admin '/secrets/access' endpoints (#983)

2025-06-26 12:42:18 +02:00 · 2025-06-17 11:26:11 -04:00 · 2025-06-17 11:26:11 -04:00 · a251aee960
commit a251aee960
parent 5680b7cfd3
34 changed files with 3158 additions and 0 deletions
--- a/rest_client_zrok/admin/add_secrets_access_parameters.go
+++ b/rest_client_zrok/admin/add_secrets_access_parameters.go
@ -0,0 +1,146 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewAddSecretsAccessParams creates a new AddSecretsAccessParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewAddSecretsAccessParams() *AddSecretsAccessParams {
+	return &AddSecretsAccessParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewAddSecretsAccessParamsWithTimeout creates a new AddSecretsAccessParams object
+// with the ability to set a timeout on a request.
+func NewAddSecretsAccessParamsWithTimeout(timeout time.Duration) *AddSecretsAccessParams {
+	return &AddSecretsAccessParams{
+		timeout: timeout,
+	}
+}
+
+// NewAddSecretsAccessParamsWithContext creates a new AddSecretsAccessParams object
+// with the ability to set a context for a request.
+func NewAddSecretsAccessParamsWithContext(ctx context.Context) *AddSecretsAccessParams {
+	return &AddSecretsAccessParams{
+		Context: ctx,
+	}
+}
+
+// NewAddSecretsAccessParamsWithHTTPClient creates a new AddSecretsAccessParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewAddSecretsAccessParamsWithHTTPClient(client *http.Client) *AddSecretsAccessParams {
+	return &AddSecretsAccessParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+AddSecretsAccessParams contains all the parameters to send to the API endpoint
+
+	for the add secrets access operation.
+
+	Typically these are written to a http.Request.
+*/
+type AddSecretsAccessParams struct {
+
+	// Body.
+	Body AddSecretsAccessBody
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the add secrets access params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *AddSecretsAccessParams) WithDefaults() *AddSecretsAccessParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the add secrets access params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *AddSecretsAccessParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the add secrets access params
+func (o *AddSecretsAccessParams) WithTimeout(timeout time.Duration) *AddSecretsAccessParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the add secrets access params
+func (o *AddSecretsAccessParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the add secrets access params
+func (o *AddSecretsAccessParams) WithContext(ctx context.Context) *AddSecretsAccessParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the add secrets access params
+func (o *AddSecretsAccessParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the add secrets access params
+func (o *AddSecretsAccessParams) WithHTTPClient(client *http.Client) *AddSecretsAccessParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the add secrets access params
+func (o *AddSecretsAccessParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the add secrets access params
+func (o *AddSecretsAccessParams) WithBody(body AddSecretsAccessBody) *AddSecretsAccessParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the add secrets access params
+func (o *AddSecretsAccessParams) SetBody(body AddSecretsAccessBody) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *AddSecretsAccessParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/rest_client_zrok/admin/add_secrets_access_responses.go
+++ b/rest_client_zrok/admin/add_secrets_access_responses.go
@ -0,0 +1,314 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// AddSecretsAccessReader is a Reader for the AddSecretsAccess structure.
+type AddSecretsAccessReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *AddSecretsAccessReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewAddSecretsAccessOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 400:
+		result := NewAddSecretsAccessBadRequest()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 401:
+		result := NewAddSecretsAccessUnauthorized()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 500:
+		result := NewAddSecretsAccessInternalServerError()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[POST /secrets/access] addSecretsAccess", response, response.Code())
+	}
+}
+
+// NewAddSecretsAccessOK creates a AddSecretsAccessOK with default headers values
+func NewAddSecretsAccessOK() *AddSecretsAccessOK {
+	return &AddSecretsAccessOK{}
+}
+
+/*
+AddSecretsAccessOK describes a response with status code 200, with default header values.
+
+ok
+*/
+type AddSecretsAccessOK struct {
+}
+
+// IsSuccess returns true when this add secrets access o k response has a 2xx status code
+func (o *AddSecretsAccessOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this add secrets access o k response has a 3xx status code
+func (o *AddSecretsAccessOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this add secrets access o k response has a 4xx status code
+func (o *AddSecretsAccessOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this add secrets access o k response has a 5xx status code
+func (o *AddSecretsAccessOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this add secrets access o k response a status code equal to that given
+func (o *AddSecretsAccessOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the add secrets access o k response
+func (o *AddSecretsAccessOK) Code() int {
+	return 200
+}
+
+func (o *AddSecretsAccessOK) Error() string {
+	return fmt.Sprintf("[POST /secrets/access][%d] addSecretsAccessOK ", 200)
+}
+
+func (o *AddSecretsAccessOK) String() string {
+	return fmt.Sprintf("[POST /secrets/access][%d] addSecretsAccessOK ", 200)
+}
+
+func (o *AddSecretsAccessOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewAddSecretsAccessBadRequest creates a AddSecretsAccessBadRequest with default headers values
+func NewAddSecretsAccessBadRequest() *AddSecretsAccessBadRequest {
+	return &AddSecretsAccessBadRequest{}
+}
+
+/*
+AddSecretsAccessBadRequest describes a response with status code 400, with default header values.
+
+access not added
+*/
+type AddSecretsAccessBadRequest struct {
+}
+
+// IsSuccess returns true when this add secrets access bad request response has a 2xx status code
+func (o *AddSecretsAccessBadRequest) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this add secrets access bad request response has a 3xx status code
+func (o *AddSecretsAccessBadRequest) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this add secrets access bad request response has a 4xx status code
+func (o *AddSecretsAccessBadRequest) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this add secrets access bad request response has a 5xx status code
+func (o *AddSecretsAccessBadRequest) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this add secrets access bad request response a status code equal to that given
+func (o *AddSecretsAccessBadRequest) IsCode(code int) bool {
+	return code == 400
+}
+
+// Code gets the status code for the add secrets access bad request response
+func (o *AddSecretsAccessBadRequest) Code() int {
+	return 400
+}
+
+func (o *AddSecretsAccessBadRequest) Error() string {
+	return fmt.Sprintf("[POST /secrets/access][%d] addSecretsAccessBadRequest ", 400)
+}
+
+func (o *AddSecretsAccessBadRequest) String() string {
+	return fmt.Sprintf("[POST /secrets/access][%d] addSecretsAccessBadRequest ", 400)
+}
+
+func (o *AddSecretsAccessBadRequest) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewAddSecretsAccessUnauthorized creates a AddSecretsAccessUnauthorized with default headers values
+func NewAddSecretsAccessUnauthorized() *AddSecretsAccessUnauthorized {
+	return &AddSecretsAccessUnauthorized{}
+}
+
+/*
+AddSecretsAccessUnauthorized describes a response with status code 401, with default header values.
+
+unauthorized
+*/
+type AddSecretsAccessUnauthorized struct {
+}
+
+// IsSuccess returns true when this add secrets access unauthorized response has a 2xx status code
+func (o *AddSecretsAccessUnauthorized) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this add secrets access unauthorized response has a 3xx status code
+func (o *AddSecretsAccessUnauthorized) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this add secrets access unauthorized response has a 4xx status code
+func (o *AddSecretsAccessUnauthorized) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this add secrets access unauthorized response has a 5xx status code
+func (o *AddSecretsAccessUnauthorized) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this add secrets access unauthorized response a status code equal to that given
+func (o *AddSecretsAccessUnauthorized) IsCode(code int) bool {
+	return code == 401
+}
+
+// Code gets the status code for the add secrets access unauthorized response
+func (o *AddSecretsAccessUnauthorized) Code() int {
+	return 401
+}
+
+func (o *AddSecretsAccessUnauthorized) Error() string {
+	return fmt.Sprintf("[POST /secrets/access][%d] addSecretsAccessUnauthorized ", 401)
+}
+
+func (o *AddSecretsAccessUnauthorized) String() string {
+	return fmt.Sprintf("[POST /secrets/access][%d] addSecretsAccessUnauthorized ", 401)
+}
+
+func (o *AddSecretsAccessUnauthorized) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewAddSecretsAccessInternalServerError creates a AddSecretsAccessInternalServerError with default headers values
+func NewAddSecretsAccessInternalServerError() *AddSecretsAccessInternalServerError {
+	return &AddSecretsAccessInternalServerError{}
+}
+
+/*
+AddSecretsAccessInternalServerError describes a response with status code 500, with default header values.
+
+internal server error
+*/
+type AddSecretsAccessInternalServerError struct {
+}
+
+// IsSuccess returns true when this add secrets access internal server error response has a 2xx status code
+func (o *AddSecretsAccessInternalServerError) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this add secrets access internal server error response has a 3xx status code
+func (o *AddSecretsAccessInternalServerError) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this add secrets access internal server error response has a 4xx status code
+func (o *AddSecretsAccessInternalServerError) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this add secrets access internal server error response has a 5xx status code
+func (o *AddSecretsAccessInternalServerError) IsServerError() bool {
+	return true
+}
+
+// IsCode returns true when this add secrets access internal server error response a status code equal to that given
+func (o *AddSecretsAccessInternalServerError) IsCode(code int) bool {
+	return code == 500
+}
+
+// Code gets the status code for the add secrets access internal server error response
+func (o *AddSecretsAccessInternalServerError) Code() int {
+	return 500
+}
+
+func (o *AddSecretsAccessInternalServerError) Error() string {
+	return fmt.Sprintf("[POST /secrets/access][%d] addSecretsAccessInternalServerError ", 500)
+}
+
+func (o *AddSecretsAccessInternalServerError) String() string {
+	return fmt.Sprintf("[POST /secrets/access][%d] addSecretsAccessInternalServerError ", 500)
+}
+
+func (o *AddSecretsAccessInternalServerError) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+/*
+AddSecretsAccessBody add secrets access body
+swagger:model AddSecretsAccessBody
+*/
+type AddSecretsAccessBody struct {
+
+	// secrets identity z Id
+	SecretsIdentityZID string `json:"secretsIdentityZId,omitempty"`
+}
+
+// Validate validates this add secrets access body
+func (o *AddSecretsAccessBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this add secrets access body based on context it is used
+func (o *AddSecretsAccessBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *AddSecretsAccessBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *AddSecretsAccessBody) UnmarshalBinary(b []byte) error {
+	var res AddSecretsAccessBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}
--- a/rest_client_zrok/admin/admin_client.go
+++ b/rest_client_zrok/admin/admin_client.go
@ -32,6 +32,8 @@ type ClientOption func(*runtime.ClientOperation)
 type ClientService interface {
 	AddOrganizationMember(params *AddOrganizationMemberParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*AddOrganizationMemberCreated, error)

+	AddSecretsAccess(params *AddSecretsAccessParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*AddSecretsAccessOK, error)
+
 	CreateAccount(params *CreateAccountParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateAccountCreated, error)

 	CreateFrontend(params *CreateFrontendParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateFrontendCreated, error)
@ -44,6 +46,8 @@ type ClientService interface {

 	DeleteOrganization(params *DeleteOrganizationParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteOrganizationOK, error)

+	DeleteSecretsAccess(params *DeleteSecretsAccessParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteSecretsAccessOK, error)
+
 	Grants(params *GrantsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*GrantsOK, error)

 	InviteTokenGenerate(params *InviteTokenGenerateParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*InviteTokenGenerateCreated, error)
@ -100,6 +104,45 @@ func (a *Client) AddOrganizationMember(params *AddOrganizationMemberParams, auth
 	panic(msg)
 }

+/*
+AddSecretsAccess add secrets access API
+*/
+func (a *Client) AddSecretsAccess(params *AddSecretsAccessParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*AddSecretsAccessOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewAddSecretsAccessParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "addSecretsAccess",
+		Method:             "POST",
+		PathPattern:        "/secrets/access",
+		ProducesMediaTypes: []string{"application/zrok.v1+json"},
+		ConsumesMediaTypes: []string{"application/zrok.v1+json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &AddSecretsAccessReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*AddSecretsAccessOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for addSecretsAccess: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
 /*
 CreateAccount create account API
 */
@ -334,6 +377,45 @@ func (a *Client) DeleteOrganization(params *DeleteOrganizationParams, authInfo r
 	panic(msg)
 }

+/*
+DeleteSecretsAccess delete secrets access API
+*/
+func (a *Client) DeleteSecretsAccess(params *DeleteSecretsAccessParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteSecretsAccessOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewDeleteSecretsAccessParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "deleteSecretsAccess",
+		Method:             "DELETE",
+		PathPattern:        "/secrets/access",
+		ProducesMediaTypes: []string{"application/zrok.v1+json"},
+		ConsumesMediaTypes: []string{"application/zrok.v1+json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &DeleteSecretsAccessReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*DeleteSecretsAccessOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for deleteSecretsAccess: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
 /*
 Grants grants API
 */
--- a/rest_client_zrok/admin/delete_secrets_access_parameters.go
+++ b/rest_client_zrok/admin/delete_secrets_access_parameters.go
@ -0,0 +1,146 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewDeleteSecretsAccessParams creates a new DeleteSecretsAccessParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewDeleteSecretsAccessParams() *DeleteSecretsAccessParams {
+	return &DeleteSecretsAccessParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewDeleteSecretsAccessParamsWithTimeout creates a new DeleteSecretsAccessParams object
+// with the ability to set a timeout on a request.
+func NewDeleteSecretsAccessParamsWithTimeout(timeout time.Duration) *DeleteSecretsAccessParams {
+	return &DeleteSecretsAccessParams{
+		timeout: timeout,
+	}
+}
+
+// NewDeleteSecretsAccessParamsWithContext creates a new DeleteSecretsAccessParams object
+// with the ability to set a context for a request.
+func NewDeleteSecretsAccessParamsWithContext(ctx context.Context) *DeleteSecretsAccessParams {
+	return &DeleteSecretsAccessParams{
+		Context: ctx,
+	}
+}
+
+// NewDeleteSecretsAccessParamsWithHTTPClient creates a new DeleteSecretsAccessParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewDeleteSecretsAccessParamsWithHTTPClient(client *http.Client) *DeleteSecretsAccessParams {
+	return &DeleteSecretsAccessParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+DeleteSecretsAccessParams contains all the parameters to send to the API endpoint
+
+	for the delete secrets access operation.
+
+	Typically these are written to a http.Request.
+*/
+type DeleteSecretsAccessParams struct {
+
+	// Body.
+	Body DeleteSecretsAccessBody
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the delete secrets access params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteSecretsAccessParams) WithDefaults() *DeleteSecretsAccessParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the delete secrets access params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteSecretsAccessParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the delete secrets access params
+func (o *DeleteSecretsAccessParams) WithTimeout(timeout time.Duration) *DeleteSecretsAccessParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the delete secrets access params
+func (o *DeleteSecretsAccessParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the delete secrets access params
+func (o *DeleteSecretsAccessParams) WithContext(ctx context.Context) *DeleteSecretsAccessParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the delete secrets access params
+func (o *DeleteSecretsAccessParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the delete secrets access params
+func (o *DeleteSecretsAccessParams) WithHTTPClient(client *http.Client) *DeleteSecretsAccessParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the delete secrets access params
+func (o *DeleteSecretsAccessParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the delete secrets access params
+func (o *DeleteSecretsAccessParams) WithBody(body DeleteSecretsAccessBody) *DeleteSecretsAccessParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the delete secrets access params
+func (o *DeleteSecretsAccessParams) SetBody(body DeleteSecretsAccessBody) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *DeleteSecretsAccessParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/rest_client_zrok/admin/delete_secrets_access_responses.go
+++ b/rest_client_zrok/admin/delete_secrets_access_responses.go
@ -0,0 +1,314 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// DeleteSecretsAccessReader is a Reader for the DeleteSecretsAccess structure.
+type DeleteSecretsAccessReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *DeleteSecretsAccessReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewDeleteSecretsAccessOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 400:
+		result := NewDeleteSecretsAccessBadRequest()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 401:
+		result := NewDeleteSecretsAccessUnauthorized()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 500:
+		result := NewDeleteSecretsAccessInternalServerError()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[DELETE /secrets/access] deleteSecretsAccess", response, response.Code())
+	}
+}
+
+// NewDeleteSecretsAccessOK creates a DeleteSecretsAccessOK with default headers values
+func NewDeleteSecretsAccessOK() *DeleteSecretsAccessOK {
+	return &DeleteSecretsAccessOK{}
+}
+
+/*
+DeleteSecretsAccessOK describes a response with status code 200, with default header values.
+
+ok
+*/
+type DeleteSecretsAccessOK struct {
+}
+
+// IsSuccess returns true when this delete secrets access o k response has a 2xx status code
+func (o *DeleteSecretsAccessOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this delete secrets access o k response has a 3xx status code
+func (o *DeleteSecretsAccessOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete secrets access o k response has a 4xx status code
+func (o *DeleteSecretsAccessOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this delete secrets access o k response has a 5xx status code
+func (o *DeleteSecretsAccessOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this delete secrets access o k response a status code equal to that given
+func (o *DeleteSecretsAccessOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the delete secrets access o k response
+func (o *DeleteSecretsAccessOK) Code() int {
+	return 200
+}
+
+func (o *DeleteSecretsAccessOK) Error() string {
+	return fmt.Sprintf("[DELETE /secrets/access][%d] deleteSecretsAccessOK ", 200)
+}
+
+func (o *DeleteSecretsAccessOK) String() string {
+	return fmt.Sprintf("[DELETE /secrets/access][%d] deleteSecretsAccessOK ", 200)
+}
+
+func (o *DeleteSecretsAccessOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewDeleteSecretsAccessBadRequest creates a DeleteSecretsAccessBadRequest with default headers values
+func NewDeleteSecretsAccessBadRequest() *DeleteSecretsAccessBadRequest {
+	return &DeleteSecretsAccessBadRequest{}
+}
+
+/*
+DeleteSecretsAccessBadRequest describes a response with status code 400, with default header values.
+
+access not removed
+*/
+type DeleteSecretsAccessBadRequest struct {
+}
+
+// IsSuccess returns true when this delete secrets access bad request response has a 2xx status code
+func (o *DeleteSecretsAccessBadRequest) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this delete secrets access bad request response has a 3xx status code
+func (o *DeleteSecretsAccessBadRequest) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete secrets access bad request response has a 4xx status code
+func (o *DeleteSecretsAccessBadRequest) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this delete secrets access bad request response has a 5xx status code
+func (o *DeleteSecretsAccessBadRequest) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this delete secrets access bad request response a status code equal to that given
+func (o *DeleteSecretsAccessBadRequest) IsCode(code int) bool {
+	return code == 400
+}
+
+// Code gets the status code for the delete secrets access bad request response
+func (o *DeleteSecretsAccessBadRequest) Code() int {
+	return 400
+}
+
+func (o *DeleteSecretsAccessBadRequest) Error() string {
+	return fmt.Sprintf("[DELETE /secrets/access][%d] deleteSecretsAccessBadRequest ", 400)
+}
+
+func (o *DeleteSecretsAccessBadRequest) String() string {
+	return fmt.Sprintf("[DELETE /secrets/access][%d] deleteSecretsAccessBadRequest ", 400)
+}
+
+func (o *DeleteSecretsAccessBadRequest) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewDeleteSecretsAccessUnauthorized creates a DeleteSecretsAccessUnauthorized with default headers values
+func NewDeleteSecretsAccessUnauthorized() *DeleteSecretsAccessUnauthorized {
+	return &DeleteSecretsAccessUnauthorized{}
+}
+
+/*
+DeleteSecretsAccessUnauthorized describes a response with status code 401, with default header values.
+
+unauthorized
+*/
+type DeleteSecretsAccessUnauthorized struct {
+}
+
+// IsSuccess returns true when this delete secrets access unauthorized response has a 2xx status code
+func (o *DeleteSecretsAccessUnauthorized) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this delete secrets access unauthorized response has a 3xx status code
+func (o *DeleteSecretsAccessUnauthorized) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete secrets access unauthorized response has a 4xx status code
+func (o *DeleteSecretsAccessUnauthorized) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this delete secrets access unauthorized response has a 5xx status code
+func (o *DeleteSecretsAccessUnauthorized) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this delete secrets access unauthorized response a status code equal to that given
+func (o *DeleteSecretsAccessUnauthorized) IsCode(code int) bool {
+	return code == 401
+}
+
+// Code gets the status code for the delete secrets access unauthorized response
+func (o *DeleteSecretsAccessUnauthorized) Code() int {
+	return 401
+}
+
+func (o *DeleteSecretsAccessUnauthorized) Error() string {
+	return fmt.Sprintf("[DELETE /secrets/access][%d] deleteSecretsAccessUnauthorized ", 401)
+}
+
+func (o *DeleteSecretsAccessUnauthorized) String() string {
+	return fmt.Sprintf("[DELETE /secrets/access][%d] deleteSecretsAccessUnauthorized ", 401)
+}
+
+func (o *DeleteSecretsAccessUnauthorized) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewDeleteSecretsAccessInternalServerError creates a DeleteSecretsAccessInternalServerError with default headers values
+func NewDeleteSecretsAccessInternalServerError() *DeleteSecretsAccessInternalServerError {
+	return &DeleteSecretsAccessInternalServerError{}
+}
+
+/*
+DeleteSecretsAccessInternalServerError describes a response with status code 500, with default header values.
+
+internal server error
+*/
+type DeleteSecretsAccessInternalServerError struct {
+}
+
+// IsSuccess returns true when this delete secrets access internal server error response has a 2xx status code
+func (o *DeleteSecretsAccessInternalServerError) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this delete secrets access internal server error response has a 3xx status code
+func (o *DeleteSecretsAccessInternalServerError) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete secrets access internal server error response has a 4xx status code
+func (o *DeleteSecretsAccessInternalServerError) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this delete secrets access internal server error response has a 5xx status code
+func (o *DeleteSecretsAccessInternalServerError) IsServerError() bool {
+	return true
+}
+
+// IsCode returns true when this delete secrets access internal server error response a status code equal to that given
+func (o *DeleteSecretsAccessInternalServerError) IsCode(code int) bool {
+	return code == 500
+}
+
+// Code gets the status code for the delete secrets access internal server error response
+func (o *DeleteSecretsAccessInternalServerError) Code() int {
+	return 500
+}
+
+func (o *DeleteSecretsAccessInternalServerError) Error() string {
+	return fmt.Sprintf("[DELETE /secrets/access][%d] deleteSecretsAccessInternalServerError ", 500)
+}
+
+func (o *DeleteSecretsAccessInternalServerError) String() string {
+	return fmt.Sprintf("[DELETE /secrets/access][%d] deleteSecretsAccessInternalServerError ", 500)
+}
+
+func (o *DeleteSecretsAccessInternalServerError) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+/*
+DeleteSecretsAccessBody delete secrets access body
+swagger:model DeleteSecretsAccessBody
+*/
+type DeleteSecretsAccessBody struct {
+
+	// secrets identity z Id
+	SecretsIdentityZID string `json:"secretsIdentityZId,omitempty"`
+}
+
+// Validate validates this delete secrets access body
+func (o *DeleteSecretsAccessBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this delete secrets access body based on context it is used
+func (o *DeleteSecretsAccessBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *DeleteSecretsAccessBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *DeleteSecretsAccessBody) UnmarshalBinary(b []byte) error {
+	var res DeleteSecretsAccessBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}
--- a/rest_server_zrok/embedded_spec.go
+++ b/rest_server_zrok/embedded_spec.go
@ -2143,6 +2143,84 @@ func init() {
        }
      }
    },
+    "/secrets/access": {
+      "post": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "addSecretsAccess",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "properties": {
+                "secretsIdentityZId": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "400": {
+            "description": "access not added"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      },
+      "delete": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "deleteSecretsAccess",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "properties": {
+                "secretsIdentityZId": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "400": {
+            "description": "access not removed"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      }
+    },
    "/share": {
      "post": {
        "security": [
@ -4873,6 +4951,84 @@ func init() {
        }
      }
    },
+    "/secrets/access": {
+      "post": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "addSecretsAccess",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "properties": {
+                "secretsIdentityZId": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "400": {
+            "description": "access not added"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      },
+      "delete": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "deleteSecretsAccess",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "properties": {
+                "secretsIdentityZId": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "400": {
+            "description": "access not removed"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      }
+    },
    "/share": {
      "post": {
        "security": [
--- a/rest_server_zrok/operations/admin/add_secrets_access.go
+++ b/rest_server_zrok/operations/admin/add_secrets_access.go
@ -0,0 +1,111 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// AddSecretsAccessHandlerFunc turns a function with the right signature into a add secrets access handler
+type AddSecretsAccessHandlerFunc func(AddSecretsAccessParams, *rest_model_zrok.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn AddSecretsAccessHandlerFunc) Handle(params AddSecretsAccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// AddSecretsAccessHandler interface for that can handle valid add secrets access params
+type AddSecretsAccessHandler interface {
+	Handle(AddSecretsAccessParams, *rest_model_zrok.Principal) middleware.Responder
+}
+
+// NewAddSecretsAccess creates a new http.Handler for the add secrets access operation
+func NewAddSecretsAccess(ctx *middleware.Context, handler AddSecretsAccessHandler) *AddSecretsAccess {
+	return &AddSecretsAccess{Context: ctx, Handler: handler}
+}
+
+/*
+	AddSecretsAccess swagger:route POST /secrets/access admin addSecretsAccess
+
+AddSecretsAccess add secrets access API
+*/
+type AddSecretsAccess struct {
+	Context *middleware.Context
+	Handler AddSecretsAccessHandler
+}
+
+func (o *AddSecretsAccess) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		*r = *rCtx
+	}
+	var Params = NewAddSecretsAccessParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *rest_model_zrok.Principal
+	if uprinc != nil {
+		principal = uprinc.(*rest_model_zrok.Principal) // this is really a rest_model_zrok.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
+
+// AddSecretsAccessBody add secrets access body
+//
+// swagger:model AddSecretsAccessBody
+type AddSecretsAccessBody struct {
+
+	// secrets identity z Id
+	SecretsIdentityZID string `json:"secretsIdentityZId,omitempty"`
+}
+
+// Validate validates this add secrets access body
+func (o *AddSecretsAccessBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this add secrets access body based on context it is used
+func (o *AddSecretsAccessBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *AddSecretsAccessBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *AddSecretsAccessBody) UnmarshalBinary(b []byte) error {
+	var res AddSecretsAccessBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}
--- a/rest_server_zrok/operations/admin/add_secrets_access_parameters.go
+++ b/rest_server_zrok/operations/admin/add_secrets_access_parameters.go
@ -0,0 +1,74 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/validate"
+)
+
+// NewAddSecretsAccessParams creates a new AddSecretsAccessParams object
+//
+// There are no default values defined in the spec.
+func NewAddSecretsAccessParams() AddSecretsAccessParams {
+
+	return AddSecretsAccessParams{}
+}
+
+// AddSecretsAccessParams contains all the bound params for the add secrets access operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters addSecretsAccess
+type AddSecretsAccessParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  In: body
+	*/
+	Body AddSecretsAccessBody
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewAddSecretsAccessParams() beforehand.
+func (o *AddSecretsAccessParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	if runtime.HasBody(r) {
+		defer r.Body.Close()
+		var body AddSecretsAccessBody
+		if err := route.Consumer.Consume(r.Body, &body); err != nil {
+			res = append(res, errors.NewParseError("body", "body", "", err))
+		} else {
+			// validate body object
+			if err := body.Validate(route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			ctx := validate.WithOperationRequest(r.Context())
+			if err := body.ContextValidate(ctx, route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			if len(res) == 0 {
+				o.Body = body
+			}
+		}
+	}
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/rest_server_zrok/operations/admin/add_secrets_access_responses.go
+++ b/rest_server_zrok/operations/admin/add_secrets_access_responses.go
@ -0,0 +1,112 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+)
+
+// AddSecretsAccessOKCode is the HTTP code returned for type AddSecretsAccessOK
+const AddSecretsAccessOKCode int = 200
+
+/*
+AddSecretsAccessOK ok
+
+swagger:response addSecretsAccessOK
+*/
+type AddSecretsAccessOK struct {
+}
+
+// NewAddSecretsAccessOK creates AddSecretsAccessOK with default headers values
+func NewAddSecretsAccessOK() *AddSecretsAccessOK {
+
+	return &AddSecretsAccessOK{}
+}
+
+// WriteResponse to the client
+func (o *AddSecretsAccessOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(200)
+}
+
+// AddSecretsAccessBadRequestCode is the HTTP code returned for type AddSecretsAccessBadRequest
+const AddSecretsAccessBadRequestCode int = 400
+
+/*
+AddSecretsAccessBadRequest access not added
+
+swagger:response addSecretsAccessBadRequest
+*/
+type AddSecretsAccessBadRequest struct {
+}
+
+// NewAddSecretsAccessBadRequest creates AddSecretsAccessBadRequest with default headers values
+func NewAddSecretsAccessBadRequest() *AddSecretsAccessBadRequest {
+
+	return &AddSecretsAccessBadRequest{}
+}
+
+// WriteResponse to the client
+func (o *AddSecretsAccessBadRequest) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(400)
+}
+
+// AddSecretsAccessUnauthorizedCode is the HTTP code returned for type AddSecretsAccessUnauthorized
+const AddSecretsAccessUnauthorizedCode int = 401
+
+/*
+AddSecretsAccessUnauthorized unauthorized
+
+swagger:response addSecretsAccessUnauthorized
+*/
+type AddSecretsAccessUnauthorized struct {
+}
+
+// NewAddSecretsAccessUnauthorized creates AddSecretsAccessUnauthorized with default headers values
+func NewAddSecretsAccessUnauthorized() *AddSecretsAccessUnauthorized {
+
+	return &AddSecretsAccessUnauthorized{}
+}
+
+// WriteResponse to the client
+func (o *AddSecretsAccessUnauthorized) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(401)
+}
+
+// AddSecretsAccessInternalServerErrorCode is the HTTP code returned for type AddSecretsAccessInternalServerError
+const AddSecretsAccessInternalServerErrorCode int = 500
+
+/*
+AddSecretsAccessInternalServerError internal server error
+
+swagger:response addSecretsAccessInternalServerError
+*/
+type AddSecretsAccessInternalServerError struct {
+}
+
+// NewAddSecretsAccessInternalServerError creates AddSecretsAccessInternalServerError with default headers values
+func NewAddSecretsAccessInternalServerError() *AddSecretsAccessInternalServerError {
+
+	return &AddSecretsAccessInternalServerError{}
+}
+
+// WriteResponse to the client
+func (o *AddSecretsAccessInternalServerError) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(500)
+}
--- a/rest_server_zrok/operations/admin/add_secrets_access_urlbuilder.go
+++ b/rest_server_zrok/operations/admin/add_secrets_access_urlbuilder.go
@ -0,0 +1,87 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+)
+
+// AddSecretsAccessURL generates an URL for the add secrets access operation
+type AddSecretsAccessURL struct {
+	_basePath string
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *AddSecretsAccessURL) WithBasePath(bp string) *AddSecretsAccessURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *AddSecretsAccessURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *AddSecretsAccessURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/secrets/access"
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *AddSecretsAccessURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *AddSecretsAccessURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *AddSecretsAccessURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on AddSecretsAccessURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on AddSecretsAccessURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *AddSecretsAccessURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}
--- a/rest_server_zrok/operations/admin/delete_secrets_access.go
+++ b/rest_server_zrok/operations/admin/delete_secrets_access.go
@ -0,0 +1,111 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// DeleteSecretsAccessHandlerFunc turns a function with the right signature into a delete secrets access handler
+type DeleteSecretsAccessHandlerFunc func(DeleteSecretsAccessParams, *rest_model_zrok.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn DeleteSecretsAccessHandlerFunc) Handle(params DeleteSecretsAccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// DeleteSecretsAccessHandler interface for that can handle valid delete secrets access params
+type DeleteSecretsAccessHandler interface {
+	Handle(DeleteSecretsAccessParams, *rest_model_zrok.Principal) middleware.Responder
+}
+
+// NewDeleteSecretsAccess creates a new http.Handler for the delete secrets access operation
+func NewDeleteSecretsAccess(ctx *middleware.Context, handler DeleteSecretsAccessHandler) *DeleteSecretsAccess {
+	return &DeleteSecretsAccess{Context: ctx, Handler: handler}
+}
+
+/*
+	DeleteSecretsAccess swagger:route DELETE /secrets/access admin deleteSecretsAccess
+
+DeleteSecretsAccess delete secrets access API
+*/
+type DeleteSecretsAccess struct {
+	Context *middleware.Context
+	Handler DeleteSecretsAccessHandler
+}
+
+func (o *DeleteSecretsAccess) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		*r = *rCtx
+	}
+	var Params = NewDeleteSecretsAccessParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *rest_model_zrok.Principal
+	if uprinc != nil {
+		principal = uprinc.(*rest_model_zrok.Principal) // this is really a rest_model_zrok.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
+
+// DeleteSecretsAccessBody delete secrets access body
+//
+// swagger:model DeleteSecretsAccessBody
+type DeleteSecretsAccessBody struct {
+
+	// secrets identity z Id
+	SecretsIdentityZID string `json:"secretsIdentityZId,omitempty"`
+}
+
+// Validate validates this delete secrets access body
+func (o *DeleteSecretsAccessBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this delete secrets access body based on context it is used
+func (o *DeleteSecretsAccessBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *DeleteSecretsAccessBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *DeleteSecretsAccessBody) UnmarshalBinary(b []byte) error {
+	var res DeleteSecretsAccessBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}
--- a/rest_server_zrok/operations/admin/delete_secrets_access_parameters.go
+++ b/rest_server_zrok/operations/admin/delete_secrets_access_parameters.go
@ -0,0 +1,74 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/validate"
+)
+
+// NewDeleteSecretsAccessParams creates a new DeleteSecretsAccessParams object
+//
+// There are no default values defined in the spec.
+func NewDeleteSecretsAccessParams() DeleteSecretsAccessParams {
+
+	return DeleteSecretsAccessParams{}
+}
+
+// DeleteSecretsAccessParams contains all the bound params for the delete secrets access operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters deleteSecretsAccess
+type DeleteSecretsAccessParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  In: body
+	*/
+	Body DeleteSecretsAccessBody
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewDeleteSecretsAccessParams() beforehand.
+func (o *DeleteSecretsAccessParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	if runtime.HasBody(r) {
+		defer r.Body.Close()
+		var body DeleteSecretsAccessBody
+		if err := route.Consumer.Consume(r.Body, &body); err != nil {
+			res = append(res, errors.NewParseError("body", "body", "", err))
+		} else {
+			// validate body object
+			if err := body.Validate(route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			ctx := validate.WithOperationRequest(r.Context())
+			if err := body.ContextValidate(ctx, route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			if len(res) == 0 {
+				o.Body = body
+			}
+		}
+	}
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/rest_server_zrok/operations/admin/delete_secrets_access_responses.go
+++ b/rest_server_zrok/operations/admin/delete_secrets_access_responses.go
@ -0,0 +1,112 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+)
+
+// DeleteSecretsAccessOKCode is the HTTP code returned for type DeleteSecretsAccessOK
+const DeleteSecretsAccessOKCode int = 200
+
+/*
+DeleteSecretsAccessOK ok
+
+swagger:response deleteSecretsAccessOK
+*/
+type DeleteSecretsAccessOK struct {
+}
+
+// NewDeleteSecretsAccessOK creates DeleteSecretsAccessOK with default headers values
+func NewDeleteSecretsAccessOK() *DeleteSecretsAccessOK {
+
+	return &DeleteSecretsAccessOK{}
+}
+
+// WriteResponse to the client
+func (o *DeleteSecretsAccessOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(200)
+}
+
+// DeleteSecretsAccessBadRequestCode is the HTTP code returned for type DeleteSecretsAccessBadRequest
+const DeleteSecretsAccessBadRequestCode int = 400
+
+/*
+DeleteSecretsAccessBadRequest access not removed
+
+swagger:response deleteSecretsAccessBadRequest
+*/
+type DeleteSecretsAccessBadRequest struct {
+}
+
+// NewDeleteSecretsAccessBadRequest creates DeleteSecretsAccessBadRequest with default headers values
+func NewDeleteSecretsAccessBadRequest() *DeleteSecretsAccessBadRequest {
+
+	return &DeleteSecretsAccessBadRequest{}
+}
+
+// WriteResponse to the client
+func (o *DeleteSecretsAccessBadRequest) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(400)
+}
+
+// DeleteSecretsAccessUnauthorizedCode is the HTTP code returned for type DeleteSecretsAccessUnauthorized
+const DeleteSecretsAccessUnauthorizedCode int = 401
+
+/*
+DeleteSecretsAccessUnauthorized unauthorized
+
+swagger:response deleteSecretsAccessUnauthorized
+*/
+type DeleteSecretsAccessUnauthorized struct {
+}
+
+// NewDeleteSecretsAccessUnauthorized creates DeleteSecretsAccessUnauthorized with default headers values
+func NewDeleteSecretsAccessUnauthorized() *DeleteSecretsAccessUnauthorized {
+
+	return &DeleteSecretsAccessUnauthorized{}
+}
+
+// WriteResponse to the client
+func (o *DeleteSecretsAccessUnauthorized) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(401)
+}
+
+// DeleteSecretsAccessInternalServerErrorCode is the HTTP code returned for type DeleteSecretsAccessInternalServerError
+const DeleteSecretsAccessInternalServerErrorCode int = 500
+
+/*
+DeleteSecretsAccessInternalServerError internal server error
+
+swagger:response deleteSecretsAccessInternalServerError
+*/
+type DeleteSecretsAccessInternalServerError struct {
+}
+
+// NewDeleteSecretsAccessInternalServerError creates DeleteSecretsAccessInternalServerError with default headers values
+func NewDeleteSecretsAccessInternalServerError() *DeleteSecretsAccessInternalServerError {
+
+	return &DeleteSecretsAccessInternalServerError{}
+}
+
+// WriteResponse to the client
+func (o *DeleteSecretsAccessInternalServerError) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(500)
+}
--- a/rest_server_zrok/operations/admin/delete_secrets_access_urlbuilder.go
+++ b/rest_server_zrok/operations/admin/delete_secrets_access_urlbuilder.go
@ -0,0 +1,87 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+)
+
+// DeleteSecretsAccessURL generates an URL for the delete secrets access operation
+type DeleteSecretsAccessURL struct {
+	_basePath string
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *DeleteSecretsAccessURL) WithBasePath(bp string) *DeleteSecretsAccessURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *DeleteSecretsAccessURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *DeleteSecretsAccessURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/secrets/access"
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *DeleteSecretsAccessURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *DeleteSecretsAccessURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *DeleteSecretsAccessURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on DeleteSecretsAccessURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on DeleteSecretsAccessURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *DeleteSecretsAccessURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}
--- a/rest_server_zrok/operations/zrok_api.go
+++ b/rest_server_zrok/operations/zrok_api.go
@ -56,6 +56,9 @@ func NewZrokAPI(spec *loads.Document) *ZrokAPI {
 		AdminAddOrganizationMemberHandler: admin.AddOrganizationMemberHandlerFunc(func(params admin.AddOrganizationMemberParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin.AddOrganizationMember has not yet been implemented")
 		}),
+		AdminAddSecretsAccessHandler: admin.AddSecretsAccessHandlerFunc(func(params admin.AddSecretsAccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation admin.AddSecretsAccess has not yet been implemented")
+		}),
 		AccountChangePasswordHandler: account.ChangePasswordHandlerFunc(func(params account.ChangePasswordParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation account.ChangePassword has not yet been implemented")
 		}),
@ -83,6 +86,9 @@ func NewZrokAPI(spec *loads.Document) *ZrokAPI {
 		AdminDeleteOrganizationHandler: admin.DeleteOrganizationHandlerFunc(func(params admin.DeleteOrganizationParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin.DeleteOrganization has not yet been implemented")
 		}),
+		AdminDeleteSecretsAccessHandler: admin.DeleteSecretsAccessHandlerFunc(func(params admin.DeleteSecretsAccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation admin.DeleteSecretsAccess has not yet been implemented")
+		}),
 		EnvironmentDisableHandler: environment.DisableHandlerFunc(func(params environment.DisableParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation environment.Disable has not yet been implemented")
 		}),
@ -266,6 +272,8 @@ type ZrokAPI struct {
 	ShareAccessHandler share.AccessHandler
 	// AdminAddOrganizationMemberHandler sets the operation handler for the add organization member operation
 	AdminAddOrganizationMemberHandler admin.AddOrganizationMemberHandler
+	// AdminAddSecretsAccessHandler sets the operation handler for the add secrets access operation
+	AdminAddSecretsAccessHandler admin.AddSecretsAccessHandler
 	// AccountChangePasswordHandler sets the operation handler for the change password operation
 	AccountChangePasswordHandler account.ChangePasswordHandler
 	// MetadataClientVersionCheckHandler sets the operation handler for the client version check operation
@ -284,6 +292,8 @@ type ZrokAPI struct {
 	AdminDeleteFrontendHandler admin.DeleteFrontendHandler
 	// AdminDeleteOrganizationHandler sets the operation handler for the delete organization operation
 	AdminDeleteOrganizationHandler admin.DeleteOrganizationHandler
+	// AdminDeleteSecretsAccessHandler sets the operation handler for the delete secrets access operation
+	AdminDeleteSecretsAccessHandler admin.DeleteSecretsAccessHandler
 	// EnvironmentDisableHandler sets the operation handler for the disable operation
 	EnvironmentDisableHandler environment.DisableHandler
 	// EnvironmentEnableHandler sets the operation handler for the enable operation
@ -457,6 +467,9 @@ func (o *ZrokAPI) Validate() error {
 	if o.AdminAddOrganizationMemberHandler == nil {
 		unregistered = append(unregistered, "admin.AddOrganizationMemberHandler")
 	}
+	if o.AdminAddSecretsAccessHandler == nil {
+		unregistered = append(unregistered, "admin.AddSecretsAccessHandler")
+	}
 	if o.AccountChangePasswordHandler == nil {
 		unregistered = append(unregistered, "account.ChangePasswordHandler")
 	}
@ -484,6 +497,9 @@ func (o *ZrokAPI) Validate() error {
 	if o.AdminDeleteOrganizationHandler == nil {
 		unregistered = append(unregistered, "admin.DeleteOrganizationHandler")
 	}
+	if o.AdminDeleteSecretsAccessHandler == nil {
+		unregistered = append(unregistered, "admin.DeleteSecretsAccessHandler")
+	}
 	if o.EnvironmentDisableHandler == nil {
 		unregistered = append(unregistered, "environment.DisableHandler")
 	}
@ -723,6 +739,10 @@ func (o *ZrokAPI) initHandlerCache() {
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)
 	}
+	o.handlers["POST"]["/secrets/access"] = admin.NewAddSecretsAccess(o.context, o.AdminAddSecretsAccessHandler)
+	if o.handlers["POST"] == nil {
+		o.handlers["POST"] = make(map[string]http.Handler)
+	}
 	o.handlers["POST"]["/changePassword"] = account.NewChangePassword(o.context, o.AccountChangePasswordHandler)
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)
@ -756,6 +776,10 @@ func (o *ZrokAPI) initHandlerCache() {
 		o.handlers["DELETE"] = make(map[string]http.Handler)
 	}
 	o.handlers["DELETE"]["/organization"] = admin.NewDeleteOrganization(o.context, o.AdminDeleteOrganizationHandler)
+	if o.handlers["DELETE"] == nil {
+		o.handlers["DELETE"] = make(map[string]http.Handler)
+	}
+	o.handlers["DELETE"]["/secrets/access"] = admin.NewDeleteSecretsAccess(o.context, o.AdminDeleteSecretsAccessHandler)
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)
 	}
--- a/sdk/nodejs/sdk/src/api/.openapi-generator/FILES
+++ b/sdk/nodejs/sdk/src/api/.openapi-generator/FILES
@ -10,6 +10,7 @@ index.ts
 models/Access201Response.ts
 models/AccessRequest.ts
 models/AddOrganizationMemberRequest.ts
+models/AddSecretsAccessRequest.ts
 models/AuthUser.ts
 models/ChangePasswordRequest.ts
 models/ClientVersionCheckRequest.ts
--- a/sdk/nodejs/sdk/src/api/apis/AdminApi.ts
+++ b/sdk/nodejs/sdk/src/api/apis/AdminApi.ts
@ -16,6 +16,7 @@
 import * as runtime from '../runtime';
 import type {
  AddOrganizationMemberRequest,
+  AddSecretsAccessRequest,
  CreateFrontend201Response,
  CreateFrontendRequest,
  CreateIdentity201Response,
@ -35,6 +36,8 @@ import type {
 import {
    AddOrganizationMemberRequestFromJSON,
    AddOrganizationMemberRequestToJSON,
+    AddSecretsAccessRequestFromJSON,
+    AddSecretsAccessRequestToJSON,
    CreateFrontend201ResponseFromJSON,
    CreateFrontend201ResponseToJSON,
    CreateFrontendRequestFromJSON,
@ -71,6 +74,10 @@ export interface AddOrganizationMemberOperationRequest {
    body?: AddOrganizationMemberRequest;
 }

+export interface AddSecretsAccessOperationRequest {
+    body?: AddSecretsAccessRequest;
+}
+
 export interface CreateAccountRequest {
    body?: LoginRequest;
 }
@ -95,6 +102,10 @@ export interface DeleteOrganizationRequest {
    body?: CreateOrganization201Response;
 }

+export interface DeleteSecretsAccessRequest {
+    body?: AddSecretsAccessRequest;
+}
+
 export interface GrantsRequest {
    body?: Verify200Response;
 }
@ -150,6 +161,36 @@ export class AdminApi extends runtime.BaseAPI {
        await this.addOrganizationMemberRaw(requestParameters, initOverrides);
    }

+    /**
+     */
+    async addSecretsAccessRaw(requestParameters: AddSecretsAccessOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/secrets/access`,
+            method: 'POST',
+            headers: headerParameters,
+            query: queryParameters,
+            body: AddSecretsAccessRequestToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async addSecretsAccess(requestParameters: AddSecretsAccessOperationRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.addSecretsAccessRaw(requestParameters, initOverrides);
+    }
+
    /**
     */
    async createAccountRaw(requestParameters: CreateAccountRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RegenerateAccountToken200Response>> {
@ -334,6 +375,36 @@ export class AdminApi extends runtime.BaseAPI {
        await this.deleteOrganizationRaw(requestParameters, initOverrides);
    }

+    /**
+     */
+    async deleteSecretsAccessRaw(requestParameters: DeleteSecretsAccessRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/secrets/access`,
+            method: 'DELETE',
+            headers: headerParameters,
+            query: queryParameters,
+            body: AddSecretsAccessRequestToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async deleteSecretsAccess(requestParameters: DeleteSecretsAccessRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.deleteSecretsAccessRaw(requestParameters, initOverrides);
+    }
+
    /**
     */
    async grantsRaw(requestParameters: GrantsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
--- a/sdk/nodejs/sdk/src/api/models/AddSecretsAccessRequest.ts
+++ b/sdk/nodejs/sdk/src/api/models/AddSecretsAccessRequest.ts
@ -0,0 +1,65 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * zrok
+ * zrok client access
+ *
+ * The version of the OpenAPI document: 1.0.0
+ * 
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import { mapValues } from '../runtime';
+/**
+ * 
+ * @export
+ * @interface AddSecretsAccessRequest
+ */
+export interface AddSecretsAccessRequest {
+    /**
+     * 
+     * @type {string}
+     * @memberof AddSecretsAccessRequest
+     */
+    secretsIdentityZId?: string;
+}
+
+/**
+ * Check if a given object implements the AddSecretsAccessRequest interface.
+ */
+export function instanceOfAddSecretsAccessRequest(value: object): value is AddSecretsAccessRequest {
+    return true;
+}
+
+export function AddSecretsAccessRequestFromJSON(json: any): AddSecretsAccessRequest {
+    return AddSecretsAccessRequestFromJSONTyped(json, false);
+}
+
+export function AddSecretsAccessRequestFromJSONTyped(json: any, ignoreDiscriminator: boolean): AddSecretsAccessRequest {
+    if (json == null) {
+        return json;
+    }
+    return {
+        
+        'secretsIdentityZId': json['secretsIdentityZId'] == null ? undefined : json['secretsIdentityZId'],
+    };
+}
+
+export function AddSecretsAccessRequestToJSON(json: any): AddSecretsAccessRequest {
+    return AddSecretsAccessRequestToJSONTyped(json, false);
+}
+
+export function AddSecretsAccessRequestToJSONTyped(value?: AddSecretsAccessRequest | null, ignoreDiscriminator: boolean = false): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        
+        'secretsIdentityZId': value['secretsIdentityZId'],
+    };
+}
+
--- a/sdk/nodejs/sdk/src/api/models/index.ts
+++ b/sdk/nodejs/sdk/src/api/models/index.ts
@ -3,6 +3,7 @@
 export * from './Access201Response';
 export * from './AccessRequest';
 export * from './AddOrganizationMemberRequest';
+export * from './AddSecretsAccessRequest';
 export * from './AuthUser';
 export * from './ChangePasswordRequest';
 export * from './ClientVersionCheckRequest';
--- a/sdk/python/src/.openapi-generator/FILES
+++ b/sdk/python/src/.openapi-generator/FILES
@ -4,6 +4,7 @@ docs/Access201Response.md
 docs/AccessRequest.md
 docs/AccountApi.md
 docs/AddOrganizationMemberRequest.md
+docs/AddSecretsAccessRequest.md
 docs/AdminApi.md
 docs/AgentApi.md
 docs/AuthUser.md
@ -75,6 +76,7 @@ test/test_access201_response.py
 test/test_access_request.py
 test/test_account_api.py
 test/test_add_organization_member_request.py
+test/test_add_secrets_access_request.py
 test/test_admin_api.py
 test/test_agent_api.py
 test/test_auth_user.py
@ -155,6 +157,7 @@ zrok_api/models/__init__.py
 zrok_api/models/access201_response.py
 zrok_api/models/access_request.py
 zrok_api/models/add_organization_member_request.py
+zrok_api/models/add_secrets_access_request.py
 zrok_api/models/auth_user.py
 zrok_api/models/change_password_request.py
 zrok_api/models/client_version_check_request.py
--- a/sdk/python/src/README.md
+++ b/sdk/python/src/README.md
@ -101,12 +101,14 @@ Class | Method | HTTP request | Description
 *AccountApi* | [**reset_password_request**](docs/AccountApi.md#reset_password_request) | **POST** /resetPasswordRequest | 
 *AccountApi* | [**verify**](docs/AccountApi.md#verify) | **POST** /verify | 
 *AdminApi* | [**add_organization_member**](docs/AdminApi.md#add_organization_member) | **POST** /organization/add | 
+*AdminApi* | [**add_secrets_access**](docs/AdminApi.md#add_secrets_access) | **POST** /secrets/access | 
 *AdminApi* | [**create_account**](docs/AdminApi.md#create_account) | **POST** /account | 
 *AdminApi* | [**create_frontend**](docs/AdminApi.md#create_frontend) | **POST** /frontend | 
 *AdminApi* | [**create_identity**](docs/AdminApi.md#create_identity) | **POST** /identity | 
 *AdminApi* | [**create_organization**](docs/AdminApi.md#create_organization) | **POST** /organization | 
 *AdminApi* | [**delete_frontend**](docs/AdminApi.md#delete_frontend) | **DELETE** /frontend | 
 *AdminApi* | [**delete_organization**](docs/AdminApi.md#delete_organization) | **DELETE** /organization | 
+*AdminApi* | [**delete_secrets_access**](docs/AdminApi.md#delete_secrets_access) | **DELETE** /secrets/access | 
 *AdminApi* | [**grants**](docs/AdminApi.md#grants) | **POST** /grants | 
 *AdminApi* | [**invite_token_generate**](docs/AdminApi.md#invite_token_generate) | **POST** /invite/token/generate | 
 *AdminApi* | [**list_frontends**](docs/AdminApi.md#list_frontends) | **GET** /frontends | 
@ -153,6 +155,7 @@ Class | Method | HTTP request | Description
 - [Access201Response](docs/Access201Response.md)
 - [AccessRequest](docs/AccessRequest.md)
 - [AddOrganizationMemberRequest](docs/AddOrganizationMemberRequest.md)
+ - [AddSecretsAccessRequest](docs/AddSecretsAccessRequest.md)
 - [AuthUser](docs/AuthUser.md)
 - [ChangePasswordRequest](docs/ChangePasswordRequest.md)
 - [ClientVersionCheckRequest](docs/ClientVersionCheckRequest.md)
--- a/sdk/python/src/docs/AddSecretsAccessRequest.md
+++ b/sdk/python/src/docs/AddSecretsAccessRequest.md
@ -0,0 +1,29 @@
+# AddSecretsAccessRequest
+
+
+## Properties
+
+Name | Type | Description | Notes
+------------ | ------------- | ------------- | -------------
+**secrets_identity_zid** | **str** |  | [optional] 
+
+## Example
+
+```python
+from zrok_api.models.add_secrets_access_request import AddSecretsAccessRequest
+
+# TODO update the JSON string below
+json = "{}"
+# create an instance of AddSecretsAccessRequest from a JSON string
+add_secrets_access_request_instance = AddSecretsAccessRequest.from_json(json)
+# print the JSON string representation of the object
+print(AddSecretsAccessRequest.to_json())
+
+# convert the object into a dict
+add_secrets_access_request_dict = add_secrets_access_request_instance.to_dict()
+# create an instance of AddSecretsAccessRequest from a dict
+add_secrets_access_request_from_dict = AddSecretsAccessRequest.from_dict(add_secrets_access_request_dict)
+```
+[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+
+
--- a/sdk/python/src/docs/AdminApi.md
+++ b/sdk/python/src/docs/AdminApi.md
@ -5,12 +5,14 @@ All URIs are relative to */api/v1*
 Method | HTTP request | Description
 ------------- | ------------- | -------------
 [**add_organization_member**](AdminApi.md#add_organization_member) | **POST** /organization/add | 
+[**add_secrets_access**](AdminApi.md#add_secrets_access) | **POST** /secrets/access | 
 [**create_account**](AdminApi.md#create_account) | **POST** /account | 
 [**create_frontend**](AdminApi.md#create_frontend) | **POST** /frontend | 
 [**create_identity**](AdminApi.md#create_identity) | **POST** /identity | 
 [**create_organization**](AdminApi.md#create_organization) | **POST** /organization | 
 [**delete_frontend**](AdminApi.md#delete_frontend) | **DELETE** /frontend | 
 [**delete_organization**](AdminApi.md#delete_organization) | **DELETE** /organization | 
+[**delete_secrets_access**](AdminApi.md#delete_secrets_access) | **DELETE** /secrets/access | 
 [**grants**](AdminApi.md#grants) | **POST** /grants | 
 [**invite_token_generate**](AdminApi.md#invite_token_generate) | **POST** /invite/token/generate | 
 [**list_frontends**](AdminApi.md#list_frontends) | **GET** /frontends | 
@ -95,6 +97,81 @@ void (empty response body)

 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)

+# **add_secrets_access**
+> add_secrets_access(body=body)
+
+### Example
+
+* Api Key Authentication (key):
+
+```python
+import zrok_api
+from zrok_api.models.add_secrets_access_request import AddSecretsAccessRequest
+from zrok_api.rest import ApiException
+from pprint import pprint
+
+# Defining the host is optional and defaults to /api/v1
+# See configuration.py for a list of all supported configuration parameters.
+configuration = zrok_api.Configuration(
+    host = "/api/v1"
+)
+
+# The client must configure the authentication and authorization parameters
+# in accordance with the API server security policy.
+# Examples for each auth method are provided below, use the example that
+# satisfies your auth use case.
+
+# Configure API key authorization: key
+configuration.api_key['key'] = os.environ["API_KEY"]
+
+# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+# configuration.api_key_prefix['key'] = 'Bearer'
+
+# Enter a context with an instance of the API client
+with zrok_api.ApiClient(configuration) as api_client:
+    # Create an instance of the API class
+    api_instance = zrok_api.AdminApi(api_client)
+    body = zrok_api.AddSecretsAccessRequest() # AddSecretsAccessRequest |  (optional)
+
+    try:
+        api_instance.add_secrets_access(body=body)
+    except Exception as e:
+        print("Exception when calling AdminApi->add_secrets_access: %s\n" % e)
+```
+
+
+
+### Parameters
+
+
+Name | Type | Description  | Notes
+------------- | ------------- | ------------- | -------------
+ **body** | [**AddSecretsAccessRequest**](AddSecretsAccessRequest.md)|  | [optional] 
+
+### Return type
+
+void (empty response body)
+
+### Authorization
+
+[key](../README.md#key)
+
+### HTTP request headers
+
+ - **Content-Type**: application/zrok.v1+json
+ - **Accept**: Not defined
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+|-------------|-------------|------------------|
+**200** | ok |  -  |
+**400** | access not added |  -  |
+**401** | unauthorized |  -  |
+**500** | internal server error |  -  |
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
 # **create_account**
 > RegenerateAccountToken200Response create_account(body=body)

@ -555,6 +632,81 @@ void (empty response body)

 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)

+# **delete_secrets_access**
+> delete_secrets_access(body=body)
+
+### Example
+
+* Api Key Authentication (key):
+
+```python
+import zrok_api
+from zrok_api.models.add_secrets_access_request import AddSecretsAccessRequest
+from zrok_api.rest import ApiException
+from pprint import pprint
+
+# Defining the host is optional and defaults to /api/v1
+# See configuration.py for a list of all supported configuration parameters.
+configuration = zrok_api.Configuration(
+    host = "/api/v1"
+)
+
+# The client must configure the authentication and authorization parameters
+# in accordance with the API server security policy.
+# Examples for each auth method are provided below, use the example that
+# satisfies your auth use case.
+
+# Configure API key authorization: key
+configuration.api_key['key'] = os.environ["API_KEY"]
+
+# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+# configuration.api_key_prefix['key'] = 'Bearer'
+
+# Enter a context with an instance of the API client
+with zrok_api.ApiClient(configuration) as api_client:
+    # Create an instance of the API class
+    api_instance = zrok_api.AdminApi(api_client)
+    body = zrok_api.AddSecretsAccessRequest() # AddSecretsAccessRequest |  (optional)
+
+    try:
+        api_instance.delete_secrets_access(body=body)
+    except Exception as e:
+        print("Exception when calling AdminApi->delete_secrets_access: %s\n" % e)
+```
+
+
+
+### Parameters
+
+
+Name | Type | Description  | Notes
+------------- | ------------- | ------------- | -------------
+ **body** | [**AddSecretsAccessRequest**](AddSecretsAccessRequest.md)|  | [optional] 
+
+### Return type
+
+void (empty response body)
+
+### Authorization
+
+[key](../README.md#key)
+
+### HTTP request headers
+
+ - **Content-Type**: application/zrok.v1+json
+ - **Accept**: Not defined
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+|-------------|-------------|------------------|
+**200** | ok |  -  |
+**400** | access not removed |  -  |
+**401** | unauthorized |  -  |
+**500** | internal server error |  -  |
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
 # **grants**
 > grants(body=body)

--- a/sdk/python/src/test/test_add_secrets_access_request.py
+++ b/sdk/python/src/test/test_add_secrets_access_request.py
@ -0,0 +1,51 @@
+# coding: utf-8
+
+"""
+    zrok
+
+    zrok client access
+
+    The version of the OpenAPI document: 1.0.0
+    Generated by OpenAPI Generator (https://openapi-generator.tech)
+
+    Do not edit the class manually.
+"""  # noqa: E501
+
+
+import unittest
+
+from zrok_api.models.add_secrets_access_request import AddSecretsAccessRequest
+
+class TestAddSecretsAccessRequest(unittest.TestCase):
+    """AddSecretsAccessRequest unit test stubs"""
+
+    def setUp(self):
+        pass
+
+    def tearDown(self):
+        pass
+
+    def make_instance(self, include_optional) -> AddSecretsAccessRequest:
+        """Test AddSecretsAccessRequest
+            include_optional is a boolean, when False only required
+            params are included, when True both required and
+            optional params are included """
+        # uncomment below to create an instance of `AddSecretsAccessRequest`
+        """
+        model = AddSecretsAccessRequest()
+        if include_optional:
+            return AddSecretsAccessRequest(
+                secrets_identity_zid = ''
+            )
+        else:
+            return AddSecretsAccessRequest(
+        )
+        """
+
+    def testAddSecretsAccessRequest(self):
+        """Test AddSecretsAccessRequest"""
+        # inst_req_only = self.make_instance(include_optional=False)
+        # inst_req_and_optional = self.make_instance(include_optional=True)
+
+if __name__ == '__main__':
+    unittest.main()
--- a/sdk/python/src/test/test_admin_api.py
+++ b/sdk/python/src/test/test_admin_api.py
@ -32,6 +32,12 @@ class TestAdminApi(unittest.TestCase):
        """
        pass

+    def test_add_secrets_access(self) -> None:
+        """Test case for add_secrets_access
+
+        """
+        pass
+
    def test_create_account(self) -> None:
        """Test case for create_account

@ -68,6 +74,12 @@ class TestAdminApi(unittest.TestCase):
        """
        pass

+    def test_delete_secrets_access(self) -> None:
+        """Test case for delete_secrets_access
+
+        """
+        pass
+
    def test_grants(self) -> None:
        """Test case for grants

--- a/sdk/python/src/zrok_api/init.py
+++ b/sdk/python/src/zrok_api/init.py
@ -39,6 +39,7 @@ from zrok_api.exceptions import ApiException
 from zrok_api.models.access201_response import Access201Response
 from zrok_api.models.access_request import AccessRequest
 from zrok_api.models.add_organization_member_request import AddOrganizationMemberRequest
+from zrok_api.models.add_secrets_access_request import AddSecretsAccessRequest
 from zrok_api.models.auth_user import AuthUser
 from zrok_api.models.change_password_request import ChangePasswordRequest
 from zrok_api.models.client_version_check_request import ClientVersionCheckRequest
--- a/sdk/python/src/zrok_api/api/admin_api.py
+++ b/sdk/python/src/zrok_api/api/admin_api.py
@ -18,6 +18,7 @@ from typing_extensions import Annotated

 from typing import List, Optional
 from zrok_api.models.add_organization_member_request import AddOrganizationMemberRequest
+from zrok_api.models.add_secrets_access_request import AddSecretsAccessRequest
 from zrok_api.models.create_frontend201_response import CreateFrontend201Response
 from zrok_api.models.create_frontend_request import CreateFrontendRequest
 from zrok_api.models.create_identity201_response import CreateIdentity201Response
@ -325,6 +326,279 @@ class AdminApi:



+    @validate_call
+    def add_secrets_access(
+        self,
+        body: Optional[AddSecretsAccessRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> None:
+        """add_secrets_access
+
+
+        :param body:
+        :type body: AddSecretsAccessRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._add_secrets_access_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '400': None,
+            '401': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        ).data
+
+
+    @validate_call
+    def add_secrets_access_with_http_info(
+        self,
+        body: Optional[AddSecretsAccessRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> ApiResponse[None]:
+        """add_secrets_access
+
+
+        :param body:
+        :type body: AddSecretsAccessRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._add_secrets_access_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '400': None,
+            '401': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        )
+
+
+    @validate_call
+    def add_secrets_access_without_preload_content(
+        self,
+        body: Optional[AddSecretsAccessRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> RESTResponseType:
+        """add_secrets_access
+
+
+        :param body:
+        :type body: AddSecretsAccessRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._add_secrets_access_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '400': None,
+            '401': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        return response_data.response
+
+
+    def _add_secrets_access_serialize(
+        self,
+        body,
+        _request_auth,
+        _content_type,
+        _headers,
+        _host_index,
+    ) -> RequestSerialized:
+
+        _host = None
+
+        _collection_formats: Dict[str, str] = {
+        }
+
+        _path_params: Dict[str, str] = {}
+        _query_params: List[Tuple[str, str]] = []
+        _header_params: Dict[str, Optional[str]] = _headers or {}
+        _form_params: List[Tuple[str, str]] = []
+        _files: Dict[
+            str, Union[str, bytes, List[str], List[bytes], List[Tuple[str, bytes]]]
+        ] = {}
+        _body_params: Optional[bytes] = None
+
+        # process the path parameters
+        # process the query parameters
+        # process the header parameters
+        # process the form parameters
+        # process the body parameter
+        if body is not None:
+            _body_params = body
+
+
+
+        # set the HTTP header `Content-Type`
+        if _content_type:
+            _header_params['Content-Type'] = _content_type
+        else:
+            _default_content_type = (
+                self.api_client.select_header_content_type(
+                    [
+                        'application/zrok.v1+json'
+                    ]
+                )
+            )
+            if _default_content_type is not None:
+                _header_params['Content-Type'] = _default_content_type
+
+        # authentication setting
+        _auth_settings: List[str] = [
+            'key'
+        ]
+
+        return self.api_client.param_serialize(
+            method='POST',
+            resource_path='/secrets/access',
+            path_params=_path_params,
+            query_params=_query_params,
+            header_params=_header_params,
+            body=_body_params,
+            post_params=_form_params,
+            files=_files,
+            auth_settings=_auth_settings,
+            collection_formats=_collection_formats,
+            _host=_host,
+            _request_auth=_request_auth
+        )
+
+
+
+
    @validate_call
    def create_account(
        self,
@ -1985,6 +2259,279 @@ class AdminApi:



+    @validate_call
+    def delete_secrets_access(
+        self,
+        body: Optional[AddSecretsAccessRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> None:
+        """delete_secrets_access
+
+
+        :param body:
+        :type body: AddSecretsAccessRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._delete_secrets_access_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '400': None,
+            '401': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        ).data
+
+
+    @validate_call
+    def delete_secrets_access_with_http_info(
+        self,
+        body: Optional[AddSecretsAccessRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> ApiResponse[None]:
+        """delete_secrets_access
+
+
+        :param body:
+        :type body: AddSecretsAccessRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._delete_secrets_access_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '400': None,
+            '401': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        )
+
+
+    @validate_call
+    def delete_secrets_access_without_preload_content(
+        self,
+        body: Optional[AddSecretsAccessRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> RESTResponseType:
+        """delete_secrets_access
+
+
+        :param body:
+        :type body: AddSecretsAccessRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._delete_secrets_access_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '400': None,
+            '401': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        return response_data.response
+
+
+    def _delete_secrets_access_serialize(
+        self,
+        body,
+        _request_auth,
+        _content_type,
+        _headers,
+        _host_index,
+    ) -> RequestSerialized:
+
+        _host = None
+
+        _collection_formats: Dict[str, str] = {
+        }
+
+        _path_params: Dict[str, str] = {}
+        _query_params: List[Tuple[str, str]] = []
+        _header_params: Dict[str, Optional[str]] = _headers or {}
+        _form_params: List[Tuple[str, str]] = []
+        _files: Dict[
+            str, Union[str, bytes, List[str], List[bytes], List[Tuple[str, bytes]]]
+        ] = {}
+        _body_params: Optional[bytes] = None
+
+        # process the path parameters
+        # process the query parameters
+        # process the header parameters
+        # process the form parameters
+        # process the body parameter
+        if body is not None:
+            _body_params = body
+
+
+
+        # set the HTTP header `Content-Type`
+        if _content_type:
+            _header_params['Content-Type'] = _content_type
+        else:
+            _default_content_type = (
+                self.api_client.select_header_content_type(
+                    [
+                        'application/zrok.v1+json'
+                    ]
+                )
+            )
+            if _default_content_type is not None:
+                _header_params['Content-Type'] = _default_content_type
+
+        # authentication setting
+        _auth_settings: List[str] = [
+            'key'
+        ]
+
+        return self.api_client.param_serialize(
+            method='DELETE',
+            resource_path='/secrets/access',
+            path_params=_path_params,
+            query_params=_query_params,
+            header_params=_header_params,
+            body=_body_params,
+            post_params=_form_params,
+            files=_files,
+            auth_settings=_auth_settings,
+            collection_formats=_collection_formats,
+            _host=_host,
+            _request_auth=_request_auth
+        )
+
+
+
+
    @validate_call
    def grants(
        self,
--- a/sdk/python/src/zrok_api/models/init.py
+++ b/sdk/python/src/zrok_api/models/init.py
@ -17,6 +17,7 @@
 from zrok_api.models.access201_response import Access201Response
 from zrok_api.models.access_request import AccessRequest
 from zrok_api.models.add_organization_member_request import AddOrganizationMemberRequest
+from zrok_api.models.add_secrets_access_request import AddSecretsAccessRequest
 from zrok_api.models.auth_user import AuthUser
 from zrok_api.models.change_password_request import ChangePasswordRequest
 from zrok_api.models.client_version_check_request import ClientVersionCheckRequest
--- a/sdk/python/src/zrok_api/models/add_secrets_access_request.py
+++ b/sdk/python/src/zrok_api/models/add_secrets_access_request.py
@ -0,0 +1,87 @@
+# coding: utf-8
+
+"""
+    zrok
+
+    zrok client access
+
+    The version of the OpenAPI document: 1.0.0
+    Generated by OpenAPI Generator (https://openapi-generator.tech)
+
+    Do not edit the class manually.
+"""  # noqa: E501
+
+
+from __future__ import annotations
+import pprint
+import re  # noqa: F401
+import json
+
+from pydantic import BaseModel, ConfigDict, Field, StrictStr
+from typing import Any, ClassVar, Dict, List, Optional
+from typing import Optional, Set
+from typing_extensions import Self
+
+class AddSecretsAccessRequest(BaseModel):
+    """
+    AddSecretsAccessRequest
+    """ # noqa: E501
+    secrets_identity_zid: Optional[StrictStr] = Field(default=None, alias="secretsIdentityZId")
+    __properties: ClassVar[List[str]] = ["secretsIdentityZId"]
+
+    model_config = ConfigDict(
+        populate_by_name=True,
+        validate_assignment=True,
+        protected_namespaces=(),
+    )
+
+
+    def to_str(self) -> str:
+        """Returns the string representation of the model using alias"""
+        return pprint.pformat(self.model_dump(by_alias=True))
+
+    def to_json(self) -> str:
+        """Returns the JSON representation of the model using alias"""
+        # TODO: pydantic v2: use .model_dump_json(by_alias=True, exclude_unset=True) instead
+        return json.dumps(self.to_dict())
+
+    @classmethod
+    def from_json(cls, json_str: str) -> Optional[Self]:
+        """Create an instance of AddSecretsAccessRequest from a JSON string"""
+        return cls.from_dict(json.loads(json_str))
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Return the dictionary representation of the model using alias.
+
+        This has the following differences from calling pydantic's
+        `self.model_dump(by_alias=True)`:
+
+        * `None` is only added to the output dict for nullable fields that
+          were set at model initialization. Other fields with value `None`
+          are ignored.
+        """
+        excluded_fields: Set[str] = set([
+        ])
+
+        _dict = self.model_dump(
+            by_alias=True,
+            exclude=excluded_fields,
+            exclude_none=True,
+        )
+        return _dict
+
+    @classmethod
+    def from_dict(cls, obj: Optional[Dict[str, Any]]) -> Optional[Self]:
+        """Create an instance of AddSecretsAccessRequest from a dict"""
+        if obj is None:
+            return None
+
+        if not isinstance(obj, dict):
+            return cls.model_validate(obj)
+
+        _obj = cls.model_validate({
+            "secretsIdentityZId": obj.get("secretsIdentityZId")
+        })
+        return _obj
+
+
--- a/specs/zrok.yml
+++ b/specs/zrok.yml
@ -613,6 +613,52 @@ paths:
        500:
          description: internal server error

+  /secrets/access:
+    post:
+      tags:
+        - admin
+      security:
+        - key: []
+      operationId: addSecretsAccess
+      parameters:
+        - name: body
+          in: body
+          schema:
+            properties:
+              secretsIdentityZId:
+                type: string
+      responses:
+        200:
+          description: ok
+        400:
+          description: access not added
+        401:
+          description: unauthorized
+        500:
+          description: internal server error
+    delete:
+      tags:
+        - admin
+      security:
+        - key: []
+      operationId: deleteSecretsAccess
+      parameters:
+        - name: body
+          in: body
+          schema:
+            properties:
+              secretsIdentityZId:
+                type: string
+      responses:
+        200:
+          description: ok
+        400:
+          description: access not removed
+        401:
+          description: unauthorized
+        500:
+          description: internal server error
+
  #
  # agent
  #
--- a/ui/src/api/.openapi-generator/FILES
+++ b/ui/src/api/.openapi-generator/FILES
@ -10,6 +10,7 @@ index.ts
 models/Access201Response.ts
 models/AccessRequest.ts
 models/AddOrganizationMemberRequest.ts
+models/AddSecretsAccessRequest.ts
 models/AuthUser.ts
 models/ChangePasswordRequest.ts
 models/ClientVersionCheckRequest.ts
--- a/ui/src/api/apis/AdminApi.ts
+++ b/ui/src/api/apis/AdminApi.ts
@ -16,6 +16,7 @@
 import * as runtime from '../runtime';
 import type {
  AddOrganizationMemberRequest,
+  AddSecretsAccessRequest,
  CreateFrontend201Response,
  CreateFrontendRequest,
  CreateIdentity201Response,
@ -35,6 +36,8 @@ import type {
 import {
    AddOrganizationMemberRequestFromJSON,
    AddOrganizationMemberRequestToJSON,
+    AddSecretsAccessRequestFromJSON,
+    AddSecretsAccessRequestToJSON,
    CreateFrontend201ResponseFromJSON,
    CreateFrontend201ResponseToJSON,
    CreateFrontendRequestFromJSON,
@ -71,6 +74,10 @@ export interface AddOrganizationMemberOperationRequest {
    body?: AddOrganizationMemberRequest;
 }

+export interface AddSecretsAccessOperationRequest {
+    body?: AddSecretsAccessRequest;
+}
+
 export interface CreateAccountRequest {
    body?: LoginRequest;
 }
@ -95,6 +102,10 @@ export interface DeleteOrganizationRequest {
    body?: CreateOrganization201Response;
 }

+export interface DeleteSecretsAccessRequest {
+    body?: AddSecretsAccessRequest;
+}
+
 export interface GrantsRequest {
    body?: Verify200Response;
 }
@ -150,6 +161,36 @@ export class AdminApi extends runtime.BaseAPI {
        await this.addOrganizationMemberRaw(requestParameters, initOverrides);
    }

+    /**
+     */
+    async addSecretsAccessRaw(requestParameters: AddSecretsAccessOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/secrets/access`,
+            method: 'POST',
+            headers: headerParameters,
+            query: queryParameters,
+            body: AddSecretsAccessRequestToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async addSecretsAccess(requestParameters: AddSecretsAccessOperationRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.addSecretsAccessRaw(requestParameters, initOverrides);
+    }
+
    /**
     */
    async createAccountRaw(requestParameters: CreateAccountRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<RegenerateAccountToken200Response>> {
@ -334,6 +375,36 @@ export class AdminApi extends runtime.BaseAPI {
        await this.deleteOrganizationRaw(requestParameters, initOverrides);
    }

+    /**
+     */
+    async deleteSecretsAccessRaw(requestParameters: DeleteSecretsAccessRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/secrets/access`,
+            method: 'DELETE',
+            headers: headerParameters,
+            query: queryParameters,
+            body: AddSecretsAccessRequestToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async deleteSecretsAccess(requestParameters: DeleteSecretsAccessRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.deleteSecretsAccessRaw(requestParameters, initOverrides);
+    }
+
    /**
     */
    async grantsRaw(requestParameters: GrantsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
--- a/ui/src/api/models/AddSecretsAccessRequest.ts
+++ b/ui/src/api/models/AddSecretsAccessRequest.ts
@ -0,0 +1,65 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * zrok
+ * zrok client access
+ *
+ * The version of the OpenAPI document: 1.0.0
+ * 
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import { mapValues } from '../runtime';
+/**
+ * 
+ * @export
+ * @interface AddSecretsAccessRequest
+ */
+export interface AddSecretsAccessRequest {
+    /**
+     * 
+     * @type {string}
+     * @memberof AddSecretsAccessRequest
+     */
+    secretsIdentityZId?: string;
+}
+
+/**
+ * Check if a given object implements the AddSecretsAccessRequest interface.
+ */
+export function instanceOfAddSecretsAccessRequest(value: object): value is AddSecretsAccessRequest {
+    return true;
+}
+
+export function AddSecretsAccessRequestFromJSON(json: any): AddSecretsAccessRequest {
+    return AddSecretsAccessRequestFromJSONTyped(json, false);
+}
+
+export function AddSecretsAccessRequestFromJSONTyped(json: any, ignoreDiscriminator: boolean): AddSecretsAccessRequest {
+    if (json == null) {
+        return json;
+    }
+    return {
+        
+        'secretsIdentityZId': json['secretsIdentityZId'] == null ? undefined : json['secretsIdentityZId'],
+    };
+}
+
+export function AddSecretsAccessRequestToJSON(json: any): AddSecretsAccessRequest {
+    return AddSecretsAccessRequestToJSONTyped(json, false);
+}
+
+export function AddSecretsAccessRequestToJSONTyped(value?: AddSecretsAccessRequest | null, ignoreDiscriminator: boolean = false): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        
+        'secretsIdentityZId': value['secretsIdentityZId'],
+    };
+}
+
--- a/ui/src/api/models/index.ts
+++ b/ui/src/api/models/index.ts
@ -3,6 +3,7 @@
 export * from './Access201Response';
 export * from './AccessRequest';
 export * from './AddOrganizationMemberRequest';
+export * from './AddSecretsAccessRequest';
 export * from './AuthUser';
 export * from './ChangePasswordRequest';
 export * from './ClientVersionCheckRequest';