "description": "Information about a signed transaction", "required": [ "signed_tx", "hash", "nonce" ], "properties": { "hash": { "type": "string", "description": "Keccak 256 Hash of the RLP encoding of the transaction" }, "nonce": { "type": "string", "description": "The nonce (either provided explicitly or computed right before signing)" }, "signed_tx": { "type": "string", "description": "The signed raw transaction", "example": "0xdb33b03c2b8103e2a8c361d3b4f5abc67f96c6921df6e151d53087a5e12b1e4f" } } }, "TxStatus": { "oneOf": [ { "type": "object", "required": [ "status" ], "properties": { "status": { "type": "string", "enum": [ "Pending" ] } } }, { "type": "object", "description": "The message has been signed, including the signature information.", "required": [ "sig", "status" ], "properties": { "sig": { "type": "object", "description": "Information about a signed transaction", "required": [ "signed_tx", "hash", "nonce" ], "properties": { "hash": { "type": "string", "description": "Keccak 256 Hash of the RLP encoding of the transaction" }, "nonce": { "type": "string", "description": "The nonce (either provided explicitly or computed right before signing)" }, "signed_tx": { "type": "string", "description": "The signed raw transaction", "example": "0xdb33b03c2b8103e2a8c361d3b4f5abc67f96c6921df6e151d53087a5e12b1e4f" } } }, "status": { "type": "string", "enum": [ "Signed" ] } } }, { "type": "object", "description": "The message has 
been rejected, including the reason for the rejection.", "required": [ "reason", "status" ], "properties": { "reason": { "type": "string" }, "status": { "type": "string", "enum": [ "Rejected" ] } } } ], "description": "A struct representing the pending message status", "discriminator": { "propertyName": "status" } }, "TypedData": { "type": "object", "description": "Represents the [EIP-712](https://eips.ethereum.org/EIPS/eip-712) typed data object.\n\nTyped data is a JSON object containing type information, domain separator parameters and the\nmessage object.", "required": [ "domain", "primaryType", "message", "types" ], "properties": { "domain": { "type": "object", "description": "Represents the [EIP-712](https://eips.ethereum.org/EIPS/eip-712) EIP712Domain object.\n\nEIP712Domain is a JSON object with one or more of the below fields. Protocol designers only need to include the fields that make sense for their signing domain.", "properties": { "chainId": { "type": "string", "description": "The EIP-155 chain id. The user-agent should refuse signing if it does not match the\ncurrently active chain.", "example": "0x1", "nullable": true }, "name": { "type": "string", "description": "The user readable name of signing domain, i.e., the name of the DApp or the protocol.", "example": "Ether Mail", "nullable": true }, "salt": { "oneOf": [ { "type": "string", "description": "Hex-encoded byte array of length 32", "example": "0xa5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5" }, { "type": "array", "items": { "type": "number", "example": 165 }, "description": "Byte array of length 32", "example": [ 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165, 165 ] } ], "description": "A disambiguating salt for the protocol. This can be used as a domain separator of last resort. 
Can be either a hex-encoded string or byte array" }, "verifyingContract": { "type": "string", "description": "The address of the contract that will verify the signature.", "example": "0xCcCCccccCCCCcCCCCCCcCcCccCcCCCcCcccccccC", "nullable": true }, "version": { "type": "string", "description": "The current major version of the signing domain. Signatures from different versions are not\ncompatible.", "example": "1", "nullable": true } } }, "message": { "type": "object", "description": "The message to be signed.", "additionalProperties": {} }, "primaryType": { "type": "string", "description": "The type of the message." }, "types": { "type": "object", "description": "The custom types used by this message.", "additionalProperties": { "type": "array", "items": { "type": "object", "description": "Represents the name and type pair", "required": [ "name", "type" ], "properties": { "name": { "type": "string", "example": "name" }, "type": { "type": "string", "example": "type" } }, "example": { "name": "name", "type": "type" } } } } } }, "TypedTransaction": { "oneOf": [ { "type": "object", "description": "Legacy (pre EIP-2718) Ethereum transaction type", "required": [ "type" ], "properties": { "data": { "type": "string", "example": "0x01" }, "from": { "type": "string", "example": "0x4cf18a8a6a1ffe77fec600da2b90ec35ba050b07" }, "gas": { "type": "string", "example": "0x1" }, "gasPrice": { "type": "string", "example": "0x1" }, "nonce": { "type": "string", "example": "0x1" }, "to": { "type": "string", "example": "0x068bd529426f4f27e248baf36e4558e440738fbb" }, "type": { "type": "string", "example": "0x00" }, "value": { "type": "string", "example": "0x1" } }, "example": { "data": "0x01", "from": "0x4cf18a8a6a1ffe77fec600da2b90ec35ba050b07", "gas": "0x1", "gasPrice": "0x1", "nonce": "0x1", "to": "0x068bd529426f4f27e248baf36e4558e440738fbb", "type": "0x00", "value": "0x1" } }, { "type": "object", "description": "EIP-1559 Ethereum transaction type", "required": [ "type" ], 
"properties": { "accessList": { "type": "array", "items": { "type": "object", "properties": { "address": { "type": "string", "example": "0x0000000000000000000000000000000000000000" }, "storageKeys": { "type": "array", "items": { "type": "string", "example": "0x0000000000000000000000000000000000000000000000000000000000000000" }, "example": [ "0x0000000000000000000000000000000000000000000000000000000000000000" ] } }, "example": { "address": "0x0000000000000000000000000000000000000000", "storageKeys": [ "0x0000000000000000000000000000000000000000000000000000000000000000" ] } }, "example": [ { "address": "0x0000000000000000000000000000000000000000", "storageKeys": [ "0x0000000000000000000000000000000000000000000000000000000000000000" ] } ] }, "data": { "type": "string", "example": "0x01" }, "from": { "type": "string", "example": "0x4cf18a8a7a1ffe77fec600da2b90ec35ba050b07" }, "gas": { "type": "string", "example": "0x61a80" }, "maxFeePerGas": { "type": "string", "example": "0x9502f900" }, "maxPriorityFeePerGas": { "type": "string", "example": "0x9502f900" }, "nonce": { "type": "string", "example": "0xb" }, "to": { "type": "string", "example": "0x068bd539426f4f27e248baf36e4558e440738fbb" }, "type": { "type": "string", "example": "0x02" }, "value": { "type": "string", "example": "0x1" } }, "example": { "accessList": [ { "address": "0x0000000000000000000000000000000000000000", "storageKeys": [ "0x0000000000000000000000000000000000000000000000000000000000000000" ] } ], "data": "0x01", "from": "0x4cf18a8a7a1ffe77fec600da2b90ec35ba050b07", "gas": "0x61a80", "maxFeePerGas": "0x9502f900", "maxPriorityFeePerGas": "0x9502f900", "nonce": "0xb", "to": "0x068bd539426f4f27e248baf36e4558e440738fbb", "type": "0x02", "value": "0x1" } } ], "description": "EIP-2718 typed transaction, including EIP-1559 transactions (`{ \"type\": \"0x02\" ... }`), and legacy transactions (`{ \"type\": \"0x00\" ... }`). 
All values in the transaction are expected to be (0x-prefixed or not) hex strings or byte arrays." }, "UnauthorizedErrorCode": { "type": "string", "enum": [ "AuthorizationHeaderMissing", "EndpointRequiresUserSession", "RefreshTokenMissing" ] }, "UnsafeConf": { "type": "object", "description": "Options that should be set only for local devnet testing.", "properties": { "deposit_contract_addr": { "type": "string", "description": "The hex-encoded address of the deposit contract. If omitted, inferred from `chain_id`", "example": "0xff50ed3d0ec03ac01d4c79aad74928bff48a7b2b", "nullable": true }, "genesis_fork_version": { "type": "string", "description": "The hex-encoded 4-byte fork version", "example": "0x00001020", "nullable": true } } }, "UnstakeRequest": { "type": "object", "description": "Unstake message request.", "required": [ "network", "fork", "validator_index", "genesis_data" ], "properties": { "epoch": { "allOf": [ { "$ref": "#/components/schemas/Epoch" } ], "nullable": true }, "fork": { "$ref": "#/components/schemas/Fork" }, "genesis_data": { "$ref": "#/components/schemas/GenesisData" }, "network": { "$ref": "#/components/schemas/Network" }, "validator_index": { "type": "string", "description": "Validator index (`uint64`) to exit. You can get the validator index from the Beacon node's\n`/eth/v1/beacon/states/head/validators/{pubkey}` end-point. This end point returns an\nobject that contains information about the validator (whose public key is `{pubkey}`),\nincluding the validator index. 
The schema of this end-point is defined\n[here](https://ethereum.github.io/beacon-APIs/#/Beacon/getStateValidator).", "example": "31337" } } }, "UnstakeResponse": { "type": "object", "description": "Unstake responses are signed voluntary exit messages.\nThe schema for this message is defined\n[here](https://github.com/ethereum/consensus-specs/blob/v1.0.1/specs/phase0/beacon-chain.md#signedvoluntaryexit).\nThis message can be directly POSTed to the Beacon node's\n`/eth/v1/beacon/pool/voluntary_exits` end-point (see expected schema\n[here](https://ethereum.github.io/beacon-APIs/#/Beacon/submitPoolVoluntaryExit)).", "required": [ "message", "signature" ], "properties": { "message": { "$ref": "#/components/schemas/VoluntaryExit" }, "signature": { "type": "string", "description": "BLS signature.", "example": "0x910c7cd537ed91cc8c4a82f3cbd832e9be8c24a22e9c86df479f7ce42025ea6a09619b418b666a060e260d2aae31b8e50e9d05ca3442c7eed3b507e5207e14674275f68c2ba84c4bf6b8dd364a304acac8cfab3681e2514b4400f9242bc61164" } } }, "UpdateContactRequest": { "type": "object", "description": "The information needed to update a Contact.", "properties": { "addresses": { "allOf": [ { "$ref": "#/components/schemas/AddressMap" } ], "nullable": true }, "edit_policy": { "allOf": [ { "$ref": "#/components/schemas/EditPolicy" } ], "nullable": true }, "metadata": { "description": "A new value for the optional user-defined metadata about the contact.", "nullable": true }, "name": { "type": "string", "description": "A new name for the contact. Must be a unique name among contacts in the\norg. 
Name must consist of alphanumeric characters, spaces, `.` and `-`,\nand cannot be longer than 50 characters.", "example": "Satoshi Nakamoto", "nullable": true }, "owner": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true } } }, "UpdateKeyRequest": { "allOf": [ { "$ref": "#/components/schemas/CreateAndUpdateKeyProperties" }, { "type": "object", "properties": { "enabled": { "type": "boolean", "description": "If set, updates the key's `enabled` property to this value.\nOnce disabled, a key cannot be used for signing.", "nullable": true }, "version": { "type": "integer", "format": "int64", "description": "If set, updating the metadata only succeeds if the version matches this value.", "nullable": true, "minimum": 0 } } } ] }, "UpdateOrgRequest": { "type": "object", "properties": { "alien_login_requirement": { "allOf": [ { "$ref": "#/components/schemas/SecondFactorRequirement" } ], "nullable": true }, "allowed_mfa_types": { "type": "object", "description": "MFA types that are allowed to be used for implicitly security-sensitive\noperations (like logging in, adding an MFA factor, exporting keys, etc.).", "additionalProperties": { "type": "array", "items": { "$ref": "#/components/schemas/MfaType" }, "uniqueItems": true }, "example": { "Default": [ "Fido", "Totp", "EmailOtp" ], "KeyExport": [ "Fido" ] }, "nullable": true }, "default_invite_kind": { "allOf": [ { "$ref": "#/components/schemas/InviteKind" } ], "nullable": true }, "email_preferences": { "allOf": [ { "$ref": "#/components/schemas/EmailPreferences" } ], "nullable": true }, "enabled": { "type": "boolean", "description": "If set, update this org's `enabled` field to this value.", "nullable": true }, "historical_data_configuration": { "allOf": [ { "$ref": "#/components/schemas/HistoricalDataConfiguration" } ], "nullable": true }, "idp_configuration": { "allOf": [ { "$ref": "#/components/schemas/IdpConfig" } ], "nullable": true }, "member_login_requirement": { "allOf": [ { "$ref": 
"#/components/schemas/SecondFactorRequirement" } ], "nullable": true }, "notification_endpoints": { "type": "array", "items": { "$ref": "#/components/schemas/NotificationEndpointConfiguration" }, "description": "If set, update this org's notification endpoints. Notification endpoints are expected to be\nHTTPS URLs, which accept POST requests. The bodies of the requests sent to these endpoints\nare formatted in JSON and have the following format:\n\n```json\n{\n\"org\": \"...\",\n\"utc_timestamp\": \"...\",\n\"org_event\": \"...\",\n...\n}\n```\n\n`org` is the org id, `utc_timestamp` is the UTC timestamp of the event in milliseconds, and\n`org_event` is a string identifying the type of event that has occurred. The rest of the\nfields provide additional information related to the type of the event.\n\nEndpoints can optionally include filters to customize the org events that they are notified\nabout. Currently, the only supported filter type is `OneOf`, which expects a list of org\nevent types to send to the endpoint. 
If no filter is configured, the system sends all org\nevents to the endpoint.", "example": [ { "url:": "https://example.com/endpoint1" }, { "filter": { "OneOf": [ "Eth2ConcurrentAttestationSigning", "Eth2ConcurrentBlockSigning" ] }, "url:": "https://example.com/endpoint2" } ], "nullable": true }, "passkey_configuration": { "allOf": [ { "$ref": "#/components/schemas/PasskeyConfig" } ], "nullable": true }, "policy": { "type": "array", "items": { "type": "object" }, "description": "If set, update this org's policies (old policies will be overwritten!).", "example": [ { "MaxDailyUnstake": 5 }, { "OriginAllowlist": [ "https://example.com" ] }, { "SourceIpAllowlist": [ "10.1.2.3/8", "169.254.17.1/16" ] } ], "nullable": true }, "policy_engine_configuration": { "allOf": [ { "$ref": "#/components/schemas/PolicyEngineConfiguration" } ], "nullable": true }, "require_scope_ceiling": { "type": "boolean", "description": "If set, all user logins will require the claim `cubesigner_scope_ceiling` to be present in\nthe user's token. This claim is an array of scopes (e.g. `[ \"manage:keys:list\", \"sign:evm:tx\" ]`),\nwhich define a maximum set of scopes the user may request. If the user's token does not contain\nthis claim, the login will be rejected.\n\nOwners of the org are exempt from this requirement.", "nullable": true }, "totp_failure_limit": { "type": "integer", "format": "int32", "description": "If set, update this org's TOTP failure limit. After this many failures,\nthe user is rate limited until the next 30-second TOTP window.", "nullable": true, "maximum": 5, "minimum": 1 }, "user_export_delay": { "type": "integer", "format": "int64", "description": "If set, update this org's user-export delay, i.e., the amount of time\n(in seconds) between a user's initiating an export and the time when\nexport is allowed. 
For security, this delay cannot be set to less than\n172800, i.e., 2 days.", "nullable": true, "minimum": 0 }, "user_export_disabled": { "type": "boolean", "description": "If set, turn this org's user export off (by passing `true`) or on (by passing `false`).", "nullable": true }, "user_export_window": { "type": "integer", "format": "int64", "description": "If set, update this org's user-export window, i.e., the amount of time\n(in seconds) that export is allowed after the user-export delay. After\nthis amount of time, the export is canceled and must be re-initiated.\nFor security, this window cannot be set to greater than 259200, i.e.,\n3 days.", "nullable": true, "minimum": 0 } } }, "UpdateOrgResponse": { "type": "object", "required": [ "org_id" ], "properties": { "alien_login_requirement": { "allOf": [ { "$ref": "#/components/schemas/SecondFactorRequirement" } ], "nullable": true }, "allowed_mfa_types": { "type": "object", "description": "MFA types that are allowed to be used for implicitly security-sensitive\noperations (like logging in, adding an MFA factor, exporting keys, etc.).", "additionalProperties": { "type": "array", "items": { "$ref": "#/components/schemas/MfaType" }, "uniqueItems": true }, "nullable": true }, "default_invite_kind": { "allOf": [ { "$ref": "#/components/schemas/InviteKind" } ], "nullable": true }, "email_preferences": { "allOf": [ { "$ref": "#/components/schemas/EmailPreferences" } ], "nullable": true }, "enabled": { "type": "boolean", "description": "The new value of the 'enabled' property", "nullable": true }, "historical_data_configuration": { "allOf": [ { "$ref": "#/components/schemas/HistoricalDataConfiguration" } ], "nullable": true }, "idp_configuration": { "allOf": [ { "$ref": "#/components/schemas/IdpConfig" } ], "nullable": true }, "member_login_requirement": { "allOf": [ { "$ref": "#/components/schemas/SecondFactorRequirement" } ], "nullable": true }, "name": { "type": "string", "description": "The new human-readable name 
for the org (must be alphanumeric)", "example": "my_org_name", "nullable": true }, "notification_endpoints": { "type": "array", "items": { "$ref": "#/components/schemas/NotificationEndpointConfiguration" }, "description": "The new notification endpoint configurations", "example": [ { "url": "https://example.com/endpoint" } ], "nullable": true }, "org_id": { "type": "string", "description": "The ID of the organization", "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, "passkey_configuration": { "allOf": [ { "$ref": "#/components/schemas/PasskeyConfig" } ], "nullable": true }, "policy": { "type": "array", "items": { "type": "object" }, "description": "The new value of org-wide policies", "example": [ { "MaxDailyUnstake": 5 }, { "OriginAllowlist": [ "https://example.com" ] } ], "nullable": true }, "policy_engine_configuration": { "allOf": [ { "$ref": "#/components/schemas/PolicyEngineConfiguration" } ], "nullable": true }, "require_scope_ceiling": { "type": "boolean", "description": "The new value of require_scope_ceiling", "nullable": true }, "totp_failure_limit": { "type": "integer", "format": "int32", "description": "The new value of the TOTP failure limit", "nullable": true, "minimum": 0 }, "user_export_delay": { "type": "integer", "format": "int64", "description": "The new value of user-export delay", "nullable": true, "minimum": 0 }, "user_export_disabled": { "type": "boolean", "description": "The new value of user-export disabled", "nullable": true }, "user_export_window": { "type": "integer", "format": "int64", "description": "The new value of user-export window", "nullable": true, "minimum": 0 } } }, "UpdatePolicyRequest": { "type": "object", "description": "Request body for updating a named policy.", "properties": { "edit_policy": { "allOf": [ { "$ref": "#/components/schemas/EditPolicy" } ], "nullable": true }, "metadata": { "description": "A new metadata.", "nullable": true }, "name": { "type": "string", "description": "A new name for the policy.", 
"nullable": true }, "owner": { "type": "string", "description": "A new owner for the policy.", "nullable": true }, "rules": { "type": "array", "items": {}, "description": "New policy rules.", "nullable": true } } }, "UpdatePolicySecretsRequest": { "allOf": [ { "$ref": "#/components/schemas/ImportableSecrets" }, { "type": "object", "properties": { "edit_policy": { "allOf": [ { "$ref": "#/components/schemas/EditPolicy" } ], "nullable": true } } } ], "description": "A request for updating Org-level policy secrets" }, "UpdateRoleRequest": { "type": "object", "properties": { "edit_policy": { "allOf": [ { "$ref": "#/components/schemas/EditPolicy" } ], "nullable": true }, "enabled": { "type": "boolean", "description": "If set, updates the role's `enabled` property to this value.\nOnce disabled, a role cannot be used, and its tokens cannot be used for signing.", "nullable": true }, "policy": { "type": "array", "items": {}, "description": "If set, update this role's key policies (old policies will be overwritten!).\nOnly \"deny\" style policies may be set.", "example": [ { "SourceIpAllowlist": [ "123.456.78.9/16" ] } ], "nullable": true }, "restricted_actions": { "type": "object", "description": "If set, update this role's settings for restricting which member roles are allowed to\nperform actions on this role.", "additionalProperties": { "type": "array", "items": { "$ref": "#/components/schemas/MemberRole" }, "uniqueItems": true }, "example": { "CreateToken": [ "Owner" ] }, "nullable": true } } }, "UpdateUserMembershipRequest": { "type": "object", "description": "Request to update an existing user", "properties": { "disabled": { "type": "boolean", "description": "Enable or disable user", "nullable": true }, "role": { "allOf": [ { "$ref": "#/components/schemas/MemberRole" } ], "nullable": true } } }, "UploadObjectHash": { "type": "string", "format": "binary", "description": "The SHA-256 hash of the object for an [UploadRequest]." 
}, "UploadWasmPolicyRequest": { "type": "object", "description": "Request for uploading a wasm policy", "required": [ "hash" ], "properties": { "hash": { "$ref": "#/components/schemas/UploadObjectHash" } } }, "UploadWasmPolicyResponse": { "type": "object", "description": "The response to a request for uploading a wasm policy", "required": [ "signed_url" ], "properties": { "signed_url": { "type": "string", "description": "A signed URL for uploading the requested wasm policy." } } }, "UserCountDimensions": { "type": "object", "required": [ "org_id", "membership" ], "properties": { "membership": { "type": "string", "description": "User's membership in the org" }, "org_id": { "type": "string", "description": "All metrics must include 'org_id' as a dimension." } } }, "UserExportCompleteRequest": { "type": "object", "description": "A request to complete a user export", "required": [ "key_id", "public_key" ], "properties": { "key_id": { "type": "string", "description": "The id of the key to be exported. The key-id must correspond to the one in\nthe specified export request, and the caller must own this key.", "example": "Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8" }, "public_key": { "type": "string", "description": "The NIST P-256 public key (base64-encoded SEC1 with or without compression)\nto which the export will be encrypted. If a public key was provided when\n`user_export_init` was called, this key must match that one.", "example": "AkpLT/3dXApJzXSduaPQ7apyT0ADBwqkt1es/aT0iWWf" } } }, "UserExportCompleteResponse": { "type": "object", "description": "An encrypted user-export", "required": [ "encrypted_key_material", "ephemeral_public_key", "user_id" ], "properties": { "encrypted_key_material": { "type": "string", "description": "The exported key material, encrypted with AES-256-GCM under a key\nderived from the public key supplied in the request via HPKE (RFC9180)\nwith DHKEM(P-256, HKDF-SHA256) and base64 encoded." 
}, "ephemeral_public_key": { "type": "string", "description": "The ephemeral public key used for HPKE key derivation as base64-encoded\nuncompressed SEC1 serialization." }, "user_id": { "type": "string", "description": "The user-id to which this key belongs." } } }, "UserExportInitRequest": { "type": "object", "description": "A request to initiate a user export", "required": [ "key_id" ], "properties": { "key_id": { "type": "string", "description": "The id of the key to be exported. This key must be owned by the caller.", "example": "Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8" }, "public_key": { "type": "string", "description": "An optional NIST P-256 public key (base64-encoded SEC1 with or without\ncompression) to which the export will be encrypted. If provided, this\npublic key MUST be the one used to encrypt the export once the delay has\nexpired. Otherwise, the user can provide any public key when completing\nthe export request post delay.\n\nThis option may provide extra security when the user has a secure hardware\ndevice (e.g., a phone's secure element or a YubiKey) in which a NIST P-256\nsecret key can be generated. 
Providing the corresponding public key here\nensures that only that specific device will be capable of decrypting\nthe export ciphertext.\n\nIf no secure hardware device is available to store the secret key, this\noption SHOULD NOT be used because of the risk of secret key theft during\nthe export delay period.", "example": "AkpLT/3dXApJzXSduaPQ7apyT0ADBwqkt1es/aT0iWWf", "nullable": true } } }, "UserExportInitResponse": { "allOf": [ { "$ref": "#/components/schemas/UserExportRequest" }, { "type": "object", "required": [ "key_id" ], "properties": { "key_id": { "type": "string", "description": "The key-id being requested.", "example": "Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8" } } } ], "description": "The response to a successful user-export init request" }, "UserExportRequest": { "type": "object", "description": "Pending user-export request as stored in the database.", "required": [ "org_id", "valid_epoch", "exp_epoch" ], "properties": { "exp_epoch": { "$ref": "#/components/schemas/EpochDateTime" }, "org_id": { "type": "string", "description": "The org-id in which the key is housed.", "example": "Org#f361ed6b-5d19-4ccf-a4d5-eba935dc0b90" }, "public_key_hash": { "type": "string", "description": "The SHA-256 hash of the public key provided at export initiation,\nif any. If a key was provided, only that key can be used to complete\nthe export procedure. 
Otherwise, any key can be used.\n\nIMPORTANT: if a public key is supplied at export initiation, it is\nSTRONGLY RECOMMENDED that the corresponding secret key be stored in\na secure hardware device, e.g., a YubiKey or a phone's secure element.\nIf no such hardware is available, supplying a public key at export\ninitiation is STRONGLY DISCOURAGED because of the risk of theft during\nthe export delay period.\n\n(See also the comment in the `public_key` field of `UserExportInitRequest`.)", "example": "df457a98d5538540f54d1316b597a0f39b8d96f488f10a2e31a955c146fdf1d3", "nullable": true }, "valid_epoch": { "$ref": "#/components/schemas/EpochDateTime" } } }, "UserInOrgInfo": { "type": "object", "required": [ "id", "membership", "status" ], "properties": { "email": { "type": "string", "description": "The user's email (optional)", "example": "alice@example.com", "nullable": true }, "id": { "type": "string", "description": "The id of the user", "example": "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f" }, "initialized": { "type": "boolean", "description": "Whether the user has ever successfully logged in" }, "membership": { "$ref": "#/components/schemas/MemberRole" }, "name": { "type": "string", "description": "Optional user name.", "nullable": true }, "status": { "$ref": "#/components/schemas/MembershipStatus" }, "verified_email": { "allOf": [ { "$ref": "#/components/schemas/VerifiedEmail" } ], "nullable": true } } }, "UserInOrgInfoWithIdentity": { "allOf": [ { "type": "object", "required": [ "id", "membership", "status" ], "properties": { "email": { "type": "string", "description": "The user's email (optional)", "example": "alice@example.com", "nullable": true }, "id": { "type": "string", "description": "The id of the user", "example": "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f" }, "initialized": { "type": "boolean", "description": "Whether the user has ever successfully logged in" }, "membership": { "$ref": "#/components/schemas/MemberRole" }, "name": { "type": "string", 
"description": "Optional user name.", "nullable": true }, "status": { "$ref": "#/components/schemas/MembershipStatus" }, "verified_email": { "allOf": [ { "$ref": "#/components/schemas/VerifiedEmail" } ], "nullable": true } } }, { "type": "object", "properties": { "identities": { "type": "array", "items": { "$ref": "#/components/schemas/IdentityInfo" }, "description": "Optional third-party identities via which the user was found" } } } ] }, "UserInOrgMembership": { "type": "object", "description": "Information about a user's membership in an organization\n(without including any info about the user)", "required": [ "org_id", "membership", "status" ], "properties": { "membership": { "$ref": "#/components/schemas/MemberRole" }, "org_id": { "type": "string", "description": "Organization id", "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, "status": { "$ref": "#/components/schemas/MembershipStatus" } } }, "UserInRoleInfo": { "type": "object", "required": [ "user_id" ], "properties": { "user_id": { "type": "string" } } }, "UserInfo": { "type": "object", "required": [ "user_id", "org_ids", "orgs", "mfa" ], "properties": { "email": { "type": "string", "description": "Optional email", "example": "alice@example.com", "nullable": true }, "mfa": { "type": "array", "items": { "$ref": "#/components/schemas/ConfiguredMfa" }, "description": "All multi-factor authentication methods configured for this user" }, "mfa_policy": { "allOf": [ { "$ref": "#/components/schemas/MfaPolicy" } ], "nullable": true }, "name": { "type": "string", "description": "Optional name", "example": "Alice", "nullable": true }, "org_ids": { "type": "array", "items": { "type": "string" }, "description": "All organizations the user belongs to. 
Deprecated in favor of 'orgs'.", "deprecated": true, "example": [ "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" ] }, "orgs": { "type": "array", "items": { "$ref": "#/components/schemas/UserInOrgMembership" }, "description": "All organizations the user belongs to, including the membership role in each." }, "user_id": { "type": "string", "description": "The id of the currently logged in user", "example": "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f" }, "verified_email": { "allOf": [ { "$ref": "#/components/schemas/VerifiedEmail" } ], "nullable": true } } }, "UserOrgsResponse": { "type": "object", "description": "The response to the user/orgs endpoint", "required": [ "orgs" ], "properties": { "orgs": { "type": "array", "items": { "$ref": "#/components/schemas/OrgData" }, "description": "The list of orgs this user is a member of" } } }, "UserVerificationRequirement": { "type": "string", "description": "A WebAuthn Relying Party may require user verification for some of its\noperations but not for others, and may use this type to express its needs.\n\nhttps://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement", "enum": [ "required", "discouraged", "preferred" ] }, "VerifiedEmail": { "type": "object", "required": [ "email", "updated_at" ], "properties": { "email": { "type": "string", "description": "Email address" }, "updated_at": { "type": "integer", "format": "int64", "description": "Last time this record was updated (in seconds since unix epoch)", "minimum": 0 } } }, "VoluntaryExit": { "type": "object", "description": "An exit voluntarily submitted by a validator who wishes to withdraw.\nThe schema for this message is defined\n[here](https://github.com/ethereum/consensus-specs/blob/v1.0.1/specs/phase0/beacon-chain.md#signedvoluntaryexit).", "required": [ "epoch", "validator_index" ], "properties": { "epoch": { "$ref": "#/components/schemas/Epoch" }, "validator_index": { "type": "string", "description": "Index of the exiting validator.", "example": "256" } } }, 
"WasmPolicyResponse": { "oneOf": [ { "type": "object", "required": [ "response" ], "properties": { "response": { "type": "string", "enum": [ "Allow" ] } } }, { "type": "object", "description": "The policy denied signing the transaction.", "required": [ "reason", "response" ], "properties": { "reason": { "type": "string", "description": "The reason for the denial." }, "response": { "type": "string", "enum": [ "Deny" ] } } }, { "type": "object", "description": "The policy failed to execute successfully, and exited with an error.", "required": [ "error", "response" ], "properties": { "error": { "type": "string", "description": "The error from the Policy Engine." }, "response": { "type": "string", "enum": [ "Error" ] } } } ], "description": "The response from invoking a Wasm policy.", "discriminator": { "propertyName": "response" } }, "WasmRule": { "type": "object", "description": "A wasm policy rule that can be executed in the wasm engine.", "required": [ "policy_id", "hash" ], "properties": { "hash": { "type": "string", "description": "The SHA-256 hash of a wasm policy that can be used to look it up in the policy store." }, "policy_id": { "type": "string", "description": "The Id of the policy this wasm rule belongs to." 
} } }, "WebhookMethod": { "type": "string", "description": "Allowed webhook methods", "enum": [ "GET", "POST" ] }, "WebhookPayload": { "type": "object", "description": "The payload that is sent to the webhook.\n\nThe webhook should respond with HTTP status code 200 if the operation is permitted.\n\nAll non-200 status codes imply that the operation is denied; any response body returned\nby the webhook will be included in the error response sent back to the client.", "required": [ "key_type", "key_address", "operation" ], "properties": { "key_address": { "type": "string", "description": "The address (material id) of the key used to sign the request" }, "key_type": { "$ref": "#/components/schemas/KeyType" }, "operation": { "$ref": "#/components/schemas/OperationKind" }, "request": { "description": "The payload (if any) of the sign operation", "nullable": true } } }, "WebhookPolicyParams": { "type": "object", "description": "Parameters for the [Deny::Webhook] policy.", "required": [ "url" ], "properties": { "headers": { "type": "object", "description": "Optional HTTP headers to set", "additionalProperties": { "type": "string" } }, "method": { "type": "string", "description": "Optional HTTP method to use. Defaults to POST." 
}, "restricted_operations": { "type": "array", "items": { "$ref": "#/components/schemas/OperationKind" }, "description": "CubeSigner operations to which this policy should apply.\nWhen omitted, applies to all operations.", "nullable": true }, "timeout": { "type": "integer", "format": "int64", "description": "Request execution timeout in seconds; must not exceed 5 seconds.", "maximum": 5, "minimum": 1 }, "url": { "type": "string", "description": "The url of the webhook" } } }, "WhereAndWhen": { "allOf": [ { "$ref": "#/components/schemas/SourceIp" }, { "type": "object", "required": [ "time" ], "properties": { "time": { "$ref": "#/components/schemas/EpochDateTime" } } } ] } }, "responses": { "AddThirdPartyUserResponse": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "user_id" ], "properties": { "user_id": { "type": "string", "example": "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f" } } } } } }, "AuthenticationResponse": { "description": "The response to the idp authenticate endpoint", "content": { "application/json": { "schema": { "type": "object", "description": "The response to the idp authenticate endpoint", "required": [ "id_token" ], "properties": { "id_token": { "type": "string", "description": "An OIDC token that can be used to authenticate with CubeSigner" } } } } } }, "BabylonCovSignResponse": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "slashing_transactions_signatures", "unbonding_transaction_signature", "slash_unbonding_transactions_signatures" ], "properties": { "slash_unbonding_transactions_signatures": { "type": "array", "items": { "type": "string" }, "description": "The slash-unbonding transaction signatures as an array of hex strings with no 0x prefix", "example": [ "02e21a7b0519539ef670f79d1c25a54f90b0c6d9fdb56a7de813fb207033032fffad8aaafeb1b77dd9ea8f17dadcf297696bbf5a4133292f3515b86bb9c2d78d9c" ] }, "slashing_transactions_signatures": { "type": 
"array", "items": { "type": "string" }, "description": "The slashing transaction signatures as an array of hex strings with no 0x prefix", "example": [ "03075eca9d176d1605d6c096c111e9a4f8d8739ac9708c1df3ed516106e7ab1387a3924a6652acf2e3524359731ca1fbb338a3afb1a67f6ea19c207b6ff466a5ad", "022224493f4cffad5b84076db32dd8c49a28ff48af4e19e2bcc9953ff80347ba6e8343cf7a44e74a96ff71ea59a03b40166e85b0d1355954e04a4427dc8d637ff0" ] }, "stake_expansion_transaction_signature": { "type": "string", "description": "The signature that allows expanding a stake by spending the current active\nstake transaction into a new staking transaction. A value is present iff the\ncorresponding request included a `stake_expansion` value.", "example": "b573e318803fd7aee1be5b6b18d496cc60ecc52429dbd477a879217c3ed26a795cb4f4e880aaff3a6ad66335e5404fa51caeb4964f0c9f7562737864e3bde5bc", "nullable": true }, "unbonding_transaction_signature": { "type": "string", "description": "The unbonding transaction signature as hex string with no 0x prefix", "example": "b573e318803fd7aee1be5b6b18d496cc60ecc52429dbd477a879217c3ed26a795cb4f4e880aaff3a6ad66335e5404fa51caeb4964f0c9f7562737864e3bde5bc" } } } } } }, "BabylonRegistrationResponse": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "deposit", "deposit_fee", "unbond", "slash_deposit", "slash_deposit_sig", "slash_unbond", "slash_unbond_sig", "pop", "bbn_addr" ], "properties": { "bbn_addr": { "type": "string", "description": "The Babylon address that will receive the staking rewards for this deposit.\n\nThis value will correspond to the `bbn_addr` value specified in the request,\nbut it will always have a `bbn` human-readable part.", "example": "bbn1n5anmc0kkrh70yjy7f6f399c74yd09xl5teffm" }, "deposit": { "type": "string", "description": "The deposit transaction PSBT. This PSBT includes signatures on any\ninputs controlled by the staker taproot key specified in the request." 
}, "deposit_fee": { "type": "integer", "format": "int64", "description": "The deposit transaction fee in sats.", "example": "1337", "minimum": 0 }, "pop": { "type": "string", "description": "The proof of possession, i.e., a BIP322 signature on the staker's\nBabylon address signed by the staker taproot key. This is a Bitcoin\nwitness stack in Bitcoin consensus hex encoding." }, "slash_deposit": { "type": "string", "description": "The slash-deposit transaction in Bitcoin consensus hex encoding." }, "slash_deposit_sig": { "type": "string", "description": "The staker taproot key's signature on the slash-deposit transaction.\nThis is a BIP340 signature in hex format." }, "slash_unbond": { "type": "string", "description": "The slash-unbond transaction in Bitcoin consensus hex encoding." }, "slash_unbond_sig": { "type": "string", "description": "The staker taproot key's signature on the slash-unbond transaction.\nThis is a BIP340 signature in hex format." }, "unbond": { "type": "string", "description": "The (unsigned) unbonding transaction in Bitcoin consensus hex encoding." } } } } } }, "BabylonStakingResponse": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "psbt", "fee" ], "properties": { "fee": { "type": "integer", "format": "int64", "description": "The transaction fee in sats", "example": "1337", "minimum": 0 }, "psbt": { "type": "string", "description": "The PSBT in either hex or base64 serialization", "example": "70736274ff01005e..." } } } } } }, "BtcMessageSignResponse": { "description": "BTC message signing response", "content": { "application/json": { "schema": { "type": "object", "description": "BTC message signing response", "required": [ "sig" ], "properties": { "sig": { "type": "string", "description": "The base64-encoded signature in BIP137 format." 
} } } } } }, "ComputeCountsResponse": { "description": "The number of users and keys in an org, organized by user role and key type", "content": { "application/json": { "schema": { "type": "object", "description": "The number of users and keys in an org, organized by user role and key type", "required": [ "users", "keys" ], "properties": { "keys": { "type": "object", "description": "A map of a `KeyType` to the number of keys with that type in the org.", "additionalProperties": { "type": "integer", "minimum": 0 }, "example": { "SecpBtc": 3, "SecpEthAddr": 1 } }, "users": { "type": "object", "description": "A map of a `MemberRole` to the number of users with that role in the org.", "additionalProperties": { "type": "integer", "minimum": 0 }, "example": { "Member": 10, "Owner": 1 } } } } } } }, "ContactInfoResponse": { "description": "Information about a Contact.", "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/Contact" }, { "type": "object", "required": [ "id", "addresses" ], "properties": { "addresses": { "$ref": "#/components/schemas/AddressMap" }, "id": { "$ref": "#/components/schemas/Id" } } } ], "description": "Information about a Contact." } } } }, "CreateKeyImportKeyResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/KeyImportKey" }, { "type": "object", "required": [ "enclave_attestation", "enclave_signature" ], "properties": { "enclave_attestation": { "type": "string", "description": "An attestation document from a secure enclave, including an\nRSA signing key used to sign the contents of this message." }, "enclave_signature": { "type": "string", "description": "An RSA-PSS-SHA256 signature on the public key and encrypted\nsecrets attesting to their generation inside a secure enclave." 
} } } ] } } } }, "CreateKeyResponse": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "keys" ], "properties": { "keys": { "type": "array", "items": { "$ref": "#/components/schemas/KeyInfo" }, "description": "The info about the created keys" } } } } } }, "CreatePolicyImportKeyResponse": { "description": "The response to [create_import_key] containing the generated key and enclave\nattestations.", "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/KeyImportKey" }, { "type": "object", "required": [ "enclave_attestation", "enclave_signature" ], "properties": { "enclave_attestation": { "type": "string", "description": "An attestation document from a secure enclave, including an\nRSA signing key used to sign the contents of this message." }, "enclave_signature": { "type": "string", "description": "An RSA-PSS-SHA256 signature on the public key and encrypted\nsecrets attesting to their generation inside a secure enclave." } } } ], "description": "The response to [create_import_key] containing the generated key and enclave\nattestations." 
} } } }, "CreateRoleResponse": { "description": "The newly created role information", "content": { "application/json": { "schema": { "type": "object", "description": "The newly created role information", "required": [ "role_id" ], "properties": { "name": { "type": "string", "description": "A human-readable name for the role.", "example": "my_role", "nullable": true, "pattern": "^[a-zA-Z0-9_]{3,30}$" }, "role_id": { "type": "string", "description": "The id of the newly created role", "example": "Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b" } } } } } }, "DiffieHellmanResponse": { "description": "The result of a Diffie Hellman key exchange", "content": { "application/json": { "schema": { "oneOf": [ { "type": "object", "required": [ "points", "response_type" ], "properties": { "points": { "type": "array", "items": { "type": "string" }, "description": "The resulting points as base64-encoded byte strings in a key-type--dependent format." }, "response_type": { "type": "string", "enum": [ "masked" ] } } }, { "type": "object", "required": [ "encrypted_shared_secrets", "ephemeral_public_key", "response_type" ], "properties": { "encrypted_shared_secrets": { "type": "string", "description": "A ciphertext containing the resulting points. The enclosed plaintext is a sequence\nof base64-encoded byte strings in a key-type--dependent format." }, "ephemeral_public_key": { "type": "string", "description": "The ephemeral public key used for HPKE key derivation in base64-encoded\nuncompressed SEC1 serialization." 
}, "response_type": { "type": "string", "enum": [ "encrypted" ] } } } ], "description": "The result of a Diffie Hellman key exchange", "discriminator": { "propertyName": "response_type" } } } } }, "EmailOtpResponse": { "description": "The HTTP response to an email OTP request.\n\nThis response contains an OIDC token without a signature.\nThe signature is sent to the end-user in an email.\nThe token can be reconstructed by concatenating the `partial_token` with the signature.", "content": { "application/json": { "schema": { "type": "object", "description": "The HTTP response to an email OTP request.\n\nThis response contains an OIDC token without a signature.\nThe signature is sent to the end-user in an email.\nThe token can be reconstructed by concatenating the `partial_token` with the signature.", "required": [ "partial_token" ], "properties": { "partial_token": { "type": "string", "description": "The OIDC token without the signature.\n(The signature, which is actually a MAC, is sent to the end-user in an email)" } } } } } }, "EmptyImpl": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "status" ], "properties": { "status": { "type": "string" } } } } } }, "EotsCreateNonceResponse": { "description": "Response generated when creating EOTS nonces", "content": { "application/json": { "schema": { "type": "object", "description": "Response generated when creating EOTS nonces", "required": [ "nonces" ], "properties": { "nonces": { "type": "array", "items": { "type": "string" }, "description": "The generated nonces as an array of 0x-prefixed hex strings", "example": [ "0xb393bf39e71a16d784853d58255a296222a99fd3c87aa7ca206c5230c188f1c7", "0xe01936584b4f0c0e97f0d3018c4f9db2bf7de41395c6403a48fd0dff0ef7b40d" ] } } } } } }, "EsploraResponse": { "description": "Response to [EsploraRequest]", "content": { "application/json": { "schema": {} } } }, "Eth1SignResponse": { "description": "", "content": { "application/json": { 
"schema": { "type": "object", "required": [ "rlp_signed_tx" ], "properties": { "rlp_signed_tx": { "type": "string", "description": "Hex-encoded RLP encoding of the transaction and its signature", "example": "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" } } } } } }, "Eth2SignResponse": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "signature" ], "properties": { "signature": { "type": "string", "description": "Hex encoded signature prefixed with 0x e.g. \"0x0000...\"", "example": "0xb4f2ef9d12a54e1f569596c07c97d6d730535b6ffc0d287761dc78103a86326782471a04c75ce7a6faea08ca9a4a0830031cdcb893da8711d54aa22619f1a7e71b8185ddf4c6bfd9babbd735960e35e56bd6eeb89625b04850e7a9ef8846e549" } } } } } }, "FidoAssertChallenge": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "allOf": [ { "$ref": "#/components/schemas/ChallengePieces" }, { "type": "object", "required": [ "options" ], "properties": { "options": { "$ref": "#/components/schemas/PublicKeyCredentialRequestOptions" } } } ], "description": "An extended form of `PublicKeyCredentialRequestOptions` that allows clients to derive the WebAuthn challenge\nfrom a structured preimage.\n\nThis ensures that the webuathn signature can only be used for a specific purpose" }, { "type": "object", "required": [ "challenge_id" ], "properties": { "challenge_id": { "type": "string", "description": "The id of the challenge. Must be supplied when answering the challenge." } } } ] } } } }, "FidoCreateChallengeResponse": { "description": "Sent by the server to the client. 
Contains the challenge data that must be\nused to generate a new credential", "content": { "application/json": { "schema": { "allOf": [ { "allOf": [ { "$ref": "#/components/schemas/ChallengePieces" }, { "type": "object", "required": [ "options" ], "properties": { "options": { "$ref": "#/components/schemas/PublicKeyCredentialCreationOptions" } } } ], "description": "An extended form of `PublicKeyCredentialCreationOptions` that allows clients to derive the WebAuthn challenge\nfrom a structured preimage.\n\nThis ensures that the WebAuthn signature can only be used for a specific purpose" }, { "type": "object", "required": [ "challenge_id" ], "properties": { "challenge_id": { "type": "string", "description": "The id of the challenge. Must be supplied when answering the challenge." } } } ], "description": "Sent by the server to the client. Contains the challenge data that must be\nused to generate a new credential" } } } }, "GetUserByEmailResponse": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "users" ], "properties": { "users": { "type": "array", "items": { "$ref": "#/components/schemas/UserInOrgInfoWithIdentity" }, "description": "Typically, this array is either empty (if no user with a given email was found)\nor contains a single element, i.e., the user with a given email." 
} } } } } }, "GetUserByOidcResponse": { "description": "", "content": { "application/json": { "schema": { "type": "object", "properties": { "user": { "allOf": [ { "$ref": "#/components/schemas/UserInOrgInfoWithIdentity" } ], "nullable": true } } } } } }, "IdentityProof": { "description": "Proof that an end-user provided CubeSigner with a valid auth token\n(either an OIDC token or a CubeSigner session token)", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "description": "Evidence is used in non-custodial deployments to prove to a third-party that\na user has indeed authenticated with CubeSigner.\n\nThis evidence can be obtained by either logging in with an OIDC token or with\na CubeSigner session token. In the latter case, no [Proof::aud] is set.", "required": [ "exp_epoch" ], "properties": { "aud": { "allOf": [ { "$ref": "#/components/schemas/Aud" } ], "nullable": true }, "email": { "type": "string", "description": "The email associated with the user", "example": "user@email.com", "nullable": true }, "exp_epoch": { "$ref": "#/components/schemas/EpochDateTime" }, "identity": { "allOf": [ { "$ref": "#/components/schemas/OidcIdentity" } ], "nullable": true }, "preferred_username": { "type": "string", "description": "The username (if any) associated with the user", "example": "cubistdev", "nullable": true }, "user_info": { "allOf": [ { "$ref": "#/components/schemas/CubeSignerUserInfo" } ], "nullable": true } } }, { "type": "object", "required": [ "id" ], "properties": { "id": { "type": "string", "description": "An opaque identifier for the proof" } } } ], "description": "Proof that an end-user provided CubeSigner with a valid auth token\n(either an OIDC token or a CubeSigner session token)" } } } }, "InvokePolicyResponse": { "description": "The result of invoking a Wasm policy.", "content": { "application/json": { "schema": { "type": "object", "description": "The result of invoking a Wasm policy.", "required": [ "response", "stdout", 
"stderr" ], "properties": { "response": { "$ref": "#/components/schemas/WasmPolicyResponse" }, "stderr": { "type": "string", "description": "The bytes written to `stderr`, encoded as a hex-string.\nIn most cases, these bytes correspond to a UTF-8-encoded `String`." }, "stdout": { "type": "string", "description": "The bytes written to `stdout`, encoded as a hex-string.\nIn most cases, these bytes correspond to a UTF-8-encoded `String`." } } } } } }, "JrpcResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/Response" }, { "type": "object" } ] } } } }, "JwkSetResponse": { "description": "A JSON Web Key set describing the key used to sign JSON Web Tokens for MMI", "content": { "application/json": { "schema": { "type": "object" } } } }, "KeyDerivationInfo": { "description": "Derivation-related metadata for keys derived from a long-lived mnemonic", "content": { "application/json": { "schema": { "type": "object", "description": "Derivation-related metadata for keys derived from a long-lived mnemonic", "required": [ "mnemonic_id", "derivation_path" ], "properties": { "derivation_path": { "type": "string", "description": "The derivation path used to derive this key" }, "mnemonic_id": { "type": "string", "description": "The mnemonic-id of the key's parent mnemonic" } } } } } }, "KeyImportKey": { "description": "A wrapped key-import key", "content": { "application/json": { "schema": { "type": "object", "description": "A wrapped key-import key", "required": [ "public_key", "sk_enc", "dk_enc", "expires" ], "properties": { "dk_enc": { "type": "string", "description": "Base64-encoded, encrypted data key." 
}, "expires": { "type": "integer", "format": "int64", "description": "Expiration timestamp expressed as seconds since the UNIX epoch.", "minimum": 0 }, "public_key": { "type": "string", "description": "The ephemeral public key to which an imported key should be encrypted.\nThis is a P384 public key in base64-encoded uncompressed SECG format." }, "sk_enc": { "type": "string", "description": "Base64-encoded, encrypted secret key." } } } } } }, "KeyInRoleInfo": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "role_id", "key_id" ], "properties": { "key_id": { "type": "string", "description": "Key ID", "example": "Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148" }, "key_info": { "allOf": [ { "$ref": "#/components/schemas/KeyInfo" } ], "nullable": true }, "policy": { "type": "array", "items": { "type": "object" }, "description": "Policies that are checked before this key is used on behalf of this role", "example": [ { "TxReceiver": "0x8c594691c0e592ffa21f153a16ae41db5befcaaa" }, { "TxDeposit": { "kind": "Canonical" } } ] }, "role_id": { "type": "string", "description": "Role ID", "example": "Role#e427c28a-9c5b-49cc-a257-878aea58a22c" } } } } } }, "KeyInfo": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/CommonFields" }, { "type": "object", "required": [ "key_type", "key_id", "material_id", "purpose", "enabled", "owner", "public_key", "policy" ], "properties": { "derivation_info": { "allOf": [ { "$ref": "#/components/schemas/KeyDerivationInfo" } ], "nullable": true }, "enabled": { "type": "boolean", "description": "Whether the key is enabled (only enabled keys may be used for signing)" }, "key_id": { "type": "string", "description": "The id of the key: \"Key#\" followed by a unique identifier specific to\nthe type of key (such as a public key for BLS or an ethereum address for Secp)", "example": "Key#0x8e3484687e66cdd26cf04c3647633ab4f3570148" }, "key_type": 
{ "$ref": "#/components/schemas/KeyType" }, "material_id": { "type": "string", "description": "A unique identifier specific to the type of key, such as a public key or an ethereum address", "example": "0x8e3484687e66cdd26cf04c3647633ab4f3570148" }, "owner": { "type": "string", "description": "Owner of the key", "example": "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f" }, "policy": { "type": "array", "items": {}, "description": "Key policy", "example": [ "AllowRawBlobSigning", { "RequireMfa": { "count": 1 } } ] }, "public_key": { "type": "string", "description": "Hex-encoded, serialized public key. The format used depends on the key type:\n- Secp256k1 keys use 65-byte uncompressed SECG format;\n- Stark keys use 33-byte compressed SECG format;\n- BLS keys use 48-byte compressed BLS12-381 (ZCash) format;\n- Ed25519 keys use the canonical 32-byte encoding specified in RFC 8032.", "example": "0x04d2688b6bc2ce7f9879b9e745f3c4dc177908c5cef0c1b64cff19ae7ff27dee623c64fe9d9c325c7fbbc748bbd5f607ce14dd83e28ebbbb7d3e7f2ffb70a79431" }, "purpose": { "type": "string", "description": "The purpose for which the key can be used (e.g., chain id for which the key is allowed to sign messages)", "example": "Eth2Validator(1)" }, "region": { "type": "string", "description": "The region affinity for this key" } } } ] } } } }, "KeyInfos": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "keys" ], "properties": { "keys": { "type": "array", "items": { "$ref": "#/components/schemas/KeyInfo" } } } } } } }, "ListIdentitiesResponse": { "description": "Third-party identities associated with the user's account", "content": { "application/json": { "schema": { "type": "object", "description": "Third-party identities associated with the user's account", "required": [ "identities" ], "properties": { "identities": { "type": "array", "items": { "$ref": "#/components/schemas/IdentityInfo" } } } } } } }, "ListMfaResponse": { "description": "", "content": { 
"application/json": { "schema": { "type": "object", "required": [ "mfa_requests" ], "properties": { "mfa_requests": { "type": "array", "items": { "$ref": "#/components/schemas/MfaRequestInfo" }, "description": "All pending MFA requests" } } } } } }, "ListPendingMessagesResponse": { "description": "All pending MMI requests created by the current user.", "content": { "application/json": { "schema": { "type": "object", "description": "All pending MMI requests created by the current user.", "required": [ "pending_messages" ], "properties": { "pending_messages": { "type": "array", "items": { "$ref": "#/components/schemas/PendingMessageInfo" }, "description": "All pending messages for a user." } } } } } }, "MfaRequestInfo": { "description": "Returned as a response from multiple routes (e.g., 'get mfa', 'approve mfa', 'approve totp').", "content": { "application/json": { "schema": { "type": "object", "description": "Returned as a response from multiple routes (e.g., 'get mfa', 'approve mfa', 'approve totp').", "required": [ "id", "expires_at", "request", "status", "created_by", "provenance" ], "properties": { "created_at": { "$ref": "#/components/schemas/EpochDateTime" }, "created_by": { "type": "string", "description": "The session identity (user or role) that created this request." }, "expires_at": { "$ref": "#/components/schemas/EpochDateTime" }, "id": { "type": "string", "description": "Approval request ID." }, "not_valid_until": { "$ref": "#/components/schemas/EpochDateTime" }, "provenance": { "type": "string", "description": "MFA policy provenance", "enum": [ "Key", "KeyInRole", "Role", "User", "EditPolicy" ] }, "receipt": { "allOf": [ { "$ref": "#/components/schemas/Receipt" } ], "nullable": true }, "region": { "type": "string", "description": "The region this MFA request was created in. It can only be redeemed from the same region." 
}, "related_ids": { "type": "array", "items": { "type": "string" }, "description": "If set, contains the IDs of all MFA requests (including this one!) that\nwere generated at once for the same CubeSigner operation.\n\nIf not set, it means that this was the lone MFA request generated for `request`.\n\nThis is useful so that a client can discover all the MFAs whose receipts must\nbe submitted together to carry out the original CubeSigner operation." }, "request": { "$ref": "#/components/schemas/HttpRequest" }, "status": { "$ref": "#/components/schemas/Status" } } } } } }, "NewSessionResponse": { "description": "Information about a new session, returned from multiple endpoints (e.g., login, refresh, etc.).", "content": { "application/json": { "schema": { "type": "object", "description": "Information about a new session, returned from multiple endpoints (e.g., login, refresh, etc.).", "required": [ "token", "refresh_token", "session_info" ], "properties": { "expiration": { "type": "integer", "format": "int64", "description": "Session expiration (in seconds since UNIX epoch), beyond which it cannot be refreshed.", "example": 1701879640, "minimum": 0 }, "org_id": { "allOf": [ { "$ref": "#/components/schemas/Id" } ], "nullable": true }, "refresh_token": { "type": "string", "description": "Token that can be used to refresh this session." }, "session_info": { "$ref": "#/components/schemas/ClientSessionInfo" }, "token": { "type": "string", "description": "New token to be used for authentication. Requests to signing endpoints\nshould include this value in the `Authorization` header." } } } } } }, "OrgExportResponse": { "description": "An org-export ciphertext retrieved via the org-export API.", "content": { "application/json": { "schema": { "type": "object", "description": "An org-export ciphertext retrieved via the org-export API.", "required": [ "ciphertext" ], "properties": { "ciphertext": { "type": "string", "description": "A base64-encoded export ciphertext." 
} } } } } }, "OrgInfo": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/MfaRequirements" }, { "type": "object", "required": [ "org_id", "access_model", "enabled", "last_unstake", "last_unstake_day_count", "kwk_id", "user_export_delay", "user_export_window", "totp_failure_limit" ], "properties": { "access_model": { "$ref": "#/components/schemas/AccessModel" }, "default_invite_kind": { "$ref": "#/components/schemas/InviteKind" }, "email_preferences": { "$ref": "#/components/schemas/EmailPreferences" }, "enabled": { "type": "boolean", "description": "When false, all cryptographic operations involving keys in this org are disabled." }, "historical_data_configuration": { "$ref": "#/components/schemas/HistoricalDataConfiguration" }, "idp_configuration": { "$ref": "#/components/schemas/IdpConfig" }, "key_import_key": { "type": "string", "description": "Deprecated: this field should be ignored.", "nullable": true }, "kwk_id": { "type": "string", "description": "The organization's universally unique key-wrapping-key identifier.\nThis value is required when setting up key export.", "example": "mrk-fce09525e81587d23520f11e07e2e9d9" }, "last_unstake": { "type": "string", "description": "Date/time (in UTC) when last 'unstake' was performed. 
Unix epoch if none.", "example": "TODO" }, "last_unstake_day_count": { "type": "integer", "format": "int32", "description": "How many 'unstake' calls happened on the day when `last_unstake` was performed.", "minimum": 0 }, "metrics_enabled": { "type": "boolean", "description": "Whether metrics are collected for this org" }, "name": { "type": "string", "description": "The human-readable name for the org", "example": "my_org_name", "nullable": true }, "notification_endpoints": { "type": "array", "items": { "$ref": "#/components/schemas/NotificationEndpoint" }, "description": "The organization's notification endpoints, which are HTTPS URLs that are notified about a\nconfigurable set of events in an organization. For each event, CubeSigner sends a POST\nrequest with a JSON-formatted body that contains the event details.", "example": [ { "arn": "arn:aws:sns:us-east-1:012345678901:OrgEventsTopic:12345678-0000-0000-0000-000000000001", "config": { "url": "https://example.com/endpoint1" }, "status": "Confirmed" }, { "arn": "arn:aws:sns:us-east-1:012345678901:OrgEventsTopic:12345678-0000-0000-0000-000000000002", "config": { "filter": { "OneOf": [ "Eth2ConcurrentAttestationSigning", "Eth2ConcurrentBlockSigning" ] }, "url": "https://example.com/endpoint2" }, "status": "Pending" } ] }, "org_id": { "type": "string", "description": "The ID of the organization", "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, "passkey_configuration": { "$ref": "#/components/schemas/PasskeyConfig" }, "policy": { "type": "array", "items": { "type": "object" }, "description": "Org-wide policies that are checked before a key is used for signing", "example": [ { "MaxDailyUnstake": 5 } ] }, "policy_engine_configuration": { "$ref": "#/components/schemas/PolicyEngineConfiguration" }, "totp_failure_limit": { "type": "integer", "format": "int32", "description": "The organization's currently configured TOTP failure limit, i.e., the number\nof times a user can provide an incorrect TOTP code before being 
rate limited.\nThis value can be between 1 and 5 (inclusive).", "minimum": 0 }, "user_export_delay": { "type": "integer", "format": "int64", "description": "The organization's currently configured user-export delay, i.e., the minimum\namount of time (in seconds) between when a user-export is initiated and when\nit may be completed. (This value is meaningless for organizations that use\norg-wide export.)", "minimum": 0 }, "user_export_disabled": { "type": "boolean", "description": "Whether user export is disabled" }, "user_export_window": { "type": "integer", "format": "int64", "description": "The organization's currently configured user-export window, i.e., the amount\nof time (in seconds) between when the user-export delay is completed and when\nthe user export request has expired and can no longer be completed. (This value\nis meaningless for organizations that use org-wide export.)", "minimum": 0 }, "webapp_enabled": { "type": "boolean", "description": "If set, the official webapp origin is automatically allowed" } } } ] } } } }, "PaginatedGetUsersInOrgResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "required": [ "users" ], "properties": { "users": { "type": "array", "items": { "$ref": "#/components/schemas/UserInOrgInfo" }, "description": "The list of users in the org" } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which the user can pass back to use as a url query parameter to continue pagination)." 
} } } }, "PaginatedListContactsResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "required": [ "contacts" ], "properties": { "contacts": { "type": "array", "items": { "$ref": "#/components/schemas/ContactInfoResponse" }, "description": "A list of contacts in the organization, matching any provided queries." } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which the user can pass back to use as a url query parameter to continue pagination)." } } } }, "PaginatedListHistoricalTxResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "required": [ "txs" ], "properties": { "txs": { "type": "array", "items": { "$ref": "#/components/schemas/HistoricalTx" }, "description": "Historical transactions signed with the requested key, sorted from most to least recent." } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which the user can pass back to use as a url query parameter to continue pagination)." 
} } } }, "PaginatedListKeyRolesResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "required": [ "roles" ], "properties": { "roles": { "type": "array", "items": { "$ref": "#/components/schemas/KeyInRoleInfo" }, "description": "All roles the key is in" } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which the user can pass back to use as a url query parameter to continue pagination)." } } } }, "PaginatedListKeysResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "required": [ "keys" ], "properties": { "keys": { "type": "array", "items": { "$ref": "#/components/schemas/KeyInfo" } } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which the user can pass back to use as a url query parameter to continue pagination)." 
} } } }, "PaginatedListPoliciesResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "description": "Response to a request for listing all of an Org's named policies.", "required": [ "policies" ], "properties": { "policies": { "type": "array", "items": { "$ref": "#/components/schemas/PolicyInfo" }, "description": "The Org's named policies." } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which the user can pass back to use as a url query parameter to continue pagination)." } } } }, "PaginatedListRoleKeysResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "required": [ "keys" ], "properties": { "keys": { "type": "array", "items": { "$ref": "#/components/schemas/KeyInRoleInfo" }, "description": "All keys in a role" } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which the user can pass back to use as a url query parameter to continue pagination)." 
} } } }, "PaginatedListRoleUsersResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "required": [ "users" ], "properties": { "users": { "type": "array", "items": { "$ref": "#/components/schemas/UserInRoleInfo" }, "description": "All users in a role" } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." } } } }, "PaginatedListRolesResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "required": [ "roles" ], "properties": { "roles": { "type": "array", "items": { "$ref": "#/components/schemas/RoleInfo" }, "description": "All roles in an organization." } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." 
} } } }, "PaginatedPolicyLogsResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "description": "A set of logs for a Wasm policy.", "required": [ "logs" ], "properties": { "logs": { "type": "array", "items": { "type": "object", "additionalProperties": { "type": "string" } }, "description": "The policy execution logs" } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which the user can pass back as a URL query parameter to continue pagination)." } } } }, "PaginatedQueryMetricsResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "description": "The metric data points.", "required": [ "results", "raw_data" ], "properties": { "messages": { "type": "array", "items": { "type": "string" }, "description": "Advisory messages (e.g., if max number of results is reached)." }, "period": { "type": "integer", "format": "int64", "description": "The period for which the statistic is computed, if any (not all metrics support splitting the requested time range into bins).\nIf set, it equals the value from the request rounded up to the closest multiple of 60.", "minimum": 0 }, "raw_data": { "type": "array", "items": { "type": "object", "additionalProperties": { "type": "string" } }, "description": "Some metrics can optionally return the raw data, when requested." 
}, "results": { "type": "array", "items": { "type": "object", "required": [ "dimensions", "data" ], "properties": { "data": { "type": "object", "description": "The data points, one for each time period (time periods for which the value is 0 are omitted).", "additionalProperties": { "type": "number", "format": "double" } }, "dimensions": { "type": "object", "description": "The metric dimensions.", "additionalProperties": { "type": "string" } } } }, "description": "Computed data points." }, "stat": { "allOf": [ { "$ref": "#/components/schemas/OrgMetricStat" } ], "nullable": true } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." 
} } } }, "PaginatedSessionsResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "description": "The response from any operation operating on multiple sessions", "required": [ "sessions" ], "properties": { "sessions": { "type": "array", "items": { "$ref": "#/components/schemas/SessionInfo" }, "description": "The list of sessions" } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." } } } }, "PaginatedUserExportListResponse": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "description": "Response to a request to list outstanding user-export requests", "required": [ "export_requests" ], "properties": { "export_requests": { "type": "array", "items": { "$ref": "#/components/schemas/UserExportInitResponse" } } } }, { "type": "object", "properties": { "last_evaluated_key": { "type": "string", "description": "If set, the content of `response` does not contain the entire result set.\nTo fetch the next page of the result set, call the same endpoint\nbut specify this value as the 'page.start' query parameter.", "nullable": true } } } ], "description": "Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`\nvalue (which can the user pass back to use as a url query parameter to continue pagination)." 
} } } }, "PasskeyAssertChallenge": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "allOf": [ { "$ref": "#/components/schemas/ChallengePieces" }, { "type": "object", "required": [ "options" ], "properties": { "options": { "$ref": "#/components/schemas/PublicKeyCredentialRequestOptions" } } } ], "description": "An extended form of `PublicKeyCredentialRequestOptions` that allows clients to derive the WebAuthn challenge\nfrom a structured preimage.\n\nThis ensures that the WebAuthn signature can only be used for a specific purpose." }, { "type": "object", "required": [ "challenge_id" ], "properties": { "challenge_id": { "type": "string", "description": "The id of the challenge. Must be supplied when answering the challenge." } } } ] } } } }, "PendingMessageInfo": { "description": "Extended information about an existing MMI request.", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "description": "This is the payload we should post to MMI [webhook](https://docs.metamask-institutional.io/custodian-integration/integration-docs/transactions/webhooks/#webhook-specification)", "required": [ "metadata" ], "properties": { "metadata": { "$ref": "#/components/schemas/MmiMetadata" }, "signedMessage": { "allOf": [ { "$ref": "#/components/schemas/SignedMessage" } ], "nullable": true }, "transaction": { "allOf": [ { "$ref": "#/components/schemas/TransactionAndStatus" } ], "nullable": true } } }, { "type": "object", "required": [ "id", "identity", "expires_at", "created_at" ], "properties": { "created_at": { "$ref": "#/components/schemas/EpochDateTime" }, "expires_at": { "$ref": "#/components/schemas/EpochDateTime" }, "id": { "type": "string", "description": "The ID of the pending message" }, "identity": { "type": "string", "description": "The identity (a user or a role id) which created this message." 
}, "message_eip191": { "allOf": [ { "type": "object", "required": [ "address", "message" ], "properties": { "address": { "type": "string", "description": "From address, hex-encoded, with leading '0x'", "example": "0x0123456789012345678901234567890123456789", "pattern": "^0x[0-9a-fA-F]{40}$" }, "message": { "type": "string", "description": "Hex-encoded (including a '0x' prefix) message to sign." } } } ], "nullable": true }, "message_eip712": { "allOf": [ { "type": "object", "required": [ "address", "data", "version" ], "properties": { "address": { "type": "string", "description": "From address, hex-encoded, with leading '0x'", "example": "0x0123456789012345678901234567890123456789", "pattern": "^0x[0-9a-fA-F]{40}$" }, "data": { "$ref": "#/components/schemas/TypedData" }, "version": { "type": "string", "enum": [ "v3", "v4" ] } } } ], "nullable": true }, "message_tx": { "allOf": [ { "$ref": "#/components/schemas/TypedTransaction" } ], "nullable": true } } } ], "description": "Extended information about an existing MMI request." 
} } } }, "PendingMessageSignResponse": { "description": "Extended information about an existing MMI message, including the signature.", "content": { "application/json": { "schema": { "allOf": [ { "allOf": [ { "type": "object", "description": "This is the payload we should post to MMI [webhook](https://docs.metamask-institutional.io/custodian-integration/integration-docs/transactions/webhooks/#webhook-specification)", "required": [ "metadata" ], "properties": { "metadata": { "$ref": "#/components/schemas/MmiMetadata" }, "signedMessage": { "allOf": [ { "$ref": "#/components/schemas/SignedMessage" } ], "nullable": true }, "transaction": { "allOf": [ { "$ref": "#/components/schemas/TransactionAndStatus" } ], "nullable": true } } }, { "type": "object", "required": [ "id", "identity", "expires_at", "created_at" ], "properties": { "created_at": { "$ref": "#/components/schemas/EpochDateTime" }, "expires_at": { "$ref": "#/components/schemas/EpochDateTime" }, "id": { "type": "string", "description": "The ID of the pending message" }, "identity": { "type": "string", "description": "The identity (a user or a role id) which created this message." }, "message_eip191": { "allOf": [ { "type": "object", "required": [ "address", "message" ], "properties": { "address": { "type": "string", "description": "From address, hex-encoded, with leading '0x'", "example": "0x0123456789012345678901234567890123456789", "pattern": "^0x[0-9a-fA-F]{40}$" }, "message": { "type": "string", "description": "Hex-encoded (including a '0x' prefix) message to sign." 
} } } ], "nullable": true }, "message_eip712": { "allOf": [ { "type": "object", "required": [ "address", "data", "version" ], "properties": { "address": { "type": "string", "description": "From address, hex-encoded, with leading '0x'", "example": "0x0123456789012345678901234567890123456789", "pattern": "^0x[0-9a-fA-F]{40}$" }, "data": { "$ref": "#/components/schemas/TypedData" }, "version": { "type": "string", "enum": [ "v3", "v4" ] } } } ], "nullable": true }, "message_tx": { "allOf": [ { "$ref": "#/components/schemas/TypedTransaction" } ], "nullable": true } } } ], "description": "Extended information about an existing MMI request." }, { "type": "object" } ], "description": "Extended information about an existing MMI message, including the signature." } } } }, "PolicyInfo": { "description": "A struct containing all the information about a specific version of a policy.", "content": { "application/json": { "schema": { "type": "object", "description": "A struct containing all the information about a specific version of a policy.", "required": [ "policy_id", "rules", "version", "name", "policy_type", "created", "owner", "attached_to" ], "properties": { "attached_to": { "type": "array", "items": { "$ref": "#/components/schemas/PolicyAttachedToId" }, "description": "A list of entities (keys, roles, etc.) the policy is attached to." }, "created": { "$ref": "#/components/schemas/EpochDateTime" }, "edit_policy": { "$ref": "#/components/schemas/EditPolicy" }, "metadata": { "description": "User-defined metadata for the named policy." }, "name": { "type": "string", "description": "The name of the policy." }, "owner": { "$ref": "#/components/schemas/Id" }, "policy_id": { "type": "string", "description": "The policy id" }, "policy_type": { "$ref": "#/components/schemas/PolicyType" }, "rules": { "type": "array", "items": {}, "description": "The policy rule." 
}, "version": { "type": "integer", "format": "int64", "description": "The policy rule's version.", "minimum": 0 } } } } } }, "PolicyResultResponse": { "description": "PolicyResultResponse is a wrapper on PolicyResult with two important\nproperties:\n* derives OkToLogResponse, so that it can be used in the rocket handler.\n* derives ToSchema and ToResponse, with the `val` field with value_type\nObject, so that we don't have to provide all of the OpenAPI type\ndescriptions of a PolicyResult.\n\nThe PolicyResult includes enums and other standard types (e.g.\nstd::time::Interval) which are nontrivial to represent in OpenAPI. Since\nthis endpoint is just for testing, we don't really care about how accurate\nthe schema is, and can lean on serde_json when decoding this response to a\nPolicyResult in a client. Note that there is a bug in utoipa where the\nvalue_type annotation will not work for a tuple-struct, only a struct with\nfields.", "content": { "application/json": { "schema": { "type": "object", "description": "PolicyResultResponse is a wrapper on PolicyResult with two important\nproperties:\n* derives OkToLogResponse, so that it can be used in the rocket handler.\n* derives ToSchema and ToResponse, with the `val` field with value_type\nObject, so that we don't have to provide all of the OpenAPI type\ndescriptions of a PolicyResult.\n\nThe PolicyResult includes enums and other standard types (e.g.\nstd::time::Interval) which are nontrivial to represent in OpenAPI. Since\nthis endpoint is just for testing, we don't really care about how accurate\nthe schema is, and can lean on serde_json when decoding this response to a\nPolicyResult in a client. 
Note that there is a bug in utoipa where the\nvalue_type annotation will not work for a tuple-struct, only a struct with\nfields.", "required": [ "val" ], "properties": { "val": { "type": "object" } } } } } }, "PolicySecretsInfo": { "description": "A struct containing all non-secret information about policy secrets.", "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/CommonFields" }, { "type": "object", "required": [ "names" ], "properties": { "names": { "type": "array", "items": { "type": "string" }, "description": "The names of the secrets.", "uniqueItems": true } } } ], "description": "A struct containing all non-secret information about policy secrets." } } } }, "PsbtSignResponse": { "description": "Response to a PSBT signing request", "content": { "application/json": { "schema": { "type": "object", "description": "Response to a PSBT signing request", "required": [ "psbt" ], "properties": { "psbt": { "type": "string", "description": "The PSBT in standard hex serialization, without leading \"0x\".", "example": "70736274ff01005e..." 
} } } } } }, "PublicOrgInfo": { "description": "Public information about an organization.", "content": { "application/json": { "schema": { "type": "object", "description": "Public information about an organization.", "required": [ "org_id", "passkey_login_enabled", "oidc_issuers" ], "properties": { "oidc_issuers": { "type": "array", "items": { "type": "object", "description": "Information about an explicitly configured (allowlisted) OpenID provider for an org", "required": [ "issuer", "audiences", "users" ], "properties": { "audiences": { "type": "array", "items": { "type": "string" }, "description": "Intended audiences (client IDs)" }, "issuer": { "type": "string", "description": "Issuer URL" }, "nickname": { "type": "string", "description": "Optional issuer nickname", "nullable": true }, "users": { "type": "array", "items": { "$ref": "#/components/schemas/MemberRole" }, "description": "The user roles allowed to use this IDP", "uniqueItems": true } } }, "description": "Explicitly configured (allowlisted) OpenID providers for an org" }, "org_id": { "type": "string", "description": "Org identifier", "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, "passkey_login_enabled": { "type": "boolean", "description": "Whether logging in with just a passkey is allowed" } } } } } }, "QueryMetricsResponse": { "description": "The metric data points.", "content": { "application/json": { "schema": { "type": "object", "description": "The metric data points.", "required": [ "results", "raw_data" ], "properties": { "messages": { "type": "array", "items": { "type": "string" }, "description": "Advisory messages (e.g., if max number of results is reached)." 
}, "period": { "type": "integer", "format": "int64", "description": "The period for which the statistic is computed, if any (not all metrics support splitting the requested time range into bins).\nIf set, it equals the value from the request rounded up to the closest multiple of 60.", "minimum": 0 }, "raw_data": { "type": "array", "items": { "type": "object", "additionalProperties": { "type": "string" } }, "description": "Some metrics can optionally return the raw data, when requested." }, "results": { "type": "array", "items": { "type": "object", "required": [ "dimensions", "data" ], "properties": { "data": { "type": "object", "description": "The data points, one for each time period (time periods for which the value is 0 are omitted).", "additionalProperties": { "type": "number", "format": "double" } }, "dimensions": { "type": "object", "description": "The metric dimensions.", "additionalProperties": { "type": "string" } } } }, "description": "Computed data points." }, "stat": { "allOf": [ { "$ref": "#/components/schemas/OrgMetricStat" } ], "nullable": true } } } } } }, "RoleInfo": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/CommonFields" }, { "type": "object", "required": [ "role_id", "enabled", "restricted_actions", "member" ], "properties": { "enabled": { "type": "boolean", "description": "Whether the role is enabled", "example": "true" }, "keys": { "type": "array", "items": { "$ref": "#/components/schemas/KeyInRoleInfo" }, "description": "Deprecated. The CubeSigner IDs of at most 100 keys associated with this role", "nullable": true }, "member": { "type": "boolean", "description": "Whether the current user is a member of the role. This is always true,\nexcept for owners who can see roles they are not members of." 
}, "name": { "type": "string", "description": "The human-readable name for the role (must be alphanumeric)", "example": "my_role", "nullable": true }, "policy": { "type": "array", "items": { "type": "object" }, "description": "Policy that is checked whenever a key is accessed for signing via this role.", "example": [ { "SourceIpAllowlist": [ "123.456.78.9/16" ] }, { "RequireMfa": { "count": 1 } } ] }, "restricted_actions": { "$ref": "#/components/schemas/RestrictedActionsMap" }, "role_id": { "type": "string", "description": "The ID of the role", "example": "Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b" }, "users": { "type": "array", "items": { "type": "string" }, "description": "Deprecated. The list of at most 100 users with access to the role.", "nullable": true } } } ] } } } }, "SessionInfo": { "description": "", "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/SessionMetadata" }, { "type": "object", "required": [ "session_id", "purpose", "exp", "created_at" ], "properties": { "created_at": { "type": "integer", "format": "int64", "description": "Creation date (in seconds since unix epoch)", "minimum": 0 }, "exp": { "type": "integer", "format": "int64", "description": "Expiration date (in seconds since unix epoch)", "minimum": 0 }, "last_used": { "allOf": [ { "$ref": "#/components/schemas/WhereAndWhen" } ], "nullable": true }, "lifetimes": { "$ref": "#/components/schemas/RatchetConfig" }, "purpose": { "type": "string", "description": "A human-readable description for the session", "example": "OIDC login session" }, "scopes": { "type": "array", "items": { "$ref": "#/components/schemas/Scope" }, "description": "Lists user permission and access for the session", "example": [ "sign:*", "manage:mfa:vote:cs" ] }, "session_id": { "type": "string", "description": "Session ID. 
Uniquely identifies the session, but cannot be used for auth.", "example": "77aad2100c361f497635dd005c4d15781e2e5df4b9f45d8e74f37425cbc30b9e" } } } ] } } } }, "SessionsResponse": { "description": "The response from any operation operating on multiple sessions", "content": { "application/json": { "schema": { "type": "object", "description": "The response from any operation operating on multiple sessions", "required": [ "sessions" ], "properties": { "sessions": { "type": "array", "items": { "$ref": "#/components/schemas/SessionInfo" }, "description": "The list of sessions" } } } } } }, "SignResponse": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "signature" ], "properties": { "signature": { "type": "string", "description": "The hex-encoded resulting signature." } } } } } }, "SiweCompleteResponse": { "description": "Returned upon a successful SIWE authentication.", "content": { "application/json": { "schema": { "type": "object", "description": "Returned upon a successful SIWE authentication.", "required": [ "id_token" ], "properties": { "id_token": { "type": "string", "description": "The OIDC token corresponding to the user with the requested SIWE identity." 
} } } } } }, "SiweInitResponse": { "description": "A challenge returned in response to a Sign-In with Ethereum request.\n\nContains a message that the client must sign following EIP-191\nwith the requested key in order to complete authentication.\n\nThe client has until the message expires (but no more than 5 minutes) to complete the challenge.", "content": { "application/json": { "schema": { "type": "object", "description": "A challenge returned in response to a Sign-In with Ethereum request.\n\nContains a message that the client must sign following EIP-191\nwith the requested key in order to complete authentication.\n\nThe client has until the message expires (but no more than 5 minutes) to complete the challenge.", "required": [ "challenge_id", "message" ], "properties": { "challenge_id": { "type": "string", "description": "The ID of the challenge (to include in the request when calling the PATCH ('complete') endpoint)" }, "message": { "type": "string", "description": "The message to sign following the EIP-191 standard." 
} } } } } }, "StakeResponse": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "deposit_tx", "created_validator_key_id" ], "properties": { "created_validator_key_id": { "type": "string", "description": "The validator key id (\"Key#...\")", "example": "Key#db1731f8-3659-45c0-885b-e11e1f5b7be2" }, "deposit_tx": { "$ref": "#/components/schemas/DepositTxn" } } } } } }, "TelegramAuthResponse": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "id_token" ], "properties": { "id_token": { "type": "string", "description": "The OIDC token corresponding to this telegram user" } } } } } }, "TokenResponse": { "description": "OAuth2 standard Token Response.\n\nhttps://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2", "content": { "application/json": { "schema": { "allOf": [ { "type": "object", "description": "OAuth2 standard Token Response.\n\nhttps://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2", "required": [ "access_token", "token_type", "expires_in" ], "properties": { "access_token": { "type": "string", "description": "The access token issued by the authorization server." }, "expires_in": { "$ref": "#/components/schemas/Seconds" }, "id_token": { "type": "string", "description": "An OIDC token issued by Cubist, containing user information", "nullable": true }, "refresh_token": { "type": "string", "description": "The refresh token issued by the authorization server.", "nullable": true }, "token_type": { "type": "string", "description": "The type of the token issued. Value is case insensitive." 
} }, "additionalProperties": { "description": "We don't inspect all values in the token response but we hold onto them\nto forward to the client" } }, { "type": "object" } ], "description": "OAuth2 standard Token Response.\n\nhttps://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2" } } } }, "TotpInfo": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "totp_id", "totp_url" ], "properties": { "totp_id": { "type": "string", "description": "The ID of the TOTP challenge.", "example": "TotpChallenge#7892ebba-563e-485b-bb7d-e26267363286" }, "totp_url": { "type": "string", "description": "Standard TOTP url which includes everything needed to initialize TOTP.", "example": "otpauth://totp/Cubist:alice-%40example.com?secret=DAHF7KCOTQWSOMK4XFEMNHXO4J433OD7&issuer=Cubist" } } } } } }, "UnstakeResponse": { "description": "Unstake responses are signed voluntary exit messages.\nThe schema for this message is defined\n[here](https://github.com/ethereum/consensus-specs/blob/v1.0.1/specs/phase0/beacon-chain.md#signedvoluntaryexit).\nThis message can be directly POSTed to the Beacon node's\n`/eth/v1/beacon/pool/voluntary_exits` end-point (see expected schema\n[here](https://ethereum.github.io/beacon-APIs/#/Beacon/submitPoolVoluntaryExit)).", "content": { "application/json": { "schema": { "type": "object", "description": "Unstake responses are signed voluntary exit messages.\nThe schema for this message is defined\n[here](https://github.com/ethereum/consensus-specs/blob/v1.0.1/specs/phase0/beacon-chain.md#signedvoluntaryexit).\nThis message can be directly POSTed to the Beacon node's\n`/eth/v1/beacon/pool/voluntary_exits` end-point (see expected schema\n[here](https://ethereum.github.io/beacon-APIs/#/Beacon/submitPoolVoluntaryExit)).", "required": [ "message", "signature" ], "properties": { "message": { "$ref": "#/components/schemas/VoluntaryExit" }, "signature": { "type": "string", "description": "BLS signature.", "example": 
"0x910c7cd537ed91cc8c4a82f3cbd832e9be8c24a22e9c86df479f7ce42025ea6a09619b418b666a060e260d2aae31b8e50e9d05ca3442c7eed3b507e5207e14674275f68c2ba84c4bf6b8dd364a304acac8cfab3681e2514b4400f9242bc61164" } } } } } }, "UpdateOrgResponse": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "org_id" ], "properties": { "alien_login_requirement": { "allOf": [ { "$ref": "#/components/schemas/SecondFactorRequirement" } ], "nullable": true }, "allowed_mfa_types": { "type": "object", "description": "MFA types that are allowed to be used for implicitly security-sensitive\noperations (like logging in, adding an MFA factor, exporting keys, etc.).", "additionalProperties": { "type": "array", "items": { "$ref": "#/components/schemas/MfaType" }, "uniqueItems": true }, "nullable": true }, "default_invite_kind": { "allOf": [ { "$ref": "#/components/schemas/InviteKind" } ], "nullable": true }, "email_preferences": { "allOf": [ { "$ref": "#/components/schemas/EmailPreferences" } ], "nullable": true }, "enabled": { "type": "boolean", "description": "The new value of the 'enabled' property", "nullable": true }, "historical_data_configuration": { "allOf": [ { "$ref": "#/components/schemas/HistoricalDataConfiguration" } ], "nullable": true }, "idp_configuration": { "allOf": [ { "$ref": "#/components/schemas/IdpConfig" } ], "nullable": true }, "member_login_requirement": { "allOf": [ { "$ref": "#/components/schemas/SecondFactorRequirement" } ], "nullable": true }, "name": { "type": "string", "description": "The new human-readable name for the org (must be alphanumeric)", "example": "my_org_name", "nullable": true }, "notification_endpoints": { "type": "array", "items": { "$ref": "#/components/schemas/NotificationEndpointConfiguration" }, "description": "The new notification endpoint configurations", "example": [ { "url": "https://example.com/endpoint" } ], "nullable": true }, "org_id": { "type": "string", "description": "The ID of the 
organization", "example": "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" }, "passkey_configuration": { "allOf": [ { "$ref": "#/components/schemas/PasskeyConfig" } ], "nullable": true }, "policy": { "type": "array", "items": { "type": "object" }, "description": "The new value of org-wide policies", "example": [ { "MaxDailyUnstake": 5 }, { "OriginAllowlist": [ "https://example.com" ] } ], "nullable": true }, "policy_engine_configuration": { "allOf": [ { "$ref": "#/components/schemas/PolicyEngineConfiguration" } ], "nullable": true }, "require_scope_ceiling": { "type": "boolean", "description": "The new value of require_scope_ceiling", "nullable": true }, "totp_failure_limit": { "type": "integer", "format": "int32", "description": "The new value of the TOTP failure limit", "nullable": true, "minimum": 0 }, "user_export_delay": { "type": "integer", "format": "int64", "description": "The new value of user-export delay", "nullable": true, "minimum": 0 }, "user_export_disabled": { "type": "boolean", "description": "The new value of user-export disabled", "nullable": true }, "user_export_window": { "type": "integer", "format": "int64", "description": "The new value of user-export window", "nullable": true, "minimum": 0 } } } } } }, "UploadWasmPolicyResponse": { "description": "The response to a request for uploading a wasm policy", "content": { "application/json": { "schema": { "type": "object", "description": "The response to a request for uploading a wasm policy", "required": [ "signed_url" ], "properties": { "signed_url": { "type": "string", "description": "A signed URL for uploading the requested wasm policy." 
} } } } } }, "UserExportCompleteResponse": { "description": "An encrypted user-export", "content": { "application/json": { "schema": { "type": "object", "description": "An encrypted user-export", "required": [ "encrypted_key_material", "ephemeral_public_key", "user_id" ], "properties": { "encrypted_key_material": { "type": "string", "description": "The exported key material, encrypted with AES-256-GCM under a key\nderived from the public key supplied in the request via HPKE (RFC9180)\nwith DHKEM(P-256, HKDF-SHA256) and base64 encoded." }, "ephemeral_public_key": { "type": "string", "description": "The ephemeral public key used for HPKE key derivation as base64-encoded\nuncompressed SEC1 serialization." }, "user_id": { "type": "string", "description": "The user-id to which this key belongs." } } } } } }, "UserExportInitResponse": { "description": "The response to a successful user-export init request", "content": { "application/json": { "schema": { "allOf": [ { "$ref": "#/components/schemas/UserExportRequest" }, { "type": "object", "required": [ "key_id" ], "properties": { "key_id": { "type": "string", "description": "The key-id being requested.", "example": "Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8" } } } ], "description": "The response to a successful user-export init request" } } } }, "UserInOrgInfo": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "id", "membership", "status" ], "properties": { "email": { "type": "string", "description": "The user's email (optional)", "example": "alice@example.com", "nullable": true }, "id": { "type": "string", "description": "The id of the user", "example": "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f" }, "initialized": { "type": "boolean", "description": "Whether the user has ever successfully logged in" }, "membership": { "$ref": "#/components/schemas/MemberRole" }, "name": { "type": "string", "description": "Optional user name.", "nullable": true }, "status": { "$ref": 
"#/components/schemas/MembershipStatus" }, "verified_email": { "allOf": [ { "$ref": "#/components/schemas/VerifiedEmail" } ], "nullable": true } } } } } }, "UserInfo": { "description": "", "content": { "application/json": { "schema": { "type": "object", "required": [ "user_id", "org_ids", "orgs", "mfa" ], "properties": { "email": { "type": "string", "description": "Optional email", "example": "alice@example.com", "nullable": true }, "mfa": { "type": "array", "items": { "$ref": "#/components/schemas/ConfiguredMfa" }, "description": "All multi-factor authentication methods configured for this user" }, "mfa_policy": { "allOf": [ { "$ref": "#/components/schemas/MfaPolicy" } ], "nullable": true }, "name": { "type": "string", "description": "Optional name", "example": "Alice", "nullable": true }, "org_ids": { "type": "array", "items": { "type": "string" }, "description": "All organizations the user belongs to. Deprecated in favor of 'orgs'.", "deprecated": true, "example": [ "Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a" ] }, "orgs": { "type": "array", "items": { "$ref": "#/components/schemas/UserInOrgMembership" }, "description": "All organizations the user belongs to, including the membership role in each." 
}, "user_id": { "type": "string", "description": "The id of the currently logged in user", "example": "User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f" }, "verified_email": { "allOf": [ { "$ref": "#/components/schemas/VerifiedEmail" } ], "nullable": true } } } } } }, "UserOrgsResponse": { "description": "The response to the user/orgs endpoint", "content": { "application/json": { "schema": { "type": "object", "description": "The response to the user/orgs endpoint", "required": [ "orgs" ], "properties": { "orgs": { "type": "array", "items": { "$ref": "#/components/schemas/OrgData" }, "description": "The list of orgs this user is a member of" } } } } } } }, "securitySchemes": { "Oidc": { "type": "apiKey", "in": "header", "name": "Authorization", "description": "OIDC tokens allow users to authenticate using a third-party service. These are exchanged for signer session tokens." }, "SignerAuth": { "type": "apiKey", "in": "header", "name": "Authorization", "description": "Signing API end-points use session tokens for auth. Specifically, with each request you need to use the `token` from your signer session (which you create with `cs token create`)." } } }, "security": [ { "Cognito": [] } ] }