Merge pull request #995 from openziti/more_admin_api

More Admin API (#992, #993)

CHANGELOG.md

@@ -1,5 +1,11 @@
 # CHANGELOG
 
+## v1.0.7
+
+FEATURE: New add and delete API endpoints for frontend grants. New `zrok admin create frontend-grant` and `zrok admin delete frontend-grant` CLI for invoking these API endpoints from the command line (https://github.com/openziti/zrok/issues/992)
+
+FEATURE: New admin endpoint for deleting accounts. New `zrok admin delete account` CLI for invoking the API endpoint from the command line (https://github.com/openziti/zrok/issues/993)
+
 ## v1.0.6
 
 CHANGE: The `/overview` endpoint has been adjusted to include a new `remoteAgent` `boolean` on the `environment` instances, indicating whether or not the environment has an enrolled remote agent (https://github.com/openziti/zrok/issues/977)

cmd/zrok/adminCreateFrontend.go

@@ -7,7 +7,6 @@ import (
 	"github.com/openziti/zrok/tui"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"os"
 )
 
 func init() {
@@ -36,12 +35,12 @@ func (cmd *adminCreateFrontendCommand) run(_ *cobra.Command, args []string) {
 	publicName := args[1]
 	urlTemplate := args[2]
 
-	env, err := environment.LoadRoot()
+	root, err := environment.LoadRoot()
 	if err != nil {
 		panic(err)
 	}
 
-	zrok, err := env.Client()
+	zrok, err := root.Client()
 	if err != nil {
 		panic(err)
 	}
@@ -61,10 +60,8 @@ func (cmd *adminCreateFrontendCommand) run(_ *cobra.Command, args []string) {
 		switch err.(type) {
 		case *admin.CreateFrontendBadRequest:
 			tui.Error("create frontend request failed: name already exists", err)
-			os.Exit(1)
 		default:
 			tui.Error("create frontend request failed", err)
-			os.Exit(1)
 		}
 	}
 

cmd/zrok/adminCreateFrontendGrant.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	"os"
+
+	"github.com/openziti/zrok/environment"
+	"github.com/openziti/zrok/rest_client_zrok/admin"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	adminCreateCmd.AddCommand(newAdminCreateFrontendGrantCommand().cmd)
+}
+
+type adminCreateFrontendGrantCommand struct {
+	cmd *cobra.Command
+}
+
+func newAdminCreateFrontendGrantCommand() *adminCreateFrontendGrantCommand {
+	cmd := &cobra.Command{
+		Use:     "frontend-grant <frontendToken> <accountEmail>",
+		Aliases: []string{"fg"},
+		Short:   "Grant an account access to a frontend",
+		Args:    cobra.ExactArgs(2),
+	}
+	command := &adminCreateFrontendGrantCommand{cmd: cmd}
+	cmd.Run = command.run
+	return command
+}
+
+func (cmd *adminCreateFrontendGrantCommand) run(_ *cobra.Command, args []string) {
+	frontendToken := args[0]
+	accountEmail := args[1]
+
+	root, err := environment.LoadRoot()
+	if err != nil {
+		panic(err)
+	}
+
+	zrok, err := root.Client()
+	if err != nil {
+		panic(err)
+	}
+
+	req := admin.NewAddFrontendGrantParams()
+	req.Body.FrontendToken = frontendToken
+	req.Body.Email = accountEmail
+
+	if _, err = zrok.Admin.AddFrontendGrant(req, mustGetAdminAuth()); err != nil {
+		logrus.Errorf("error addming frontend grant: %v", err)
+		os.Exit(1)
+	}
+
+	logrus.Infof("added frontend ('%v') grant for '%v'", frontendToken, accountEmail)
+}

cmd/zrok/adminDeleteAccount.go

@@ -0,0 +1,50 @@
+package main
+
+import (
+	"github.com/openziti/zrok/environment"
+	"github.com/openziti/zrok/rest_client_zrok/admin"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	adminDeleteCmd.AddCommand(newAdminDeleteAccountCommand().cmd)
+}
+
+type adminDeleteAccountCommand struct {
+	cmd *cobra.Command
+}
+
+func newAdminDeleteAccountCommand() *adminDeleteAccountCommand {
+	cmd := &cobra.Command{
+		Use:   "account <email>",
+		Short: "Delete an account and disable all allocated resources",
+		Args:  cobra.ExactArgs(1),
+	}
+	command := &adminDeleteAccountCommand{cmd: cmd}
+	cmd.Run = command.run
+	return command
+}
+
+func (cmd *adminDeleteAccountCommand) run(_ *cobra.Command, args []string) {
+	email := args[0]
+
+	root, err := environment.LoadRoot()
+	if err != nil {
+		panic(err)
+	}
+
+	zrok, err := root.Client()
+	if err != nil {
+		panic(err)
+	}
+
+	req := admin.NewDeleteAccountParams()
+	req.Body.Email = email
+
+	if _, err := zrok.Admin.DeleteAccount(req, mustGetAdminAuth()); err != nil {
+		panic(err)
+	}
+
+	logrus.Infof("deleted account '%v'", email)
+}

cmd/zrok/adminDeleteFrontend.go

@@ -42,8 +42,7 @@ func (cmd *adminDeleteFrontendCommand) run(_ *cobra.Command, args []string) {
 	req := admin.NewDeleteFrontendParams()
 	req.Body.FrontendToken = feToken
 
-	_, err = zrok.Admin.DeleteFrontend(req, mustGetAdminAuth())
+	if _, err := zrok.Admin.DeleteFrontend(req, mustGetAdminAuth()); err != nil {
-	if err != nil {
 		panic(err)
 	}
 

cmd/zrok/adminDeleteFrontendGrant.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	"os"
+
+	"github.com/openziti/zrok/environment"
+	"github.com/openziti/zrok/rest_client_zrok/admin"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	adminDeleteCmd.AddCommand(newAdminDeleteFrontendGrantCommand().cmd)
+}
+
+type adminDeleteFrontendGrantCommand struct {
+	cmd *cobra.Command
+}
+
+func newAdminDeleteFrontendGrantCommand() *adminDeleteFrontendGrantCommand {
+	cmd := &cobra.Command{
+		Use:     "frontend-grant <frontendToken> <accountEmail>",
+		Aliases: []string{"fg"},
+		Short:   "Remove account access from a frontend",
+		Args:    cobra.ExactArgs(2),
+	}
+	command := &adminDeleteFrontendGrantCommand{cmd: cmd}
+	cmd.Run = command.run
+	return command
+}
+
+func (cmd *adminDeleteFrontendGrantCommand) run(_ *cobra.Command, args []string) {
+	frontendToken := args[0]
+	accountEmail := args[1]
+
+	root, err := environment.LoadRoot()
+	if err != nil {
+		panic(err)
+	}
+
+	zrok, err := root.Client()
+	if err != nil {
+		panic(err)
+	}
+
+	req := admin.NewDeleteFrontendGrantParams()
+	req.Body.FrontendToken = frontendToken
+	req.Body.Email = accountEmail
+
+	if _, err := zrok.Admin.DeleteFrontendGrant(req, mustGetAdminAuth()); err != nil {
+		logrus.Errorf("error deleting frontend grant: %v", err)
+		os.Exit(1)
+	}
+
+	logrus.Infof("deleted frontend ('%v') grant for '%v'", frontendToken, accountEmail)
+}

controller/access.go

@@ -134,7 +134,7 @@ func (h *accessHandler) checkAccessGrants(shr *store.Share, ownerAccountId int,
 		logrus.Infof("accessing own share '%v' for '%v'", shr.Token, principal.Email)
 		return nil
 	}
-	count, err := str.CheckAccessGrantForShareAndAccount(shr.Id, int(principal.ID), trx)
+	count, err := str.IsAccessGrantedToAccountForShare(shr.Id, int(principal.ID), trx)
 	if err != nil {
 		logrus.Infof("error checking access grants for '%v': %v", shr.Token, err)
 		return err

controller/addFrontendGrant.go

@@ -0,0 +1,64 @@
+package controller
+
+import (
+	"fmt"
+
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/openziti/zrok/rest_model_zrok"
+	"github.com/openziti/zrok/rest_server_zrok/operations/admin"
+	"github.com/sirupsen/logrus"
+)
+
+type addFrontendGrantHandler struct{}
+
+func newAddFrontendGrantHandler() *addFrontendGrantHandler {
+	return &addFrontendGrantHandler{}
+}
+
+func (h *addFrontendGrantHandler) Handle(params admin.AddFrontendGrantParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	if !principal.Admin {
+		logrus.Error("invalid admin principal")
+		return admin.NewAddFrontendGrantUnauthorized()
+	}
+
+	trx, err := str.Begin()
+	if err != nil {
+		logrus.Errorf("error starting transaction: %v", err)
+		return admin.NewAddFrontendGrantInternalServerError()
+	}
+	defer trx.Rollback()
+
+	fe, err := str.FindFrontendWithToken(params.Body.FrontendToken, trx)
+	if err != nil {
+		logrus.Errorf("error finding frontend with token '%v': %v", params.Body.FrontendToken, err)
+		return admin.NewAddFrontendGrantNotFound().WithPayload(rest_model_zrok.ErrorMessage(fmt.Sprintf("frontend token '%v' not found", params.Body.FrontendToken)))
+	}
+
+	acct, err := str.FindAccountWithEmail(params.Body.Email, trx)
+	if err != nil {
+		logrus.Errorf("error finding account with email '%v': %v", params.Body.Email, err)
+		return admin.NewAddFrontendGrantNotFound().WithPayload(rest_model_zrok.ErrorMessage(fmt.Sprintf("account '%v' not found", params.Body.Email)))
+	}
+
+	if granted, err := str.IsFrontendGrantedToAccount(fe.Id, acct.Id, trx); err != nil {
+		logrus.Errorf("error checking frontend grant for account '%v' and frontend '%v': %v", acct.Email, fe.Token, err)
+		return admin.NewAddFrontendGrantInternalServerError()
+
+	} else if !granted {
+		if _, err := str.CreateFrontendGrant(fe.Id, acct.Id, trx); err != nil {
+			logrus.Errorf("error creating frontend ('%v') grant for '%v': %v", fe.Token, acct.Email, err)
+			return admin.NewAddFrontendGrantInternalServerError()
+		}
+		logrus.Infof("granted '%v' access to frontend '%v'", acct.Email, fe.Token)
+
+		if err := trx.Commit(); err != nil {
+			logrus.Errorf("error committing transaction: %v", err)
+			return admin.NewAddFrontendGrantInternalServerError()
+		}
+
+	} else {
+		logrus.Infof("account '%v' already granted access to frontend '%v'", acct.Email, fe.Token)
+	}
+
+	return admin.NewAddFrontendGrantOK()
+}

controller/controller.go

@@ -2,6 +2,10 @@ package controller
 
 import (
 	"context"
+	"log"
+	"net/http"
+	_ "net/http/pprof"
+
 	"github.com/go-openapi/loads"
 	influxdb2 "github.com/influxdata/influxdb-client-go/v2"
 	"github.com/jessevdk/go-flags"
@@ -15,9 +19,6 @@ import (
 	"github.com/openziti/zrok/rest_server_zrok/operations/metadata"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
-	"log"
-	"net/http"
-	_ "net/http/pprof"
 )
 
 var (
@@ -51,11 +52,14 @@ func Run(inCfg *config.Config) error {
 	api.AccountResetPasswordHandler = newResetPasswordHandler(cfg)
 	api.AccountResetPasswordRequestHandler = newResetPasswordRequestHandler()
 	api.AccountVerifyHandler = newVerifyHandler()
+	api.AdminAddFrontendGrantHandler = newAddFrontendGrantHandler()
 	api.AdminAddOrganizationMemberHandler = newAddOrganizationMemberHandler()
 	api.AdminCreateAccountHandler = newCreateAccountHandler()
 	api.AdminCreateFrontendHandler = newCreateFrontendHandler()
 	api.AdminCreateIdentityHandler = newCreateIdentityHandler()
 	api.AdminCreateOrganizationHandler = newCreateOrganizationHandler()
+	api.AdminDeleteAccountHandler = newDeleteAccountHandler()
+	api.AdminDeleteFrontendGrantHandler = newDeleteFrontendGrantHandler()
 	api.AdminDeleteFrontendHandler = newDeleteFrontendHandler()
 	api.AdminDeleteOrganizationHandler = newDeleteOrganizationHandler()
 	api.AdminGrantsHandler = newGrantsHandler()

controller/createAccount.go

@@ -16,7 +16,7 @@ func newCreateAccountHandler() *createAccountHandler {
 
 func (h *createAccountHandler) Handle(params admin.CreateAccountParams, principal *rest_model_zrok.Principal) middleware.Responder {
 	if !principal.Admin {
-		logrus.Errorf("invalid admin principal")
+		logrus.Error("invalid admin principal")
 		return admin.NewCreateAccountUnauthorized()
 	}
 
@@ -36,9 +36,8 @@ func (h *createAccountHandler) Handle(params admin.CreateAccountParams, principa
 		logrus.Errorf("error starting transaction: %v", err)
 		return admin.NewCreateAccountInternalServerError()
 	}
-	defer func() {
+	defer trx.Rollback()
-		_ = trx.Rollback()
+	
-	}()
 	a := &store.Account{
 		Email:    params.Body.Email,
 		Salt:     hpwd.Salt,

controller/deleteAccount.go

@@ -0,0 +1,72 @@
+package controller
+
+import (
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/openziti/zrok/controller/zrokEdgeSdk"
+	"github.com/openziti/zrok/rest_model_zrok"
+	"github.com/openziti/zrok/rest_server_zrok/operations/admin"
+	"github.com/sirupsen/logrus"
+)
+
+type deleteAccountHandler struct{}
+
+func newDeleteAccountHandler() *deleteAccountHandler {
+	return &deleteAccountHandler{}
+}
+
+func (h *deleteAccountHandler) Handle(params admin.DeleteAccountParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	if !principal.Admin {
+		logrus.Error("invalid admin principal")
+		return admin.NewDeleteAccountUnauthorized()
+	}
+
+	logrus.Infof("starting deletion of account with email '%s'", params.Body.Email)
+
+	trx, err := str.Begin()
+	if err != nil {
+		logrus.Errorf("error starting transaction: %v", err)
+		return admin.NewDeleteAccountInternalServerError()
+	}
+	defer trx.Rollback()
+
+	account, err := str.FindAccountWithEmail(params.Body.Email, trx)
+	if err != nil {
+		logrus.Errorf("error finding account with email '%s': %v", params.Body.Email, err)
+		return admin.NewDeleteAccountNotFound()
+	}
+
+	envs, err := str.FindEnvironmentsForAccount(account.Id, trx)
+	if err != nil {
+		logrus.Errorf("error finding environments for account '%s': %v", params.Body.Email, err)
+		return admin.NewDeleteAccountInternalServerError()
+	}
+	logrus.Infof("found %d environments to clean up for account '%s'", len(envs), params.Body.Email)
+
+	edge, err := zrokEdgeSdk.Client(cfg.Ziti)
+	if err != nil {
+		logrus.Errorf("error getting edge client: %v", err)
+		return admin.NewDeleteAccountInternalServerError()
+	}
+
+	for _, env := range envs {
+		logrus.Infof("disabling environment %d (ZId: %s) for account '%s'", env.Id, env.ZId, params.Body.Email)
+		if err := disableEnvironment(env, trx, edge); err != nil {
+			logrus.Errorf("error disabling environment %d for account '%s': %v", env.Id, params.Body.Email, err)
+			return admin.NewDeleteAccountInternalServerError()
+		}
+		logrus.Infof("successfully disabled environment %d for account '%s'", env.Id, params.Body.Email)
+	}
+
+	if err := str.DeleteAccount(account.Id, trx); err != nil {
+		logrus.Errorf("error deleting account '%s': %v", params.Body.Email, err)
+		return admin.NewDeleteAccountInternalServerError()
+	}
+
+	if err := trx.Commit(); err != nil {
+		logrus.Errorf("error committing transaction: %v", err)
+		return admin.NewDeleteAccountInternalServerError()
+	}
+
+	logrus.Infof("successfully deleted account '%s'", params.Body.Email)
+	return admin.NewDeleteAccountOK()
+}

controller/deleteFrontendGrant.go

@@ -0,0 +1,64 @@
+package controller
+
+import (
+	"fmt"
+
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/openziti/zrok/rest_model_zrok"
+	"github.com/openziti/zrok/rest_server_zrok/operations/admin"
+	"github.com/sirupsen/logrus"
+)
+
+type deleteFrontendGrantHandler struct{}
+
+func newDeleteFrontendGrantHandler() *deleteFrontendGrantHandler {
+	return &deleteFrontendGrantHandler{}
+}
+
+func (h *deleteFrontendGrantHandler) Handle(params admin.DeleteFrontendGrantParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	if !principal.Admin {
+		logrus.Error("invalid admin principal")
+		return admin.NewDeleteFrontendGrantUnauthorized()
+	}
+
+	trx, err := str.Begin()
+	if err != nil {
+		logrus.Errorf("error starting transaction: %v", err)
+		return admin.NewDeleteFrontendGrantInternalServerError()
+	}
+	defer trx.Rollback()
+
+	fe, err := str.FindFrontendWithToken(params.Body.FrontendToken, trx)
+	if err != nil {
+		logrus.Errorf("error finding frontend with token '%v': %v", params.Body.FrontendToken, err)
+		return admin.NewDeleteFrontendGrantNotFound().WithPayload(rest_model_zrok.ErrorMessage(fmt.Sprintf("frontend token '%v' not found", params.Body.FrontendToken)))
+	}
+
+	acct, err := str.FindAccountWithEmail(params.Body.Email, trx)
+	if err != nil {
+		logrus.Errorf("error finding account with email '%v': %v", params.Body.Email, err)
+		return admin.NewDeleteFrontendGrantNotFound().WithPayload(rest_model_zrok.ErrorMessage(fmt.Sprintf("account '%v' not found", params.Body.Email)))
+	}
+
+	if granted, err := str.IsFrontendGrantedToAccount(fe.Id, acct.Id, trx); err != nil {
+		logrus.Errorf("error checking frontend grant for account '%v' and frontend '%v': %v", acct.Email, fe.Token, err)
+		return admin.NewDeleteFrontendGrantInternalServerError()
+
+	} else if granted {
+		if err := str.DeleteFrontendGrant(fe.Id, acct.Id, trx); err != nil {
+			logrus.Errorf("error deleting frontend ('%v') grant for '%v': %v", fe.Token, acct.Email, err)
+			return admin.NewDeleteFrontendGrantInternalServerError()
+		}
+		logrus.Infof("deleted '%v' access to frontend '%v'", acct.Email, fe.Token)
+
+		if err := trx.Commit(); err != nil {
+			logrus.Errorf("error committing transaction: %v", err)
+			return admin.NewAddFrontendGrantInternalServerError()
+		}
+
+	} else {
+		logrus.Infof("account '%v' not granted access to frontend '%v'", acct.Email, fe.Token)
+	}
+
+	return admin.NewDeleteFrontendGrantOK()
+}

controller/disable.go

@@ -3,6 +3,8 @@ package controller
 import (
 	"context"
 	"fmt"
+	"time"
+
 	"github.com/go-openapi/runtime/middleware"
 	"github.com/jmoiron/sqlx"
 	"github.com/openziti/edge-api/rest_management_api_client"
@@ -13,7 +15,6 @@ import (
 	"github.com/openziti/zrok/rest_server_zrok/operations/environment"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
-	"time"
 )
 
 type disableHandler struct{}
@@ -29,48 +30,55 @@ func (h *disableHandler) Handle(params environment.DisableParams, principal *res
 		return environment.NewDisableInternalServerError()
 	}
 	defer func() { _ = trx.Rollback() }()
+
 	env, err := str.FindEnvironmentForAccount(params.Body.Identity, int(principal.ID), trx)
 	if err != nil {
 		logrus.Errorf("identity check failed for user '%v': %v", principal.Email, err)
 		return environment.NewDisableUnauthorized()
 	}
+
 	edge, err := zrokEdgeSdk.Client(cfg.Ziti)
 	if err != nil {
 		logrus.Errorf("error getting edge client for user '%v': %v", principal.Email, err)
 		return environment.NewDisableInternalServerError()
 	}
-	if err := h.removeSharesForEnvironment(env, trx, edge); err != nil {
+
-		logrus.Errorf("error removing shares for environment for user '%v': %v", principal.Email, err)
+	if err := disableEnvironment(env, trx, edge); err != nil {
-		return environment.NewDisableInternalServerError()
+		logrus.Errorf("error disabling environment for user '%v': %v", principal.Email, err)
-	}
-	if err := h.removeFrontendsForEnvironment(env, trx, edge); err != nil {
-		logrus.Errorf("error removing frontends for environment for user '%v': %v", principal.Email, err)
-		return environment.NewDisableInternalServerError()
-	}
-	if err := h.removeAgentRemoteForEnvironment(env, trx, edge); err != nil {
-		logrus.Errorf("error removing agent remote for '%v' (%v): %v", env.ZId, principal.Email, err)
-		return environment.NewDisableInternalServerError()
-	}
-	if err := zrokEdgeSdk.DeleteEdgeRouterPolicy(env.ZId, edge); err != nil {
-		logrus.Errorf("error deleting edge router policy for user '%v': %v", principal.Email, err)
-		return environment.NewDisableInternalServerError()
-	}
-	if err := zrokEdgeSdk.DeleteIdentity(env.ZId, edge); err != nil {
-		logrus.Errorf("error deleting identity for user '%v': %v", principal.Email, err)
-		return environment.NewDisableInternalServerError()
-	}
-	if err := h.removeEnvironmentFromStore(env, trx); err != nil {
-		logrus.Errorf("error removing environment for user '%v': %v", principal.Email, err)
 		return environment.NewDisableInternalServerError()
 	}
+
 	if err := trx.Commit(); err != nil {
 		logrus.Errorf("error committing for user '%v': %v", principal.Email, err)
 		return environment.NewDisableInternalServerError()
 	}
+
 	return environment.NewDisableOK()
 }
 
-func (h *disableHandler) removeSharesForEnvironment(env *store.Environment, trx *sqlx.Tx, edge *rest_management_api_client.ZitiEdgeManagement) error {
+func disableEnvironment(env *store.Environment, trx *sqlx.Tx, edge *rest_management_api_client.ZitiEdgeManagement) error {
+	if err := removeSharesForEnvironment(env, trx, edge); err != nil {
+		return errors.Wrapf(err, "error removing shares for environment '%v'", env.ZId)
+	}
+	if err := removeFrontendsForEnvironment(env, trx, edge); err != nil {
+		return errors.Wrapf(err, "error removing frontends for environment '%v'", env.ZId)
+	}
+	if err := removeAgentRemoteForEnvironment(env, trx, edge); err != nil {
+		return errors.Wrapf(err, "error removing agent remote for '%v'", env.ZId)
+	}
+	if err := zrokEdgeSdk.DeleteEdgeRouterPolicy(env.ZId, edge); err != nil {
+		return errors.Wrapf(err, "error deleting edge router policy for environment '%v'", env.ZId)
+	}
+	if err := zrokEdgeSdk.DeleteIdentity(env.ZId, edge); err != nil {
+		return errors.Wrapf(err, "error deleting identity for environment '%v'", env.ZId)
+	}
+	if err := removeEnvironmentFromStore(env, trx); err != nil {
+		return errors.Wrapf(err, "error removing environment '%v' from store", env.ZId)
+	}
+	return nil
+}
+
+func removeSharesForEnvironment(env *store.Environment, trx *sqlx.Tx, edge *rest_management_api_client.ZitiEdgeManagement) error {
 	shrs, err := str.FindSharesForEnvironment(env.Id, trx)
 	if err != nil {
 		return err
@@ -98,7 +106,7 @@ func (h *disableHandler) removeSharesForEnvironment(env *store.Environment, trx
 	return nil
 }
 
-func (h *disableHandler) removeFrontendsForEnvironment(env *store.Environment, trx *sqlx.Tx, edge *rest_management_api_client.ZitiEdgeManagement) error {
+func removeFrontendsForEnvironment(env *store.Environment, trx *sqlx.Tx, edge *rest_management_api_client.ZitiEdgeManagement) error {
 	fes, err := str.FindFrontendsForEnvironment(env.Id, trx)
 	if err != nil {
 		return err
@@ -111,7 +119,7 @@ func (h *disableHandler) removeFrontendsForEnvironment(env *store.Environment, t
 	return nil
 }
 
-func (h *disableHandler) removeAgentRemoteForEnvironment(env *store.Environment, trx *sqlx.Tx, edge *rest_management_api_client.ZitiEdgeManagement) error {
+func removeAgentRemoteForEnvironment(env *store.Environment, trx *sqlx.Tx, edge *rest_management_api_client.ZitiEdgeManagement) error {
 	enrolled, err := str.IsAgentEnrolledForEnvironment(env.Id, trx)
 	if err != nil {
 		return err
@@ -160,7 +168,7 @@ func (h *disableHandler) removeAgentRemoteForEnvironment(env *store.Environment,
 	return nil
 }
 
-func (h *disableHandler) removeEnvironmentFromStore(env *store.Environment, trx *sqlx.Tx) error {
+func removeEnvironmentFromStore(env *store.Environment, trx *sqlx.Tx) error {
 	shrs, err := str.FindSharesForEnvironment(env.Id, trx)
 	if err != nil {
 		return errors.Wrapf(err, "error finding shares for environment '%d'", env.Id)

controller/share.go

@@ -117,7 +117,7 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
 				return share.NewShareNotFound()
 			}
 			if sfe.PermissionMode == store.ClosedPermissionMode {
-				granted, err := str.IsFrontendGrantedToAccount(int(principal.ID), sfe.Id, trx)
+				granted, err := str.IsFrontendGrantedToAccount(sfe.Id, int(principal.ID), trx)
 				if err != nil {
 					logrus.Error(err)
 					return share.NewShareInternalServerError()

controller/store/accessGrant.go

@@ -14,16 +14,16 @@ type AccessGrant struct {
 func (str *Store) CreateAccessGrant(shareId, accountId int, tx *sqlx.Tx) (int, error) {
 	stmt, err := tx.Prepare("insert into access_grants (share_id, account_id) values ($1, $2) returning id")
 	if err != nil {
-		return 0, errors.Wrap(err, "error preparing access_grant insert statement")
+		return 0, errors.Wrap(err, "error preparing access_grants insert statement")
 	}
 	var id int
 	if err := stmt.QueryRow(shareId, accountId).Scan(&id); err != nil {
-		return 0, errors.Wrap(err, "error executing access_grant insert statement")
+		return 0, errors.Wrap(err, "error executing access_grants insert statement")
 	}
 	return id, nil
 }
 
-func (str *Store) CheckAccessGrantForShareAndAccount(shrId, acctId int, tx *sqlx.Tx) (int, error) {
+func (str *Store) IsAccessGrantedToAccountForShare(shrId, acctId int, tx *sqlx.Tx) (int, error) {
 	count := 0
 	err := tx.QueryRowx("select count(0) from access_grants where share_id = $1 and account_id = $2 and not deleted", shrId, acctId).Scan(&count)
 	if err != nil {

controller/store/account.go

@@ -70,3 +70,14 @@ func (str *Store) UpdateAccount(a *Account, tx *sqlx.Tx) (int, error) {
 	}
 	return id, nil
 }
+
+func (str *Store) DeleteAccount(id int, trx *sqlx.Tx) error {
+	stmt, err := trx.Prepare("update accounts set deleted = true where id = $1")
+	if err != nil {
+		return errors.Wrap(err, "error preparing accounts delete statement")
+	}
+	if _, err := stmt.Exec(id); err != nil {
+		return errors.Wrap(err, "error executing accounts delete statement")
+	}
+	return nil
+}

controller/store/frontendGrant.go

@@ -5,14 +5,38 @@ import (
 	"github.com/pkg/errors"
 )
 
-func (str *Store) IsFrontendGrantedToAccount(acctId, frontendId int, trx *sqlx.Tx) (bool, error) {
+func (str *Store) IsFrontendGrantedToAccount(frontendId, accountId int, trx *sqlx.Tx) (bool, error) {
-	stmt, err := trx.Prepare("select count(0) from frontend_grants where account_id = $1 AND frontend_id = $2")
+	stmt, err := trx.Prepare("select count(0) from frontend_grants where frontend_id = $1 AND account_id = $2 and not deleted")
 	if err != nil {
 		return false, errors.Wrap(err, "error preparing frontend_grants select statement")
 	}
 	var count int
-	if err := stmt.QueryRow(acctId, frontendId).Scan(&count); err != nil {
+	if err := stmt.QueryRow(frontendId, accountId).Scan(&count); err != nil {
 		return false, errors.Wrap(err, "error querying frontend_grants count")
 	}
 	return count > 0, nil
 }
+
+func (str *Store) CreateFrontendGrant(frontendId, accountId int, trx *sqlx.Tx) (int, error) {
+	stmt, err := trx.Prepare("insert into frontend_grants (frontend_id, account_id) values ($1, $2) returning id")
+	if err != nil {
+		return 0, errors.Wrap(err, "error preparing frontend_grants insert statement")
+	}
+	var id int
+	if err := stmt.QueryRow(frontendId, accountId).Scan(&id); err != nil {
+		return 0, errors.Wrap(err, "error executing frontend_grants insert statement")
+	}
+	return id, nil
+}
+
+func (str *Store) DeleteFrontendGrant(frontendId, accountId int, trx *sqlx.Tx) error {
+	stmt, err := trx.Prepare("delete from frontend_grants where frontend_id = $1 and account_id = $2")
+	if err != nil {
+		return errors.Wrap(err, "error preparing frontend_grants delete for frontend and acount statement")
+	}
+	_, err = stmt.Exec(frontendId, accountId)
+	if err != nil {
+		return errors.Wrap(err, "error executing frontend_grants for frontend and account statement")
+	}
+	return nil
+}

rest_client_zrok/admin/add_frontend_grant_parameters.go

@@ -0,0 +1,146 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewAddFrontendGrantParams creates a new AddFrontendGrantParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewAddFrontendGrantParams() *AddFrontendGrantParams {
+	return &AddFrontendGrantParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewAddFrontendGrantParamsWithTimeout creates a new AddFrontendGrantParams object
+// with the ability to set a timeout on a request.
+func NewAddFrontendGrantParamsWithTimeout(timeout time.Duration) *AddFrontendGrantParams {
+	return &AddFrontendGrantParams{
+		timeout: timeout,
+	}
+}
+
+// NewAddFrontendGrantParamsWithContext creates a new AddFrontendGrantParams object
+// with the ability to set a context for a request.
+func NewAddFrontendGrantParamsWithContext(ctx context.Context) *AddFrontendGrantParams {
+	return &AddFrontendGrantParams{
+		Context: ctx,
+	}
+}
+
+// NewAddFrontendGrantParamsWithHTTPClient creates a new AddFrontendGrantParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewAddFrontendGrantParamsWithHTTPClient(client *http.Client) *AddFrontendGrantParams {
+	return &AddFrontendGrantParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+AddFrontendGrantParams contains all the parameters to send to the API endpoint
+
+	for the add frontend grant operation.
+
+	Typically these are written to a http.Request.
+*/
+type AddFrontendGrantParams struct {
+
+	// Body.
+	Body AddFrontendGrantBody
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the add frontend grant params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *AddFrontendGrantParams) WithDefaults() *AddFrontendGrantParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the add frontend grant params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *AddFrontendGrantParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the add frontend grant params
+func (o *AddFrontendGrantParams) WithTimeout(timeout time.Duration) *AddFrontendGrantParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the add frontend grant params
+func (o *AddFrontendGrantParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the add frontend grant params
+func (o *AddFrontendGrantParams) WithContext(ctx context.Context) *AddFrontendGrantParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the add frontend grant params
+func (o *AddFrontendGrantParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the add frontend grant params
+func (o *AddFrontendGrantParams) WithHTTPClient(client *http.Client) *AddFrontendGrantParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the add frontend grant params
+func (o *AddFrontendGrantParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the add frontend grant params
+func (o *AddFrontendGrantParams) WithBody(body AddFrontendGrantBody) *AddFrontendGrantParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the add frontend grant params
+func (o *AddFrontendGrantParams) SetBody(body AddFrontendGrantBody) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *AddFrontendGrantParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}

rest_client_zrok/admin/add_frontend_grant_responses.go

@@ -0,0 +1,330 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// AddFrontendGrantReader is a Reader for the AddFrontendGrant structure.
+type AddFrontendGrantReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *AddFrontendGrantReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewAddFrontendGrantOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 401:
+		result := NewAddFrontendGrantUnauthorized()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 404:
+		result := NewAddFrontendGrantNotFound()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 500:
+		result := NewAddFrontendGrantInternalServerError()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[POST /frontend/grant] addFrontendGrant", response, response.Code())
+	}
+}
+
+// NewAddFrontendGrantOK creates a AddFrontendGrantOK with default headers values
+func NewAddFrontendGrantOK() *AddFrontendGrantOK {
+	return &AddFrontendGrantOK{}
+}
+
+/*
+AddFrontendGrantOK describes a response with status code 200, with default header values.
+
+ok
+*/
+type AddFrontendGrantOK struct {
+}
+
+// IsSuccess returns true when this add frontend grant o k response has a 2xx status code
+func (o *AddFrontendGrantOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this add frontend grant o k response has a 3xx status code
+func (o *AddFrontendGrantOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this add frontend grant o k response has a 4xx status code
+func (o *AddFrontendGrantOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this add frontend grant o k response has a 5xx status code
+func (o *AddFrontendGrantOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this add frontend grant o k response a status code equal to that given
+func (o *AddFrontendGrantOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the add frontend grant o k response
+func (o *AddFrontendGrantOK) Code() int {
+	return 200
+}
+
+func (o *AddFrontendGrantOK) Error() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantOK ", 200)
+}
+
+func (o *AddFrontendGrantOK) String() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantOK ", 200)
+}
+
+func (o *AddFrontendGrantOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewAddFrontendGrantUnauthorized creates a AddFrontendGrantUnauthorized with default headers values
+func NewAddFrontendGrantUnauthorized() *AddFrontendGrantUnauthorized {
+	return &AddFrontendGrantUnauthorized{}
+}
+
+/*
+AddFrontendGrantUnauthorized describes a response with status code 401, with default header values.
+
+unauthorized
+*/
+type AddFrontendGrantUnauthorized struct {
+}
+
+// IsSuccess returns true when this add frontend grant unauthorized response has a 2xx status code
+func (o *AddFrontendGrantUnauthorized) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this add frontend grant unauthorized response has a 3xx status code
+func (o *AddFrontendGrantUnauthorized) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this add frontend grant unauthorized response has a 4xx status code
+func (o *AddFrontendGrantUnauthorized) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this add frontend grant unauthorized response has a 5xx status code
+func (o *AddFrontendGrantUnauthorized) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this add frontend grant unauthorized response a status code equal to that given
+func (o *AddFrontendGrantUnauthorized) IsCode(code int) bool {
+	return code == 401
+}
+
+// Code gets the status code for the add frontend grant unauthorized response
+func (o *AddFrontendGrantUnauthorized) Code() int {
+	return 401
+}
+
+func (o *AddFrontendGrantUnauthorized) Error() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantUnauthorized ", 401)
+}
+
+func (o *AddFrontendGrantUnauthorized) String() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantUnauthorized ", 401)
+}
+
+func (o *AddFrontendGrantUnauthorized) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewAddFrontendGrantNotFound creates a AddFrontendGrantNotFound with default headers values
+func NewAddFrontendGrantNotFound() *AddFrontendGrantNotFound {
+	return &AddFrontendGrantNotFound{}
+}
+
+/*
+AddFrontendGrantNotFound describes a response with status code 404, with default header values.
+
+not found
+*/
+type AddFrontendGrantNotFound struct {
+	Payload rest_model_zrok.ErrorMessage
+}
+
+// IsSuccess returns true when this add frontend grant not found response has a 2xx status code
+func (o *AddFrontendGrantNotFound) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this add frontend grant not found response has a 3xx status code
+func (o *AddFrontendGrantNotFound) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this add frontend grant not found response has a 4xx status code
+func (o *AddFrontendGrantNotFound) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this add frontend grant not found response has a 5xx status code
+func (o *AddFrontendGrantNotFound) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this add frontend grant not found response a status code equal to that given
+func (o *AddFrontendGrantNotFound) IsCode(code int) bool {
+	return code == 404
+}
+
+// Code gets the status code for the add frontend grant not found response
+func (o *AddFrontendGrantNotFound) Code() int {
+	return 404
+}
+
+func (o *AddFrontendGrantNotFound) Error() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantNotFound  %+v", 404, o.Payload)
+}
+
+func (o *AddFrontendGrantNotFound) String() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantNotFound  %+v", 404, o.Payload)
+}
+
+func (o *AddFrontendGrantNotFound) GetPayload() rest_model_zrok.ErrorMessage {
+	return o.Payload
+}
+
+func (o *AddFrontendGrantNotFound) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewAddFrontendGrantInternalServerError creates a AddFrontendGrantInternalServerError with default headers values
+func NewAddFrontendGrantInternalServerError() *AddFrontendGrantInternalServerError {
+	return &AddFrontendGrantInternalServerError{}
+}
+
+/*
+AddFrontendGrantInternalServerError describes a response with status code 500, with default header values.
+
+internal server error
+*/
+type AddFrontendGrantInternalServerError struct {
+}
+
+// IsSuccess returns true when this add frontend grant internal server error response has a 2xx status code
+func (o *AddFrontendGrantInternalServerError) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this add frontend grant internal server error response has a 3xx status code
+func (o *AddFrontendGrantInternalServerError) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this add frontend grant internal server error response has a 4xx status code
+func (o *AddFrontendGrantInternalServerError) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this add frontend grant internal server error response has a 5xx status code
+func (o *AddFrontendGrantInternalServerError) IsServerError() bool {
+	return true
+}
+
+// IsCode returns true when this add frontend grant internal server error response a status code equal to that given
+func (o *AddFrontendGrantInternalServerError) IsCode(code int) bool {
+	return code == 500
+}
+
+// Code gets the status code for the add frontend grant internal server error response
+func (o *AddFrontendGrantInternalServerError) Code() int {
+	return 500
+}
+
+func (o *AddFrontendGrantInternalServerError) Error() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantInternalServerError ", 500)
+}
+
+func (o *AddFrontendGrantInternalServerError) String() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantInternalServerError ", 500)
+}
+
+func (o *AddFrontendGrantInternalServerError) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+/*
+AddFrontendGrantBody add frontend grant body
+swagger:model AddFrontendGrantBody
+*/
+type AddFrontendGrantBody struct {
+
+	// email
+	Email string `json:"email,omitempty"`
+
+	// frontend token
+	FrontendToken string `json:"frontendToken,omitempty"`
+}
+
+// Validate validates this add frontend grant body
+func (o *AddFrontendGrantBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this add frontend grant body based on context it is used
+func (o *AddFrontendGrantBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *AddFrontendGrantBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *AddFrontendGrantBody) UnmarshalBinary(b []byte) error {
+	var res AddFrontendGrantBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_client_zrok/admin/admin_client.go

@@ -30,6 +30,8 @@ type ClientOption func(*runtime.ClientOperation)
 
 // ClientService is the interface for Client methods
 type ClientService interface {
+	AddFrontendGrant(params *AddFrontendGrantParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*AddFrontendGrantOK, error)
+
 	AddOrganizationMember(params *AddOrganizationMemberParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*AddOrganizationMemberCreated, error)
 
 	CreateAccount(params *CreateAccountParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateAccountCreated, error)
@@ -40,8 +42,12 @@ type ClientService interface {
 
 	CreateOrganization(params *CreateOrganizationParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateOrganizationCreated, error)
 
+	DeleteAccount(params *DeleteAccountParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteAccountOK, error)
+
 	DeleteFrontend(params *DeleteFrontendParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteFrontendOK, error)
 
+	DeleteFrontendGrant(params *DeleteFrontendGrantParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteFrontendGrantOK, error)
+
 	DeleteOrganization(params *DeleteOrganizationParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteOrganizationOK, error)
 
 	Grants(params *GrantsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*GrantsOK, error)
@@ -61,6 +67,45 @@ type ClientService interface {
 	SetTransport(transport runtime.ClientTransport)
 }
 
+/*
+AddFrontendGrant add frontend grant API
+*/
+func (a *Client) AddFrontendGrant(params *AddFrontendGrantParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*AddFrontendGrantOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewAddFrontendGrantParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "addFrontendGrant",
+		Method:             "POST",
+		PathPattern:        "/frontend/grant",
+		ProducesMediaTypes: []string{"application/zrok.v1+json"},
+		ConsumesMediaTypes: []string{"application/zrok.v1+json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &AddFrontendGrantReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*AddFrontendGrantOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for addFrontendGrant: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
 /*
 AddOrganizationMember add organization member API
 */
@@ -256,6 +301,45 @@ func (a *Client) CreateOrganization(params *CreateOrganizationParams, authInfo r
 	panic(msg)
 }
 
+/*
+DeleteAccount delete account API
+*/
+func (a *Client) DeleteAccount(params *DeleteAccountParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteAccountOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewDeleteAccountParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "deleteAccount",
+		Method:             "DELETE",
+		PathPattern:        "/account",
+		ProducesMediaTypes: []string{"application/zrok.v1+json"},
+		ConsumesMediaTypes: []string{"application/zrok.v1+json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &DeleteAccountReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*DeleteAccountOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for deleteAccount: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
 /*
 DeleteFrontend delete frontend API
 */
@@ -295,6 +379,45 @@ func (a *Client) DeleteFrontend(params *DeleteFrontendParams, authInfo runtime.C
 	panic(msg)
 }
 
+/*
+DeleteFrontendGrant delete frontend grant API
+*/
+func (a *Client) DeleteFrontendGrant(params *DeleteFrontendGrantParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteFrontendGrantOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewDeleteFrontendGrantParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "deleteFrontendGrant",
+		Method:             "DELETE",
+		PathPattern:        "/frontend/grant",
+		ProducesMediaTypes: []string{"application/zrok.v1+json"},
+		ConsumesMediaTypes: []string{"application/zrok.v1+json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &DeleteFrontendGrantReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*DeleteFrontendGrantOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for deleteFrontendGrant: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
 /*
 DeleteOrganization delete organization API
 */

rest_client_zrok/admin/delete_account_parameters.go

@@ -0,0 +1,146 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewDeleteAccountParams creates a new DeleteAccountParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewDeleteAccountParams() *DeleteAccountParams {
+	return &DeleteAccountParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewDeleteAccountParamsWithTimeout creates a new DeleteAccountParams object
+// with the ability to set a timeout on a request.
+func NewDeleteAccountParamsWithTimeout(timeout time.Duration) *DeleteAccountParams {
+	return &DeleteAccountParams{
+		timeout: timeout,
+	}
+}
+
+// NewDeleteAccountParamsWithContext creates a new DeleteAccountParams object
+// with the ability to set a context for a request.
+func NewDeleteAccountParamsWithContext(ctx context.Context) *DeleteAccountParams {
+	return &DeleteAccountParams{
+		Context: ctx,
+	}
+}
+
+// NewDeleteAccountParamsWithHTTPClient creates a new DeleteAccountParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewDeleteAccountParamsWithHTTPClient(client *http.Client) *DeleteAccountParams {
+	return &DeleteAccountParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+DeleteAccountParams contains all the parameters to send to the API endpoint
+
+	for the delete account operation.
+
+	Typically these are written to a http.Request.
+*/
+type DeleteAccountParams struct {
+
+	// Body.
+	Body DeleteAccountBody
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the delete account params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteAccountParams) WithDefaults() *DeleteAccountParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the delete account params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteAccountParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the delete account params
+func (o *DeleteAccountParams) WithTimeout(timeout time.Duration) *DeleteAccountParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the delete account params
+func (o *DeleteAccountParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the delete account params
+func (o *DeleteAccountParams) WithContext(ctx context.Context) *DeleteAccountParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the delete account params
+func (o *DeleteAccountParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the delete account params
+func (o *DeleteAccountParams) WithHTTPClient(client *http.Client) *DeleteAccountParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the delete account params
+func (o *DeleteAccountParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the delete account params
+func (o *DeleteAccountParams) WithBody(body DeleteAccountBody) *DeleteAccountParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the delete account params
+func (o *DeleteAccountParams) SetBody(body DeleteAccountBody) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *DeleteAccountParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}

rest_client_zrok/admin/delete_account_responses.go

@@ -0,0 +1,314 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// DeleteAccountReader is a Reader for the DeleteAccount structure.
+type DeleteAccountReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *DeleteAccountReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewDeleteAccountOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 401:
+		result := NewDeleteAccountUnauthorized()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 404:
+		result := NewDeleteAccountNotFound()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 500:
+		result := NewDeleteAccountInternalServerError()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[DELETE /account] deleteAccount", response, response.Code())
+	}
+}
+
+// NewDeleteAccountOK creates a DeleteAccountOK with default headers values
+func NewDeleteAccountOK() *DeleteAccountOK {
+	return &DeleteAccountOK{}
+}
+
+/*
+DeleteAccountOK describes a response with status code 200, with default header values.
+
+ok
+*/
+type DeleteAccountOK struct {
+}
+
+// IsSuccess returns true when this delete account o k response has a 2xx status code
+func (o *DeleteAccountOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this delete account o k response has a 3xx status code
+func (o *DeleteAccountOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete account o k response has a 4xx status code
+func (o *DeleteAccountOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this delete account o k response has a 5xx status code
+func (o *DeleteAccountOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this delete account o k response a status code equal to that given
+func (o *DeleteAccountOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the delete account o k response
+func (o *DeleteAccountOK) Code() int {
+	return 200
+}
+
+func (o *DeleteAccountOK) Error() string {
+	return fmt.Sprintf("[DELETE /account][%d] deleteAccountOK ", 200)
+}
+
+func (o *DeleteAccountOK) String() string {
+	return fmt.Sprintf("[DELETE /account][%d] deleteAccountOK ", 200)
+}
+
+func (o *DeleteAccountOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewDeleteAccountUnauthorized creates a DeleteAccountUnauthorized with default headers values
+func NewDeleteAccountUnauthorized() *DeleteAccountUnauthorized {
+	return &DeleteAccountUnauthorized{}
+}
+
+/*
+DeleteAccountUnauthorized describes a response with status code 401, with default header values.
+
+unauthorized
+*/
+type DeleteAccountUnauthorized struct {
+}
+
+// IsSuccess returns true when this delete account unauthorized response has a 2xx status code
+func (o *DeleteAccountUnauthorized) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this delete account unauthorized response has a 3xx status code
+func (o *DeleteAccountUnauthorized) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete account unauthorized response has a 4xx status code
+func (o *DeleteAccountUnauthorized) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this delete account unauthorized response has a 5xx status code
+func (o *DeleteAccountUnauthorized) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this delete account unauthorized response a status code equal to that given
+func (o *DeleteAccountUnauthorized) IsCode(code int) bool {
+	return code == 401
+}
+
+// Code gets the status code for the delete account unauthorized response
+func (o *DeleteAccountUnauthorized) Code() int {
+	return 401
+}
+
+func (o *DeleteAccountUnauthorized) Error() string {
+	return fmt.Sprintf("[DELETE /account][%d] deleteAccountUnauthorized ", 401)
+}
+
+func (o *DeleteAccountUnauthorized) String() string {
+	return fmt.Sprintf("[DELETE /account][%d] deleteAccountUnauthorized ", 401)
+}
+
+func (o *DeleteAccountUnauthorized) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewDeleteAccountNotFound creates a DeleteAccountNotFound with default headers values
+func NewDeleteAccountNotFound() *DeleteAccountNotFound {
+	return &DeleteAccountNotFound{}
+}
+
+/*
+DeleteAccountNotFound describes a response with status code 404, with default header values.
+
+not found
+*/
+type DeleteAccountNotFound struct {
+}
+
+// IsSuccess returns true when this delete account not found response has a 2xx status code
+func (o *DeleteAccountNotFound) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this delete account not found response has a 3xx status code
+func (o *DeleteAccountNotFound) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete account not found response has a 4xx status code
+func (o *DeleteAccountNotFound) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this delete account not found response has a 5xx status code
+func (o *DeleteAccountNotFound) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this delete account not found response a status code equal to that given
+func (o *DeleteAccountNotFound) IsCode(code int) bool {
+	return code == 404
+}
+
+// Code gets the status code for the delete account not found response
+func (o *DeleteAccountNotFound) Code() int {
+	return 404
+}
+
+func (o *DeleteAccountNotFound) Error() string {
+	return fmt.Sprintf("[DELETE /account][%d] deleteAccountNotFound ", 404)
+}
+
+func (o *DeleteAccountNotFound) String() string {
+	return fmt.Sprintf("[DELETE /account][%d] deleteAccountNotFound ", 404)
+}
+
+func (o *DeleteAccountNotFound) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewDeleteAccountInternalServerError creates a DeleteAccountInternalServerError with default headers values
+func NewDeleteAccountInternalServerError() *DeleteAccountInternalServerError {
+	return &DeleteAccountInternalServerError{}
+}
+
+/*
+DeleteAccountInternalServerError describes a response with status code 500, with default header values.
+
+internal server error
+*/
+type DeleteAccountInternalServerError struct {
+}
+
+// IsSuccess returns true when this delete account internal server error response has a 2xx status code
+func (o *DeleteAccountInternalServerError) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this delete account internal server error response has a 3xx status code
+func (o *DeleteAccountInternalServerError) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete account internal server error response has a 4xx status code
+func (o *DeleteAccountInternalServerError) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this delete account internal server error response has a 5xx status code
+func (o *DeleteAccountInternalServerError) IsServerError() bool {
+	return true
+}
+
+// IsCode returns true when this delete account internal server error response a status code equal to that given
+func (o *DeleteAccountInternalServerError) IsCode(code int) bool {
+	return code == 500
+}
+
+// Code gets the status code for the delete account internal server error response
+func (o *DeleteAccountInternalServerError) Code() int {
+	return 500
+}
+
+func (o *DeleteAccountInternalServerError) Error() string {
+	return fmt.Sprintf("[DELETE /account][%d] deleteAccountInternalServerError ", 500)
+}
+
+func (o *DeleteAccountInternalServerError) String() string {
+	return fmt.Sprintf("[DELETE /account][%d] deleteAccountInternalServerError ", 500)
+}
+
+func (o *DeleteAccountInternalServerError) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+/*
+DeleteAccountBody delete account body
+swagger:model DeleteAccountBody
+*/
+type DeleteAccountBody struct {
+
+	// email
+	Email string `json:"email,omitempty"`
+}
+
+// Validate validates this delete account body
+func (o *DeleteAccountBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this delete account body based on context it is used
+func (o *DeleteAccountBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *DeleteAccountBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *DeleteAccountBody) UnmarshalBinary(b []byte) error {
+	var res DeleteAccountBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_client_zrok/admin/delete_frontend_grant_parameters.go

@@ -0,0 +1,146 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewDeleteFrontendGrantParams creates a new DeleteFrontendGrantParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewDeleteFrontendGrantParams() *DeleteFrontendGrantParams {
+	return &DeleteFrontendGrantParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewDeleteFrontendGrantParamsWithTimeout creates a new DeleteFrontendGrantParams object
+// with the ability to set a timeout on a request.
+func NewDeleteFrontendGrantParamsWithTimeout(timeout time.Duration) *DeleteFrontendGrantParams {
+	return &DeleteFrontendGrantParams{
+		timeout: timeout,
+	}
+}
+
+// NewDeleteFrontendGrantParamsWithContext creates a new DeleteFrontendGrantParams object
+// with the ability to set a context for a request.
+func NewDeleteFrontendGrantParamsWithContext(ctx context.Context) *DeleteFrontendGrantParams {
+	return &DeleteFrontendGrantParams{
+		Context: ctx,
+	}
+}
+
+// NewDeleteFrontendGrantParamsWithHTTPClient creates a new DeleteFrontendGrantParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewDeleteFrontendGrantParamsWithHTTPClient(client *http.Client) *DeleteFrontendGrantParams {
+	return &DeleteFrontendGrantParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+DeleteFrontendGrantParams contains all the parameters to send to the API endpoint
+
+	for the delete frontend grant operation.
+
+	Typically these are written to a http.Request.
+*/
+type DeleteFrontendGrantParams struct {
+
+	// Body.
+	Body DeleteFrontendGrantBody
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the delete frontend grant params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteFrontendGrantParams) WithDefaults() *DeleteFrontendGrantParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the delete frontend grant params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteFrontendGrantParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) WithTimeout(timeout time.Duration) *DeleteFrontendGrantParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) WithContext(ctx context.Context) *DeleteFrontendGrantParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) WithHTTPClient(client *http.Client) *DeleteFrontendGrantParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) WithBody(body DeleteFrontendGrantBody) *DeleteFrontendGrantParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) SetBody(body DeleteFrontendGrantBody) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *DeleteFrontendGrantParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}

rest_client_zrok/admin/delete_frontend_grant_responses.go

@@ -0,0 +1,330 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// DeleteFrontendGrantReader is a Reader for the DeleteFrontendGrant structure.
+type DeleteFrontendGrantReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *DeleteFrontendGrantReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewDeleteFrontendGrantOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 401:
+		result := NewDeleteFrontendGrantUnauthorized()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 404:
+		result := NewDeleteFrontendGrantNotFound()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 500:
+		result := NewDeleteFrontendGrantInternalServerError()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[DELETE /frontend/grant] deleteFrontendGrant", response, response.Code())
+	}
+}
+
+// NewDeleteFrontendGrantOK creates a DeleteFrontendGrantOK with default headers values
+func NewDeleteFrontendGrantOK() *DeleteFrontendGrantOK {
+	return &DeleteFrontendGrantOK{}
+}
+
+/*
+DeleteFrontendGrantOK describes a response with status code 200, with default header values.
+
+ok
+*/
+type DeleteFrontendGrantOK struct {
+}
+
+// IsSuccess returns true when this delete frontend grant o k response has a 2xx status code
+func (o *DeleteFrontendGrantOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this delete frontend grant o k response has a 3xx status code
+func (o *DeleteFrontendGrantOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete frontend grant o k response has a 4xx status code
+func (o *DeleteFrontendGrantOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this delete frontend grant o k response has a 5xx status code
+func (o *DeleteFrontendGrantOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this delete frontend grant o k response a status code equal to that given
+func (o *DeleteFrontendGrantOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the delete frontend grant o k response
+func (o *DeleteFrontendGrantOK) Code() int {
+	return 200
+}
+
+func (o *DeleteFrontendGrantOK) Error() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantOK ", 200)
+}
+
+func (o *DeleteFrontendGrantOK) String() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantOK ", 200)
+}
+
+func (o *DeleteFrontendGrantOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewDeleteFrontendGrantUnauthorized creates a DeleteFrontendGrantUnauthorized with default headers values
+func NewDeleteFrontendGrantUnauthorized() *DeleteFrontendGrantUnauthorized {
+	return &DeleteFrontendGrantUnauthorized{}
+}
+
+/*
+DeleteFrontendGrantUnauthorized describes a response with status code 401, with default header values.
+
+unauthorized
+*/
+type DeleteFrontendGrantUnauthorized struct {
+}
+
+// IsSuccess returns true when this delete frontend grant unauthorized response has a 2xx status code
+func (o *DeleteFrontendGrantUnauthorized) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this delete frontend grant unauthorized response has a 3xx status code
+func (o *DeleteFrontendGrantUnauthorized) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete frontend grant unauthorized response has a 4xx status code
+func (o *DeleteFrontendGrantUnauthorized) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this delete frontend grant unauthorized response has a 5xx status code
+func (o *DeleteFrontendGrantUnauthorized) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this delete frontend grant unauthorized response a status code equal to that given
+func (o *DeleteFrontendGrantUnauthorized) IsCode(code int) bool {
+	return code == 401
+}
+
+// Code gets the status code for the delete frontend grant unauthorized response
+func (o *DeleteFrontendGrantUnauthorized) Code() int {
+	return 401
+}
+
+func (o *DeleteFrontendGrantUnauthorized) Error() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantUnauthorized ", 401)
+}
+
+func (o *DeleteFrontendGrantUnauthorized) String() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantUnauthorized ", 401)
+}
+
+func (o *DeleteFrontendGrantUnauthorized) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewDeleteFrontendGrantNotFound creates a DeleteFrontendGrantNotFound with default headers values
+func NewDeleteFrontendGrantNotFound() *DeleteFrontendGrantNotFound {
+	return &DeleteFrontendGrantNotFound{}
+}
+
+/*
+DeleteFrontendGrantNotFound describes a response with status code 404, with default header values.
+
+not found
+*/
+type DeleteFrontendGrantNotFound struct {
+	Payload rest_model_zrok.ErrorMessage
+}
+
+// IsSuccess returns true when this delete frontend grant not found response has a 2xx status code
+func (o *DeleteFrontendGrantNotFound) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this delete frontend grant not found response has a 3xx status code
+func (o *DeleteFrontendGrantNotFound) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete frontend grant not found response has a 4xx status code
+func (o *DeleteFrontendGrantNotFound) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this delete frontend grant not found response has a 5xx status code
+func (o *DeleteFrontendGrantNotFound) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this delete frontend grant not found response a status code equal to that given
+func (o *DeleteFrontendGrantNotFound) IsCode(code int) bool {
+	return code == 404
+}
+
+// Code gets the status code for the delete frontend grant not found response
+func (o *DeleteFrontendGrantNotFound) Code() int {
+	return 404
+}
+
+func (o *DeleteFrontendGrantNotFound) Error() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantNotFound  %+v", 404, o.Payload)
+}
+
+func (o *DeleteFrontendGrantNotFound) String() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantNotFound  %+v", 404, o.Payload)
+}
+
+func (o *DeleteFrontendGrantNotFound) GetPayload() rest_model_zrok.ErrorMessage {
+	return o.Payload
+}
+
+func (o *DeleteFrontendGrantNotFound) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewDeleteFrontendGrantInternalServerError creates a DeleteFrontendGrantInternalServerError with default headers values
+func NewDeleteFrontendGrantInternalServerError() *DeleteFrontendGrantInternalServerError {
+	return &DeleteFrontendGrantInternalServerError{}
+}
+
+/*
+DeleteFrontendGrantInternalServerError describes a response with status code 500, with default header values.
+
+internal server error
+*/
+type DeleteFrontendGrantInternalServerError struct {
+}
+
+// IsSuccess returns true when this delete frontend grant internal server error response has a 2xx status code
+func (o *DeleteFrontendGrantInternalServerError) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this delete frontend grant internal server error response has a 3xx status code
+func (o *DeleteFrontendGrantInternalServerError) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete frontend grant internal server error response has a 4xx status code
+func (o *DeleteFrontendGrantInternalServerError) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this delete frontend grant internal server error response has a 5xx status code
+func (o *DeleteFrontendGrantInternalServerError) IsServerError() bool {
+	return true
+}
+
+// IsCode returns true when this delete frontend grant internal server error response a status code equal to that given
+func (o *DeleteFrontendGrantInternalServerError) IsCode(code int) bool {
+	return code == 500
+}
+
+// Code gets the status code for the delete frontend grant internal server error response
+func (o *DeleteFrontendGrantInternalServerError) Code() int {
+	return 500
+}
+
+func (o *DeleteFrontendGrantInternalServerError) Error() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantInternalServerError ", 500)
+}
+
+func (o *DeleteFrontendGrantInternalServerError) String() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantInternalServerError ", 500)
+}
+
+func (o *DeleteFrontendGrantInternalServerError) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+/*
+DeleteFrontendGrantBody delete frontend grant body
+swagger:model DeleteFrontendGrantBody
+*/
+type DeleteFrontendGrantBody struct {
+
+	// email
+	Email string `json:"email,omitempty"`
+
+	// frontend token
+	FrontendToken string `json:"frontendToken,omitempty"`
+}
+
+// Validate validates this delete frontend grant body
+func (o *DeleteFrontendGrantBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this delete frontend grant body based on context it is used
+func (o *DeleteFrontendGrantBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *DeleteFrontendGrantBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *DeleteFrontendGrantBody) UnmarshalBinary(b []byte) error {
+	var res DeleteFrontendGrantBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_server_zrok/embedded_spec.go

@@ -183,6 +183,44 @@ func init() {
             "description": "internal server error"
           }
         }
+      },
+      "delete": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "deleteAccount",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "properties": {
+                "email": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "404": {
+            "description": "not found"
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
       }
     },
     "/agent/access": {
@@ -1175,6 +1213,98 @@ func init() {
         }
       }
     },
+    "/frontend/grant": {
+      "post": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "addFrontendGrant",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "type": "object",
+              "properties": {
+                "email": {
+                  "type": "string"
+                },
+                "frontendToken": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "404": {
+            "description": "not found",
+            "schema": {
+              "$ref": "#/definitions/errorMessage"
+            }
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      },
+      "delete": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "deleteFrontendGrant",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "type": "object",
+              "properties": {
+                "email": {
+                  "type": "string"
+                },
+                "frontendToken": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "404": {
+            "description": "not found",
+            "schema": {
+              "$ref": "#/definitions/errorMessage"
+            }
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      }
+    },
     "/frontends": {
       "get": {
         "security": [
@@ -3010,6 +3140,44 @@ func init() {
             "description": "internal server error"
           }
         }
+      },
+      "delete": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "deleteAccount",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "properties": {
+                "email": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "404": {
+            "description": "not found"
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
       }
     },
     "/agent/access": {
@@ -3956,6 +4124,98 @@ func init() {
         }
       }
     },
+    "/frontend/grant": {
+      "post": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "addFrontendGrant",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "type": "object",
+              "properties": {
+                "email": {
+                  "type": "string"
+                },
+                "frontendToken": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "404": {
+            "description": "not found",
+            "schema": {
+              "$ref": "#/definitions/errorMessage"
+            }
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      },
+      "delete": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "deleteFrontendGrant",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "type": "object",
+              "properties": {
+                "email": {
+                  "type": "string"
+                },
+                "frontendToken": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "404": {
+            "description": "not found",
+            "schema": {
+              "$ref": "#/definitions/errorMessage"
+            }
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      }
+    },
     "/frontends": {
       "get": {
         "security": [

rest_server_zrok/operations/admin/add_frontend_grant.go

@@ -0,0 +1,114 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// AddFrontendGrantHandlerFunc turns a function with the right signature into a add frontend grant handler
+type AddFrontendGrantHandlerFunc func(AddFrontendGrantParams, *rest_model_zrok.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn AddFrontendGrantHandlerFunc) Handle(params AddFrontendGrantParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// AddFrontendGrantHandler interface for that can handle valid add frontend grant params
+type AddFrontendGrantHandler interface {
+	Handle(AddFrontendGrantParams, *rest_model_zrok.Principal) middleware.Responder
+}
+
+// NewAddFrontendGrant creates a new http.Handler for the add frontend grant operation
+func NewAddFrontendGrant(ctx *middleware.Context, handler AddFrontendGrantHandler) *AddFrontendGrant {
+	return &AddFrontendGrant{Context: ctx, Handler: handler}
+}
+
+/*
+	AddFrontendGrant swagger:route POST /frontend/grant admin addFrontendGrant
+
+AddFrontendGrant add frontend grant API
+*/
+type AddFrontendGrant struct {
+	Context *middleware.Context
+	Handler AddFrontendGrantHandler
+}
+
+func (o *AddFrontendGrant) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		*r = *rCtx
+	}
+	var Params = NewAddFrontendGrantParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *rest_model_zrok.Principal
+	if uprinc != nil {
+		principal = uprinc.(*rest_model_zrok.Principal) // this is really a rest_model_zrok.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
+
+// AddFrontendGrantBody add frontend grant body
+//
+// swagger:model AddFrontendGrantBody
+type AddFrontendGrantBody struct {
+
+	// email
+	Email string `json:"email,omitempty"`
+
+	// frontend token
+	FrontendToken string `json:"frontendToken,omitempty"`
+}
+
+// Validate validates this add frontend grant body
+func (o *AddFrontendGrantBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this add frontend grant body based on context it is used
+func (o *AddFrontendGrantBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *AddFrontendGrantBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *AddFrontendGrantBody) UnmarshalBinary(b []byte) error {
+	var res AddFrontendGrantBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_server_zrok/operations/admin/add_frontend_grant_parameters.go

@@ -0,0 +1,74 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/validate"
+)
+
+// NewAddFrontendGrantParams creates a new AddFrontendGrantParams object
+//
+// There are no default values defined in the spec.
+func NewAddFrontendGrantParams() AddFrontendGrantParams {
+
+	return AddFrontendGrantParams{}
+}
+
+// AddFrontendGrantParams contains all the bound params for the add frontend grant operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters addFrontendGrant
+type AddFrontendGrantParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  In: body
+	*/
+	Body AddFrontendGrantBody
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewAddFrontendGrantParams() beforehand.
+func (o *AddFrontendGrantParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	if runtime.HasBody(r) {
+		defer r.Body.Close()
+		var body AddFrontendGrantBody
+		if err := route.Consumer.Consume(r.Body, &body); err != nil {
+			res = append(res, errors.NewParseError("body", "body", "", err))
+		} else {
+			// validate body object
+			if err := body.Validate(route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			ctx := validate.WithOperationRequest(r.Context())
+			if err := body.ContextValidate(ctx, route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			if len(res) == 0 {
+				o.Body = body
+			}
+		}
+	}
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}

rest_server_zrok/operations/admin/add_frontend_grant_responses.go

@@ -0,0 +1,132 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// AddFrontendGrantOKCode is the HTTP code returned for type AddFrontendGrantOK
+const AddFrontendGrantOKCode int = 200
+
+/*
+AddFrontendGrantOK ok
+
+swagger:response addFrontendGrantOK
+*/
+type AddFrontendGrantOK struct {
+}
+
+// NewAddFrontendGrantOK creates AddFrontendGrantOK with default headers values
+func NewAddFrontendGrantOK() *AddFrontendGrantOK {
+
+	return &AddFrontendGrantOK{}
+}
+
+// WriteResponse to the client
+func (o *AddFrontendGrantOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(200)
+}
+
+// AddFrontendGrantUnauthorizedCode is the HTTP code returned for type AddFrontendGrantUnauthorized
+const AddFrontendGrantUnauthorizedCode int = 401
+
+/*
+AddFrontendGrantUnauthorized unauthorized
+
+swagger:response addFrontendGrantUnauthorized
+*/
+type AddFrontendGrantUnauthorized struct {
+}
+
+// NewAddFrontendGrantUnauthorized creates AddFrontendGrantUnauthorized with default headers values
+func NewAddFrontendGrantUnauthorized() *AddFrontendGrantUnauthorized {
+
+	return &AddFrontendGrantUnauthorized{}
+}
+
+// WriteResponse to the client
+func (o *AddFrontendGrantUnauthorized) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(401)
+}
+
+// AddFrontendGrantNotFoundCode is the HTTP code returned for type AddFrontendGrantNotFound
+const AddFrontendGrantNotFoundCode int = 404
+
+/*
+AddFrontendGrantNotFound not found
+
+swagger:response addFrontendGrantNotFound
+*/
+type AddFrontendGrantNotFound struct {
+
+	/*
+	  In: Body
+	*/
+	Payload rest_model_zrok.ErrorMessage `json:"body,omitempty"`
+}
+
+// NewAddFrontendGrantNotFound creates AddFrontendGrantNotFound with default headers values
+func NewAddFrontendGrantNotFound() *AddFrontendGrantNotFound {
+
+	return &AddFrontendGrantNotFound{}
+}
+
+// WithPayload adds the payload to the add frontend grant not found response
+func (o *AddFrontendGrantNotFound) WithPayload(payload rest_model_zrok.ErrorMessage) *AddFrontendGrantNotFound {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the add frontend grant not found response
+func (o *AddFrontendGrantNotFound) SetPayload(payload rest_model_zrok.ErrorMessage) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *AddFrontendGrantNotFound) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(404)
+	payload := o.Payload
+	if err := producer.Produce(rw, payload); err != nil {
+		panic(err) // let the recovery middleware deal with this
+	}
+}
+
+// AddFrontendGrantInternalServerErrorCode is the HTTP code returned for type AddFrontendGrantInternalServerError
+const AddFrontendGrantInternalServerErrorCode int = 500
+
+/*
+AddFrontendGrantInternalServerError internal server error
+
+swagger:response addFrontendGrantInternalServerError
+*/
+type AddFrontendGrantInternalServerError struct {
+}
+
+// NewAddFrontendGrantInternalServerError creates AddFrontendGrantInternalServerError with default headers values
+func NewAddFrontendGrantInternalServerError() *AddFrontendGrantInternalServerError {
+
+	return &AddFrontendGrantInternalServerError{}
+}
+
+// WriteResponse to the client
+func (o *AddFrontendGrantInternalServerError) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(500)
+}

rest_server_zrok/operations/admin/add_frontend_grant_urlbuilder.go

@@ -0,0 +1,87 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+)
+
+// AddFrontendGrantURL generates an URL for the add frontend grant operation
+type AddFrontendGrantURL struct {
+	_basePath string
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *AddFrontendGrantURL) WithBasePath(bp string) *AddFrontendGrantURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *AddFrontendGrantURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *AddFrontendGrantURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/frontend/grant"
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *AddFrontendGrantURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *AddFrontendGrantURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *AddFrontendGrantURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on AddFrontendGrantURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on AddFrontendGrantURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *AddFrontendGrantURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}

rest_server_zrok/operations/admin/delete_account.go

@@ -0,0 +1,111 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// DeleteAccountHandlerFunc turns a function with the right signature into a delete account handler
+type DeleteAccountHandlerFunc func(DeleteAccountParams, *rest_model_zrok.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn DeleteAccountHandlerFunc) Handle(params DeleteAccountParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// DeleteAccountHandler interface for that can handle valid delete account params
+type DeleteAccountHandler interface {
+	Handle(DeleteAccountParams, *rest_model_zrok.Principal) middleware.Responder
+}
+
+// NewDeleteAccount creates a new http.Handler for the delete account operation
+func NewDeleteAccount(ctx *middleware.Context, handler DeleteAccountHandler) *DeleteAccount {
+	return &DeleteAccount{Context: ctx, Handler: handler}
+}
+
+/*
+	DeleteAccount swagger:route DELETE /account admin deleteAccount
+
+DeleteAccount delete account API
+*/
+type DeleteAccount struct {
+	Context *middleware.Context
+	Handler DeleteAccountHandler
+}
+
+func (o *DeleteAccount) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		*r = *rCtx
+	}
+	var Params = NewDeleteAccountParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *rest_model_zrok.Principal
+	if uprinc != nil {
+		principal = uprinc.(*rest_model_zrok.Principal) // this is really a rest_model_zrok.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
+
+// DeleteAccountBody delete account body
+//
+// swagger:model DeleteAccountBody
+type DeleteAccountBody struct {
+
+	// email
+	Email string `json:"email,omitempty"`
+}
+
+// Validate validates this delete account body
+func (o *DeleteAccountBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this delete account body based on context it is used
+func (o *DeleteAccountBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *DeleteAccountBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *DeleteAccountBody) UnmarshalBinary(b []byte) error {
+	var res DeleteAccountBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_server_zrok/operations/admin/delete_account_parameters.go

@@ -0,0 +1,74 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/validate"
+)
+
+// NewDeleteAccountParams creates a new DeleteAccountParams object
+//
+// There are no default values defined in the spec.
+func NewDeleteAccountParams() DeleteAccountParams {
+
+	return DeleteAccountParams{}
+}
+
+// DeleteAccountParams contains all the bound params for the delete account operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters deleteAccount
+type DeleteAccountParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  In: body
+	*/
+	Body DeleteAccountBody
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewDeleteAccountParams() beforehand.
+func (o *DeleteAccountParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	if runtime.HasBody(r) {
+		defer r.Body.Close()
+		var body DeleteAccountBody
+		if err := route.Consumer.Consume(r.Body, &body); err != nil {
+			res = append(res, errors.NewParseError("body", "body", "", err))
+		} else {
+			// validate body object
+			if err := body.Validate(route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			ctx := validate.WithOperationRequest(r.Context())
+			if err := body.ContextValidate(ctx, route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			if len(res) == 0 {
+				o.Body = body
+			}
+		}
+	}
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}

rest_server_zrok/operations/admin/delete_account_responses.go

@@ -0,0 +1,112 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+)
+
+// DeleteAccountOKCode is the HTTP code returned for type DeleteAccountOK
+const DeleteAccountOKCode int = 200
+
+/*
+DeleteAccountOK ok
+
+swagger:response deleteAccountOK
+*/
+type DeleteAccountOK struct {
+}
+
+// NewDeleteAccountOK creates DeleteAccountOK with default headers values
+func NewDeleteAccountOK() *DeleteAccountOK {
+
+	return &DeleteAccountOK{}
+}
+
+// WriteResponse to the client
+func (o *DeleteAccountOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(200)
+}
+
+// DeleteAccountUnauthorizedCode is the HTTP code returned for type DeleteAccountUnauthorized
+const DeleteAccountUnauthorizedCode int = 401
+
+/*
+DeleteAccountUnauthorized unauthorized
+
+swagger:response deleteAccountUnauthorized
+*/
+type DeleteAccountUnauthorized struct {
+}
+
+// NewDeleteAccountUnauthorized creates DeleteAccountUnauthorized with default headers values
+func NewDeleteAccountUnauthorized() *DeleteAccountUnauthorized {
+
+	return &DeleteAccountUnauthorized{}
+}
+
+// WriteResponse to the client
+func (o *DeleteAccountUnauthorized) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(401)
+}
+
+// DeleteAccountNotFoundCode is the HTTP code returned for type DeleteAccountNotFound
+const DeleteAccountNotFoundCode int = 404
+
+/*
+DeleteAccountNotFound not found
+
+swagger:response deleteAccountNotFound
+*/
+type DeleteAccountNotFound struct {
+}
+
+// NewDeleteAccountNotFound creates DeleteAccountNotFound with default headers values
+func NewDeleteAccountNotFound() *DeleteAccountNotFound {
+
+	return &DeleteAccountNotFound{}
+}
+
+// WriteResponse to the client
+func (o *DeleteAccountNotFound) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(404)
+}
+
+// DeleteAccountInternalServerErrorCode is the HTTP code returned for type DeleteAccountInternalServerError
+const DeleteAccountInternalServerErrorCode int = 500
+
+/*
+DeleteAccountInternalServerError internal server error
+
+swagger:response deleteAccountInternalServerError
+*/
+type DeleteAccountInternalServerError struct {
+}
+
+// NewDeleteAccountInternalServerError creates DeleteAccountInternalServerError with default headers values
+func NewDeleteAccountInternalServerError() *DeleteAccountInternalServerError {
+
+	return &DeleteAccountInternalServerError{}
+}
+
+// WriteResponse to the client
+func (o *DeleteAccountInternalServerError) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(500)
+}

rest_server_zrok/operations/admin/delete_account_urlbuilder.go

@@ -0,0 +1,87 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+)
+
+// DeleteAccountURL generates an URL for the delete account operation
+type DeleteAccountURL struct {
+	_basePath string
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *DeleteAccountURL) WithBasePath(bp string) *DeleteAccountURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *DeleteAccountURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *DeleteAccountURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/account"
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *DeleteAccountURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *DeleteAccountURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *DeleteAccountURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on DeleteAccountURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on DeleteAccountURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *DeleteAccountURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}

rest_server_zrok/operations/admin/delete_frontend_grant.go

@@ -0,0 +1,114 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// DeleteFrontendGrantHandlerFunc turns a function with the right signature into a delete frontend grant handler
+type DeleteFrontendGrantHandlerFunc func(DeleteFrontendGrantParams, *rest_model_zrok.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn DeleteFrontendGrantHandlerFunc) Handle(params DeleteFrontendGrantParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// DeleteFrontendGrantHandler interface for that can handle valid delete frontend grant params
+type DeleteFrontendGrantHandler interface {
+	Handle(DeleteFrontendGrantParams, *rest_model_zrok.Principal) middleware.Responder
+}
+
+// NewDeleteFrontendGrant creates a new http.Handler for the delete frontend grant operation
+func NewDeleteFrontendGrant(ctx *middleware.Context, handler DeleteFrontendGrantHandler) *DeleteFrontendGrant {
+	return &DeleteFrontendGrant{Context: ctx, Handler: handler}
+}
+
+/*
+	DeleteFrontendGrant swagger:route DELETE /frontend/grant admin deleteFrontendGrant
+
+DeleteFrontendGrant delete frontend grant API
+*/
+type DeleteFrontendGrant struct {
+	Context *middleware.Context
+	Handler DeleteFrontendGrantHandler
+}
+
+func (o *DeleteFrontendGrant) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		*r = *rCtx
+	}
+	var Params = NewDeleteFrontendGrantParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *rest_model_zrok.Principal
+	if uprinc != nil {
+		principal = uprinc.(*rest_model_zrok.Principal) // this is really a rest_model_zrok.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
+
+// DeleteFrontendGrantBody delete frontend grant body
+//
+// swagger:model DeleteFrontendGrantBody
+type DeleteFrontendGrantBody struct {
+
+	// email
+	Email string `json:"email,omitempty"`
+
+	// frontend token
+	FrontendToken string `json:"frontendToken,omitempty"`
+}
+
+// Validate validates this delete frontend grant body
+func (o *DeleteFrontendGrantBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this delete frontend grant body based on context it is used
+func (o *DeleteFrontendGrantBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *DeleteFrontendGrantBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *DeleteFrontendGrantBody) UnmarshalBinary(b []byte) error {
+	var res DeleteFrontendGrantBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_server_zrok/operations/admin/delete_frontend_grant_parameters.go

@@ -0,0 +1,74 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/validate"
+)
+
+// NewDeleteFrontendGrantParams creates a new DeleteFrontendGrantParams object
+//
+// There are no default values defined in the spec.
+func NewDeleteFrontendGrantParams() DeleteFrontendGrantParams {
+
+	return DeleteFrontendGrantParams{}
+}
+
+// DeleteFrontendGrantParams contains all the bound params for the delete frontend grant operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters deleteFrontendGrant
+type DeleteFrontendGrantParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  In: body
+	*/
+	Body DeleteFrontendGrantBody
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewDeleteFrontendGrantParams() beforehand.
+func (o *DeleteFrontendGrantParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	if runtime.HasBody(r) {
+		defer r.Body.Close()
+		var body DeleteFrontendGrantBody
+		if err := route.Consumer.Consume(r.Body, &body); err != nil {
+			res = append(res, errors.NewParseError("body", "body", "", err))
+		} else {
+			// validate body object
+			if err := body.Validate(route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			ctx := validate.WithOperationRequest(r.Context())
+			if err := body.ContextValidate(ctx, route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			if len(res) == 0 {
+				o.Body = body
+			}
+		}
+	}
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}

rest_server_zrok/operations/admin/delete_frontend_grant_responses.go

@@ -0,0 +1,132 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// DeleteFrontendGrantOKCode is the HTTP code returned for type DeleteFrontendGrantOK
+const DeleteFrontendGrantOKCode int = 200
+
+/*
+DeleteFrontendGrantOK ok
+
+swagger:response deleteFrontendGrantOK
+*/
+type DeleteFrontendGrantOK struct {
+}
+
+// NewDeleteFrontendGrantOK creates DeleteFrontendGrantOK with default headers values
+func NewDeleteFrontendGrantOK() *DeleteFrontendGrantOK {
+
+	return &DeleteFrontendGrantOK{}
+}
+
+// WriteResponse to the client
+func (o *DeleteFrontendGrantOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(200)
+}
+
+// DeleteFrontendGrantUnauthorizedCode is the HTTP code returned for type DeleteFrontendGrantUnauthorized
+const DeleteFrontendGrantUnauthorizedCode int = 401
+
+/*
+DeleteFrontendGrantUnauthorized unauthorized
+
+swagger:response deleteFrontendGrantUnauthorized
+*/
+type DeleteFrontendGrantUnauthorized struct {
+}
+
+// NewDeleteFrontendGrantUnauthorized creates DeleteFrontendGrantUnauthorized with default headers values
+func NewDeleteFrontendGrantUnauthorized() *DeleteFrontendGrantUnauthorized {
+
+	return &DeleteFrontendGrantUnauthorized{}
+}
+
+// WriteResponse to the client
+func (o *DeleteFrontendGrantUnauthorized) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(401)
+}
+
+// DeleteFrontendGrantNotFoundCode is the HTTP code returned for type DeleteFrontendGrantNotFound
+const DeleteFrontendGrantNotFoundCode int = 404
+
+/*
+DeleteFrontendGrantNotFound not found
+
+swagger:response deleteFrontendGrantNotFound
+*/
+type DeleteFrontendGrantNotFound struct {
+
+	/*
+	  In: Body
+	*/
+	Payload rest_model_zrok.ErrorMessage `json:"body,omitempty"`
+}
+
+// NewDeleteFrontendGrantNotFound creates DeleteFrontendGrantNotFound with default headers values
+func NewDeleteFrontendGrantNotFound() *DeleteFrontendGrantNotFound {
+
+	return &DeleteFrontendGrantNotFound{}
+}
+
+// WithPayload adds the payload to the delete frontend grant not found response
+func (o *DeleteFrontendGrantNotFound) WithPayload(payload rest_model_zrok.ErrorMessage) *DeleteFrontendGrantNotFound {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the delete frontend grant not found response
+func (o *DeleteFrontendGrantNotFound) SetPayload(payload rest_model_zrok.ErrorMessage) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *DeleteFrontendGrantNotFound) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(404)
+	payload := o.Payload
+	if err := producer.Produce(rw, payload); err != nil {
+		panic(err) // let the recovery middleware deal with this
+	}
+}
+
+// DeleteFrontendGrantInternalServerErrorCode is the HTTP code returned for type DeleteFrontendGrantInternalServerError
+const DeleteFrontendGrantInternalServerErrorCode int = 500
+
+/*
+DeleteFrontendGrantInternalServerError internal server error
+
+swagger:response deleteFrontendGrantInternalServerError
+*/
+type DeleteFrontendGrantInternalServerError struct {
+}
+
+// NewDeleteFrontendGrantInternalServerError creates DeleteFrontendGrantInternalServerError with default headers values
+func NewDeleteFrontendGrantInternalServerError() *DeleteFrontendGrantInternalServerError {
+
+	return &DeleteFrontendGrantInternalServerError{}
+}
+
+// WriteResponse to the client
+func (o *DeleteFrontendGrantInternalServerError) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(500)
+}

rest_server_zrok/operations/admin/delete_frontend_grant_urlbuilder.go

@@ -0,0 +1,87 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+)
+
+// DeleteFrontendGrantURL generates an URL for the delete frontend grant operation
+type DeleteFrontendGrantURL struct {
+	_basePath string
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *DeleteFrontendGrantURL) WithBasePath(bp string) *DeleteFrontendGrantURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *DeleteFrontendGrantURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *DeleteFrontendGrantURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/frontend/grant"
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *DeleteFrontendGrantURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *DeleteFrontendGrantURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *DeleteFrontendGrantURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on DeleteFrontendGrantURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on DeleteFrontendGrantURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *DeleteFrontendGrantURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}

rest_server_zrok/operations/zrok_api.go

@@ -53,6 +53,9 @@ func NewZrokAPI(spec *loads.Document) *ZrokAPI {
 		ShareAccessHandler: share.AccessHandlerFunc(func(params share.AccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation share.Access has not yet been implemented")
 		}),
+		AdminAddFrontendGrantHandler: admin.AddFrontendGrantHandlerFunc(func(params admin.AddFrontendGrantParams, principal *rest_model_zrok.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation admin.AddFrontendGrant has not yet been implemented")
+		}),
 		AdminAddOrganizationMemberHandler: admin.AddOrganizationMemberHandlerFunc(func(params admin.AddOrganizationMemberParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin.AddOrganizationMember has not yet been implemented")
 		}),
@@ -77,9 +80,15 @@ func NewZrokAPI(spec *loads.Document) *ZrokAPI {
 		AdminCreateOrganizationHandler: admin.CreateOrganizationHandlerFunc(func(params admin.CreateOrganizationParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin.CreateOrganization has not yet been implemented")
 		}),
+		AdminDeleteAccountHandler: admin.DeleteAccountHandlerFunc(func(params admin.DeleteAccountParams, principal *rest_model_zrok.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation admin.DeleteAccount has not yet been implemented")
+		}),
 		AdminDeleteFrontendHandler: admin.DeleteFrontendHandlerFunc(func(params admin.DeleteFrontendParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin.DeleteFrontend has not yet been implemented")
 		}),
+		AdminDeleteFrontendGrantHandler: admin.DeleteFrontendGrantHandlerFunc(func(params admin.DeleteFrontendGrantParams, principal *rest_model_zrok.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation admin.DeleteFrontendGrant has not yet been implemented")
+		}),
 		AdminDeleteOrganizationHandler: admin.DeleteOrganizationHandlerFunc(func(params admin.DeleteOrganizationParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin.DeleteOrganization has not yet been implemented")
 		}),
@@ -264,6 +273,8 @@ type ZrokAPI struct {
 
 	// ShareAccessHandler sets the operation handler for the access operation
 	ShareAccessHandler share.AccessHandler
+	// AdminAddFrontendGrantHandler sets the operation handler for the add frontend grant operation
+	AdminAddFrontendGrantHandler admin.AddFrontendGrantHandler
 	// AdminAddOrganizationMemberHandler sets the operation handler for the add organization member operation
 	AdminAddOrganizationMemberHandler admin.AddOrganizationMemberHandler
 	// AccountChangePasswordHandler sets the operation handler for the change password operation
@@ -280,8 +291,12 @@ type ZrokAPI struct {
 	AdminCreateIdentityHandler admin.CreateIdentityHandler
 	// AdminCreateOrganizationHandler sets the operation handler for the create organization operation
 	AdminCreateOrganizationHandler admin.CreateOrganizationHandler
+	// AdminDeleteAccountHandler sets the operation handler for the delete account operation
+	AdminDeleteAccountHandler admin.DeleteAccountHandler
 	// AdminDeleteFrontendHandler sets the operation handler for the delete frontend operation
 	AdminDeleteFrontendHandler admin.DeleteFrontendHandler
+	// AdminDeleteFrontendGrantHandler sets the operation handler for the delete frontend grant operation
+	AdminDeleteFrontendGrantHandler admin.DeleteFrontendGrantHandler
 	// AdminDeleteOrganizationHandler sets the operation handler for the delete organization operation
 	AdminDeleteOrganizationHandler admin.DeleteOrganizationHandler
 	// EnvironmentDisableHandler sets the operation handler for the disable operation
@@ -454,6 +469,9 @@ func (o *ZrokAPI) Validate() error {
 	if o.ShareAccessHandler == nil {
 		unregistered = append(unregistered, "share.AccessHandler")
 	}
+	if o.AdminAddFrontendGrantHandler == nil {
+		unregistered = append(unregistered, "admin.AddFrontendGrantHandler")
+	}
 	if o.AdminAddOrganizationMemberHandler == nil {
 		unregistered = append(unregistered, "admin.AddOrganizationMemberHandler")
 	}
@@ -478,9 +496,15 @@ func (o *ZrokAPI) Validate() error {
 	if o.AdminCreateOrganizationHandler == nil {
 		unregistered = append(unregistered, "admin.CreateOrganizationHandler")
 	}
+	if o.AdminDeleteAccountHandler == nil {
+		unregistered = append(unregistered, "admin.DeleteAccountHandler")
+	}
 	if o.AdminDeleteFrontendHandler == nil {
 		unregistered = append(unregistered, "admin.DeleteFrontendHandler")
 	}
+	if o.AdminDeleteFrontendGrantHandler == nil {
+		unregistered = append(unregistered, "admin.DeleteFrontendGrantHandler")
+	}
 	if o.AdminDeleteOrganizationHandler == nil {
 		unregistered = append(unregistered, "admin.DeleteOrganizationHandler")
 	}
@@ -719,6 +743,10 @@ func (o *ZrokAPI) initHandlerCache() {
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)
 	}
+	o.handlers["POST"]["/frontend/grant"] = admin.NewAddFrontendGrant(o.context, o.AdminAddFrontendGrantHandler)
+	if o.handlers["POST"] == nil {
+		o.handlers["POST"] = make(map[string]http.Handler)
+	}
 	o.handlers["POST"]["/organization/add"] = admin.NewAddOrganizationMember(o.context, o.AdminAddOrganizationMemberHandler)
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)
@@ -751,10 +779,18 @@ func (o *ZrokAPI) initHandlerCache() {
 	if o.handlers["DELETE"] == nil {
 		o.handlers["DELETE"] = make(map[string]http.Handler)
 	}
+	o.handlers["DELETE"]["/account"] = admin.NewDeleteAccount(o.context, o.AdminDeleteAccountHandler)
+	if o.handlers["DELETE"] == nil {
+		o.handlers["DELETE"] = make(map[string]http.Handler)
+	}
 	o.handlers["DELETE"]["/frontend"] = admin.NewDeleteFrontend(o.context, o.AdminDeleteFrontendHandler)
 	if o.handlers["DELETE"] == nil {
 		o.handlers["DELETE"] = make(map[string]http.Handler)
 	}
+	o.handlers["DELETE"]["/frontend/grant"] = admin.NewDeleteFrontendGrant(o.context, o.AdminDeleteFrontendGrantHandler)
+	if o.handlers["DELETE"] == nil {
+		o.handlers["DELETE"] = make(map[string]http.Handler)
+	}
 	o.handlers["DELETE"]["/organization"] = admin.NewDeleteOrganization(o.context, o.AdminDeleteOrganizationHandler)
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)

sdk/nodejs/sdk/src/api/.openapi-generator/FILES

@@ -9,6 +9,7 @@ apis/index.ts
 index.ts
 models/Access201Response.ts
 models/AccessRequest.ts
+models/AddFrontendGrantRequest.ts
 models/AddOrganizationMemberRequest.ts
 models/AuthUser.ts
 models/ChangePasswordRequest.ts

sdk/nodejs/sdk/src/api/apis/AdminApi.ts

@@ -15,6 +15,7 @@
 
 import * as runtime from '../runtime';
 import type {
+  AddFrontendGrantRequest,
   AddOrganizationMemberRequest,
   CreateFrontend201Response,
   CreateFrontendRequest,
@@ -33,6 +34,8 @@ import type {
   Verify200Response,
 } from '../models/index';
 import {
+    AddFrontendGrantRequestFromJSON,
+    AddFrontendGrantRequestToJSON,
     AddOrganizationMemberRequestFromJSON,
     AddOrganizationMemberRequestToJSON,
     CreateFrontend201ResponseFromJSON,
@@ -67,6 +70,10 @@ import {
     Verify200ResponseToJSON,
 } from '../models/index';
 
+export interface AddFrontendGrantOperationRequest {
+    body?: AddFrontendGrantRequest;
+}
+
 export interface AddOrganizationMemberOperationRequest {
     body?: AddOrganizationMemberRequest;
 }
@@ -87,10 +94,18 @@ export interface CreateOrganizationOperationRequest {
     body?: CreateOrganizationRequest;
 }
 
+export interface DeleteAccountRequest {
+    body?: Verify200Response;
+}
+
 export interface DeleteFrontendRequest {
     body?: CreateFrontend201Response;
 }
 
+export interface DeleteFrontendGrantRequest {
+    body?: AddFrontendGrantRequest;
+}
+
 export interface DeleteOrganizationRequest {
     body?: CreateOrganization201Response;
 }
@@ -120,6 +135,36 @@ export interface UpdateFrontendOperationRequest {
  */
 export class AdminApi extends runtime.BaseAPI {
 
+    /**
+     */
+    async addFrontendGrantRaw(requestParameters: AddFrontendGrantOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/frontend/grant`,
+            method: 'POST',
+            headers: headerParameters,
+            query: queryParameters,
+            body: AddFrontendGrantRequestToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async addFrontendGrant(requestParameters: AddFrontendGrantOperationRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.addFrontendGrantRaw(requestParameters, initOverrides);
+    }
+
     /**
      */
     async addOrganizationMemberRaw(requestParameters: AddOrganizationMemberOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
@@ -274,6 +319,36 @@ export class AdminApi extends runtime.BaseAPI {
         return await response.value();
     }
 
+    /**
+     */
+    async deleteAccountRaw(requestParameters: DeleteAccountRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/account`,
+            method: 'DELETE',
+            headers: headerParameters,
+            query: queryParameters,
+            body: Verify200ResponseToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async deleteAccount(requestParameters: DeleteAccountRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.deleteAccountRaw(requestParameters, initOverrides);
+    }
+
     /**
      */
     async deleteFrontendRaw(requestParameters: DeleteFrontendRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
@@ -304,6 +379,36 @@ export class AdminApi extends runtime.BaseAPI {
         await this.deleteFrontendRaw(requestParameters, initOverrides);
     }
 
+    /**
+     */
+    async deleteFrontendGrantRaw(requestParameters: DeleteFrontendGrantRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/frontend/grant`,
+            method: 'DELETE',
+            headers: headerParameters,
+            query: queryParameters,
+            body: AddFrontendGrantRequestToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async deleteFrontendGrant(requestParameters: DeleteFrontendGrantRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.deleteFrontendGrantRaw(requestParameters, initOverrides);
+    }
+
     /**
      */
     async deleteOrganizationRaw(requestParameters: DeleteOrganizationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {

sdk/nodejs/sdk/src/api/models/AddFrontendGrantRequest.ts

@@ -0,0 +1,73 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * zrok
+ * zrok client access
+ *
+ * The version of the OpenAPI document: 1.0.0
+ * 
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import { mapValues } from '../runtime';
+/**
+ * 
+ * @export
+ * @interface AddFrontendGrantRequest
+ */
+export interface AddFrontendGrantRequest {
+    /**
+     * 
+     * @type {string}
+     * @memberof AddFrontendGrantRequest
+     */
+    frontendToken?: string;
+    /**
+     * 
+     * @type {string}
+     * @memberof AddFrontendGrantRequest
+     */
+    email?: string;
+}
+
+/**
+ * Check if a given object implements the AddFrontendGrantRequest interface.
+ */
+export function instanceOfAddFrontendGrantRequest(value: object): value is AddFrontendGrantRequest {
+    return true;
+}
+
+export function AddFrontendGrantRequestFromJSON(json: any): AddFrontendGrantRequest {
+    return AddFrontendGrantRequestFromJSONTyped(json, false);
+}
+
+export function AddFrontendGrantRequestFromJSONTyped(json: any, ignoreDiscriminator: boolean): AddFrontendGrantRequest {
+    if (json == null) {
+        return json;
+    }
+    return {
+        
+        'frontendToken': json['frontendToken'] == null ? undefined : json['frontendToken'],
+        'email': json['email'] == null ? undefined : json['email'],
+    };
+}
+
+export function AddFrontendGrantRequestToJSON(json: any): AddFrontendGrantRequest {
+    return AddFrontendGrantRequestToJSONTyped(json, false);
+}
+
+export function AddFrontendGrantRequestToJSONTyped(value?: AddFrontendGrantRequest | null, ignoreDiscriminator: boolean = false): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        
+        'frontendToken': value['frontendToken'],
+        'email': value['email'],
+    };
+}
+

sdk/nodejs/sdk/src/api/models/index.ts

@@ -2,6 +2,7 @@
 /* eslint-disable */
 export * from './Access201Response';
 export * from './AccessRequest';
+export * from './AddFrontendGrantRequest';
 export * from './AddOrganizationMemberRequest';
 export * from './AuthUser';
 export * from './ChangePasswordRequest';

sdk/python/src/.openapi-generator/FILES

@@ -3,6 +3,7 @@ README.md
 docs/Access201Response.md
 docs/AccessRequest.md
 docs/AccountApi.md
+docs/AddFrontendGrantRequest.md
 docs/AddOrganizationMemberRequest.md
 docs/AdminApi.md
 docs/AgentApi.md
@@ -74,6 +75,7 @@ test/__init__.py
 test/test_access201_response.py
 test/test_access_request.py
 test/test_account_api.py
+test/test_add_frontend_grant_request.py
 test/test_add_organization_member_request.py
 test/test_admin_api.py
 test/test_agent_api.py
@@ -154,6 +156,7 @@ zrok_api/exceptions.py
 zrok_api/models/__init__.py
 zrok_api/models/access201_response.py
 zrok_api/models/access_request.py
+zrok_api/models/add_frontend_grant_request.py
 zrok_api/models/add_organization_member_request.py
 zrok_api/models/auth_user.py
 zrok_api/models/change_password_request.py

sdk/python/src/README.md

@@ -100,12 +100,15 @@ Class | Method | HTTP request | Description
 *AccountApi* | [**reset_password**](docs/AccountApi.md#reset_password) | **POST** /resetPassword | 
 *AccountApi* | [**reset_password_request**](docs/AccountApi.md#reset_password_request) | **POST** /resetPasswordRequest | 
 *AccountApi* | [**verify**](docs/AccountApi.md#verify) | **POST** /verify | 
+*AdminApi* | [**add_frontend_grant**](docs/AdminApi.md#add_frontend_grant) | **POST** /frontend/grant | 
 *AdminApi* | [**add_organization_member**](docs/AdminApi.md#add_organization_member) | **POST** /organization/add | 
 *AdminApi* | [**create_account**](docs/AdminApi.md#create_account) | **POST** /account | 
 *AdminApi* | [**create_frontend**](docs/AdminApi.md#create_frontend) | **POST** /frontend | 
 *AdminApi* | [**create_identity**](docs/AdminApi.md#create_identity) | **POST** /identity | 
 *AdminApi* | [**create_organization**](docs/AdminApi.md#create_organization) | **POST** /organization | 
+*AdminApi* | [**delete_account**](docs/AdminApi.md#delete_account) | **DELETE** /account | 
 *AdminApi* | [**delete_frontend**](docs/AdminApi.md#delete_frontend) | **DELETE** /frontend | 
+*AdminApi* | [**delete_frontend_grant**](docs/AdminApi.md#delete_frontend_grant) | **DELETE** /frontend/grant | 
 *AdminApi* | [**delete_organization**](docs/AdminApi.md#delete_organization) | **DELETE** /organization | 
 *AdminApi* | [**grants**](docs/AdminApi.md#grants) | **POST** /grants | 
 *AdminApi* | [**invite_token_generate**](docs/AdminApi.md#invite_token_generate) | **POST** /invite/token/generate | 
@@ -152,6 +155,7 @@ Class | Method | HTTP request | Description
 
  - [Access201Response](docs/Access201Response.md)
  - [AccessRequest](docs/AccessRequest.md)
+ - [AddFrontendGrantRequest](docs/AddFrontendGrantRequest.md)
  - [AddOrganizationMemberRequest](docs/AddOrganizationMemberRequest.md)
  - [AuthUser](docs/AuthUser.md)
  - [ChangePasswordRequest](docs/ChangePasswordRequest.md)

sdk/python/src/docs/AddFrontendGrantRequest.md

@@ -0,0 +1,30 @@
+# AddFrontendGrantRequest
+
+
+## Properties
+
+Name | Type | Description | Notes
+------------ | ------------- | ------------- | -------------
+**frontend_token** | **str** |  | [optional] 
+**email** | **str** |  | [optional] 
+
+## Example
+
+```python
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
+
+# TODO update the JSON string below
+json = "{}"
+# create an instance of AddFrontendGrantRequest from a JSON string
+add_frontend_grant_request_instance = AddFrontendGrantRequest.from_json(json)
+# print the JSON string representation of the object
+print(AddFrontendGrantRequest.to_json())
+
+# convert the object into a dict
+add_frontend_grant_request_dict = add_frontend_grant_request_instance.to_dict()
+# create an instance of AddFrontendGrantRequest from a dict
+add_frontend_grant_request_from_dict = AddFrontendGrantRequest.from_dict(add_frontend_grant_request_dict)
+```
+[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+
+

sdk/python/src/docs/AdminApi.md

@@ -4,12 +4,15 @@ All URIs are relative to */api/v1*
 
 Method | HTTP request | Description
 ------------- | ------------- | -------------
+[**add_frontend_grant**](AdminApi.md#add_frontend_grant) | **POST** /frontend/grant | 
 [**add_organization_member**](AdminApi.md#add_organization_member) | **POST** /organization/add | 
 [**create_account**](AdminApi.md#create_account) | **POST** /account | 
 [**create_frontend**](AdminApi.md#create_frontend) | **POST** /frontend | 
 [**create_identity**](AdminApi.md#create_identity) | **POST** /identity | 
 [**create_organization**](AdminApi.md#create_organization) | **POST** /organization | 
+[**delete_account**](AdminApi.md#delete_account) | **DELETE** /account | 
 [**delete_frontend**](AdminApi.md#delete_frontend) | **DELETE** /frontend | 
+[**delete_frontend_grant**](AdminApi.md#delete_frontend_grant) | **DELETE** /frontend/grant | 
 [**delete_organization**](AdminApi.md#delete_organization) | **DELETE** /organization | 
 [**grants**](AdminApi.md#grants) | **POST** /grants | 
 [**invite_token_generate**](AdminApi.md#invite_token_generate) | **POST** /invite/token/generate | 
@@ -20,6 +23,81 @@ Method | HTTP request | Description
 [**update_frontend**](AdminApi.md#update_frontend) | **PATCH** /frontend | 
 
 
+# **add_frontend_grant**
+> add_frontend_grant(body=body)
+
+### Example
+
+* Api Key Authentication (key):
+
+```python
+import zrok_api
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
+from zrok_api.rest import ApiException
+from pprint import pprint
+
+# Defining the host is optional and defaults to /api/v1
+# See configuration.py for a list of all supported configuration parameters.
+configuration = zrok_api.Configuration(
+    host = "/api/v1"
+)
+
+# The client must configure the authentication and authorization parameters
+# in accordance with the API server security policy.
+# Examples for each auth method are provided below, use the example that
+# satisfies your auth use case.
+
+# Configure API key authorization: key
+configuration.api_key['key'] = os.environ["API_KEY"]
+
+# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+# configuration.api_key_prefix['key'] = 'Bearer'
+
+# Enter a context with an instance of the API client
+with zrok_api.ApiClient(configuration) as api_client:
+    # Create an instance of the API class
+    api_instance = zrok_api.AdminApi(api_client)
+    body = zrok_api.AddFrontendGrantRequest() # AddFrontendGrantRequest |  (optional)
+
+    try:
+        api_instance.add_frontend_grant(body=body)
+    except Exception as e:
+        print("Exception when calling AdminApi->add_frontend_grant: %s\n" % e)
+```
+
+
+
+### Parameters
+
+
+Name | Type | Description  | Notes
+------------- | ------------- | ------------- | -------------
+ **body** | [**AddFrontendGrantRequest**](AddFrontendGrantRequest.md)|  | [optional] 
+
+### Return type
+
+void (empty response body)
+
+### Authorization
+
+[key](../README.md#key)
+
+### HTTP request headers
+
+ - **Content-Type**: application/zrok.v1+json
+ - **Accept**: application/zrok.v1+json
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+|-------------|-------------|------------------|
+**200** | ok |  -  |
+**401** | unauthorized |  -  |
+**404** | not found |  -  |
+**500** | internal server error |  -  |
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
 # **add_organization_member**
 > add_organization_member(body=body)
 
@@ -405,6 +483,81 @@ Name | Type | Description  | Notes
 
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 
+# **delete_account**
+> delete_account(body=body)
+
+### Example
+
+* Api Key Authentication (key):
+
+```python
+import zrok_api
+from zrok_api.models.verify200_response import Verify200Response
+from zrok_api.rest import ApiException
+from pprint import pprint
+
+# Defining the host is optional and defaults to /api/v1
+# See configuration.py for a list of all supported configuration parameters.
+configuration = zrok_api.Configuration(
+    host = "/api/v1"
+)
+
+# The client must configure the authentication and authorization parameters
+# in accordance with the API server security policy.
+# Examples for each auth method are provided below, use the example that
+# satisfies your auth use case.
+
+# Configure API key authorization: key
+configuration.api_key['key'] = os.environ["API_KEY"]
+
+# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+# configuration.api_key_prefix['key'] = 'Bearer'
+
+# Enter a context with an instance of the API client
+with zrok_api.ApiClient(configuration) as api_client:
+    # Create an instance of the API class
+    api_instance = zrok_api.AdminApi(api_client)
+    body = zrok_api.Verify200Response() # Verify200Response |  (optional)
+
+    try:
+        api_instance.delete_account(body=body)
+    except Exception as e:
+        print("Exception when calling AdminApi->delete_account: %s\n" % e)
+```
+
+
+
+### Parameters
+
+
+Name | Type | Description  | Notes
+------------- | ------------- | ------------- | -------------
+ **body** | [**Verify200Response**](Verify200Response.md)|  | [optional] 
+
+### Return type
+
+void (empty response body)
+
+### Authorization
+
+[key](../README.md#key)
+
+### HTTP request headers
+
+ - **Content-Type**: application/zrok.v1+json
+ - **Accept**: Not defined
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+|-------------|-------------|------------------|
+**200** | ok |  -  |
+**401** | unauthorized |  -  |
+**404** | not found |  -  |
+**500** | internal server error |  -  |
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
 # **delete_frontend**
 > delete_frontend(body=body)
 
@@ -480,6 +633,81 @@ void (empty response body)
 
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 
+# **delete_frontend_grant**
+> delete_frontend_grant(body=body)
+
+### Example
+
+* Api Key Authentication (key):
+
+```python
+import zrok_api
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
+from zrok_api.rest import ApiException
+from pprint import pprint
+
+# Defining the host is optional and defaults to /api/v1
+# See configuration.py for a list of all supported configuration parameters.
+configuration = zrok_api.Configuration(
+    host = "/api/v1"
+)
+
+# The client must configure the authentication and authorization parameters
+# in accordance with the API server security policy.
+# Examples for each auth method are provided below, use the example that
+# satisfies your auth use case.
+
+# Configure API key authorization: key
+configuration.api_key['key'] = os.environ["API_KEY"]
+
+# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+# configuration.api_key_prefix['key'] = 'Bearer'
+
+# Enter a context with an instance of the API client
+with zrok_api.ApiClient(configuration) as api_client:
+    # Create an instance of the API class
+    api_instance = zrok_api.AdminApi(api_client)
+    body = zrok_api.AddFrontendGrantRequest() # AddFrontendGrantRequest |  (optional)
+
+    try:
+        api_instance.delete_frontend_grant(body=body)
+    except Exception as e:
+        print("Exception when calling AdminApi->delete_frontend_grant: %s\n" % e)
+```
+
+
+
+### Parameters
+
+
+Name | Type | Description  | Notes
+------------- | ------------- | ------------- | -------------
+ **body** | [**AddFrontendGrantRequest**](AddFrontendGrantRequest.md)|  | [optional] 
+
+### Return type
+
+void (empty response body)
+
+### Authorization
+
+[key](../README.md#key)
+
+### HTTP request headers
+
+ - **Content-Type**: application/zrok.v1+json
+ - **Accept**: application/zrok.v1+json
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+|-------------|-------------|------------------|
+**200** | ok |  -  |
+**401** | unauthorized |  -  |
+**404** | not found |  -  |
+**500** | internal server error |  -  |
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
 # **delete_organization**
 > delete_organization(body=body)
 

sdk/python/src/test/test_add_frontend_grant_request.py

@@ -0,0 +1,52 @@
+# coding: utf-8
+
+"""
+    zrok
+
+    zrok client access
+
+    The version of the OpenAPI document: 1.0.0
+    Generated by OpenAPI Generator (https://openapi-generator.tech)
+
+    Do not edit the class manually.
+"""  # noqa: E501
+
+
+import unittest
+
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
+
+class TestAddFrontendGrantRequest(unittest.TestCase):
+    """AddFrontendGrantRequest unit test stubs"""
+
+    def setUp(self):
+        pass
+
+    def tearDown(self):
+        pass
+
+    def make_instance(self, include_optional) -> AddFrontendGrantRequest:
+        """Test AddFrontendGrantRequest
+            include_optional is a boolean, when False only required
+            params are included, when True both required and
+            optional params are included """
+        # uncomment below to create an instance of `AddFrontendGrantRequest`
+        """
+        model = AddFrontendGrantRequest()
+        if include_optional:
+            return AddFrontendGrantRequest(
+                frontend_token = '',
+                email = ''
+            )
+        else:
+            return AddFrontendGrantRequest(
+        )
+        """
+
+    def testAddFrontendGrantRequest(self):
+        """Test AddFrontendGrantRequest"""
+        # inst_req_only = self.make_instance(include_optional=False)
+        # inst_req_and_optional = self.make_instance(include_optional=True)
+
+if __name__ == '__main__':
+    unittest.main()

sdk/python/src/test/test_admin_api.py

@@ -26,6 +26,12 @@ class TestAdminApi(unittest.TestCase):
     def tearDown(self) -> None:
         pass
 
+    def test_add_frontend_grant(self) -> None:
+        """Test case for add_frontend_grant
+
+        """
+        pass
+
     def test_add_organization_member(self) -> None:
         """Test case for add_organization_member
 
@@ -56,12 +62,24 @@ class TestAdminApi(unittest.TestCase):
         """
         pass
 
+    def test_delete_account(self) -> None:
+        """Test case for delete_account
+
+        """
+        pass
+
     def test_delete_frontend(self) -> None:
         """Test case for delete_frontend
 
         """
         pass
 
+    def test_delete_frontend_grant(self) -> None:
+        """Test case for delete_frontend_grant
+
+        """
+        pass
+
     def test_delete_organization(self) -> None:
         """Test case for delete_organization
 

sdk/python/src/zrok_api/__init__.py

@@ -38,6 +38,7 @@ from zrok_api.exceptions import ApiException
 # import models into sdk package
 from zrok_api.models.access201_response import Access201Response
 from zrok_api.models.access_request import AccessRequest
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
 from zrok_api.models.add_organization_member_request import AddOrganizationMemberRequest
 from zrok_api.models.auth_user import AuthUser
 from zrok_api.models.change_password_request import ChangePasswordRequest

sdk/python/src/zrok_api/api/admin_api.py

@@ -17,6 +17,7 @@ from typing import Any, Dict, List, Optional, Tuple, Union
 from typing_extensions import Annotated
 
 from typing import List, Optional
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
 from zrok_api.models.add_organization_member_request import AddOrganizationMemberRequest
 from zrok_api.models.create_frontend201_response import CreateFrontend201Response
 from zrok_api.models.create_frontend_request import CreateFrontendRequest
@@ -52,6 +53,286 @@ class AdminApi:
         self.api_client = api_client
 
 
+    @validate_call
+    def add_frontend_grant(
+        self,
+        body: Optional[AddFrontendGrantRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> None:
+        """add_frontend_grant
+
+
+        :param body:
+        :type body: AddFrontendGrantRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._add_frontend_grant_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '404': "str",
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        ).data
+
+
+    @validate_call
+    def add_frontend_grant_with_http_info(
+        self,
+        body: Optional[AddFrontendGrantRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> ApiResponse[None]:
+        """add_frontend_grant
+
+
+        :param body:
+        :type body: AddFrontendGrantRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._add_frontend_grant_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '404': "str",
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        )
+
+
+    @validate_call
+    def add_frontend_grant_without_preload_content(
+        self,
+        body: Optional[AddFrontendGrantRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> RESTResponseType:
+        """add_frontend_grant
+
+
+        :param body:
+        :type body: AddFrontendGrantRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._add_frontend_grant_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '404': "str",
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        return response_data.response
+
+
+    def _add_frontend_grant_serialize(
+        self,
+        body,
+        _request_auth,
+        _content_type,
+        _headers,
+        _host_index,
+    ) -> RequestSerialized:
+
+        _host = None
+
+        _collection_formats: Dict[str, str] = {
+        }
+
+        _path_params: Dict[str, str] = {}
+        _query_params: List[Tuple[str, str]] = []
+        _header_params: Dict[str, Optional[str]] = _headers or {}
+        _form_params: List[Tuple[str, str]] = []
+        _files: Dict[
+            str, Union[str, bytes, List[str], List[bytes], List[Tuple[str, bytes]]]
+        ] = {}
+        _body_params: Optional[bytes] = None
+
+        # process the path parameters
+        # process the query parameters
+        # process the header parameters
+        # process the form parameters
+        # process the body parameter
+        if body is not None:
+            _body_params = body
+
+
+        # set the HTTP header `Accept`
+        if 'Accept' not in _header_params:
+            _header_params['Accept'] = self.api_client.select_header_accept(
+                [
+                    'application/zrok.v1+json'
+                ]
+            )
+
+        # set the HTTP header `Content-Type`
+        if _content_type:
+            _header_params['Content-Type'] = _content_type
+        else:
+            _default_content_type = (
+                self.api_client.select_header_content_type(
+                    [
+                        'application/zrok.v1+json'
+                    ]
+                )
+            )
+            if _default_content_type is not None:
+                _header_params['Content-Type'] = _default_content_type
+
+        # authentication setting
+        _auth_settings: List[str] = [
+            'key'
+        ]
+
+        return self.api_client.param_serialize(
+            method='POST',
+            resource_path='/frontend/grant',
+            path_params=_path_params,
+            query_params=_query_params,
+            header_params=_header_params,
+            body=_body_params,
+            post_params=_form_params,
+            files=_files,
+            auth_settings=_auth_settings,
+            collection_formats=_collection_formats,
+            _host=_host,
+            _request_auth=_request_auth
+        )
+
+
+
+
     @validate_call
     def add_organization_member(
         self,
@@ -1439,6 +1720,279 @@ class AdminApi:
 
 
 
+    @validate_call
+    def delete_account(
+        self,
+        body: Optional[Verify200Response] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> None:
+        """delete_account
+
+
+        :param body:
+        :type body: Verify200Response
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._delete_account_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '404': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        ).data
+
+
+    @validate_call
+    def delete_account_with_http_info(
+        self,
+        body: Optional[Verify200Response] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> ApiResponse[None]:
+        """delete_account
+
+
+        :param body:
+        :type body: Verify200Response
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._delete_account_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '404': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        )
+
+
+    @validate_call
+    def delete_account_without_preload_content(
+        self,
+        body: Optional[Verify200Response] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> RESTResponseType:
+        """delete_account
+
+
+        :param body:
+        :type body: Verify200Response
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._delete_account_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '404': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        return response_data.response
+
+
+    def _delete_account_serialize(
+        self,
+        body,
+        _request_auth,
+        _content_type,
+        _headers,
+        _host_index,
+    ) -> RequestSerialized:
+
+        _host = None
+
+        _collection_formats: Dict[str, str] = {
+        }
+
+        _path_params: Dict[str, str] = {}
+        _query_params: List[Tuple[str, str]] = []
+        _header_params: Dict[str, Optional[str]] = _headers or {}
+        _form_params: List[Tuple[str, str]] = []
+        _files: Dict[
+            str, Union[str, bytes, List[str], List[bytes], List[Tuple[str, bytes]]]
+        ] = {}
+        _body_params: Optional[bytes] = None
+
+        # process the path parameters
+        # process the query parameters
+        # process the header parameters
+        # process the form parameters
+        # process the body parameter
+        if body is not None:
+            _body_params = body
+
+
+
+        # set the HTTP header `Content-Type`
+        if _content_type:
+            _header_params['Content-Type'] = _content_type
+        else:
+            _default_content_type = (
+                self.api_client.select_header_content_type(
+                    [
+                        'application/zrok.v1+json'
+                    ]
+                )
+            )
+            if _default_content_type is not None:
+                _header_params['Content-Type'] = _default_content_type
+
+        # authentication setting
+        _auth_settings: List[str] = [
+            'key'
+        ]
+
+        return self.api_client.param_serialize(
+            method='DELETE',
+            resource_path='/account',
+            path_params=_path_params,
+            query_params=_query_params,
+            header_params=_header_params,
+            body=_body_params,
+            post_params=_form_params,
+            files=_files,
+            auth_settings=_auth_settings,
+            collection_formats=_collection_formats,
+            _host=_host,
+            _request_auth=_request_auth
+        )
+
+
+
+
     @validate_call
     def delete_frontend(
         self,
@@ -1712,6 +2266,286 @@ class AdminApi:
 
 
 
+    @validate_call
+    def delete_frontend_grant(
+        self,
+        body: Optional[AddFrontendGrantRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> None:
+        """delete_frontend_grant
+
+
+        :param body:
+        :type body: AddFrontendGrantRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._delete_frontend_grant_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '404': "str",
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        ).data
+
+
+    @validate_call
+    def delete_frontend_grant_with_http_info(
+        self,
+        body: Optional[AddFrontendGrantRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> ApiResponse[None]:
+        """delete_frontend_grant
+
+
+        :param body:
+        :type body: AddFrontendGrantRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._delete_frontend_grant_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '404': "str",
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        )
+
+
+    @validate_call
+    def delete_frontend_grant_without_preload_content(
+        self,
+        body: Optional[AddFrontendGrantRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> RESTResponseType:
+        """delete_frontend_grant
+
+
+        :param body:
+        :type body: AddFrontendGrantRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._delete_frontend_grant_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '404': "str",
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        return response_data.response
+
+
+    def _delete_frontend_grant_serialize(
+        self,
+        body,
+        _request_auth,
+        _content_type,
+        _headers,
+        _host_index,
+    ) -> RequestSerialized:
+
+        _host = None
+
+        _collection_formats: Dict[str, str] = {
+        }
+
+        _path_params: Dict[str, str] = {}
+        _query_params: List[Tuple[str, str]] = []
+        _header_params: Dict[str, Optional[str]] = _headers or {}
+        _form_params: List[Tuple[str, str]] = []
+        _files: Dict[
+            str, Union[str, bytes, List[str], List[bytes], List[Tuple[str, bytes]]]
+        ] = {}
+        _body_params: Optional[bytes] = None
+
+        # process the path parameters
+        # process the query parameters
+        # process the header parameters
+        # process the form parameters
+        # process the body parameter
+        if body is not None:
+            _body_params = body
+
+
+        # set the HTTP header `Accept`
+        if 'Accept' not in _header_params:
+            _header_params['Accept'] = self.api_client.select_header_accept(
+                [
+                    'application/zrok.v1+json'
+                ]
+            )
+
+        # set the HTTP header `Content-Type`
+        if _content_type:
+            _header_params['Content-Type'] = _content_type
+        else:
+            _default_content_type = (
+                self.api_client.select_header_content_type(
+                    [
+                        'application/zrok.v1+json'
+                    ]
+                )
+            )
+            if _default_content_type is not None:
+                _header_params['Content-Type'] = _default_content_type
+
+        # authentication setting
+        _auth_settings: List[str] = [
+            'key'
+        ]
+
+        return self.api_client.param_serialize(
+            method='DELETE',
+            resource_path='/frontend/grant',
+            path_params=_path_params,
+            query_params=_query_params,
+            header_params=_header_params,
+            body=_body_params,
+            post_params=_form_params,
+            files=_files,
+            auth_settings=_auth_settings,
+            collection_formats=_collection_formats,
+            _host=_host,
+            _request_auth=_request_auth
+        )
+
+
+
+
     @validate_call
     def delete_organization(
         self,

sdk/python/src/zrok_api/models/__init__.py

@@ -16,6 +16,7 @@
 # import models into model package
 from zrok_api.models.access201_response import Access201Response
 from zrok_api.models.access_request import AccessRequest
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
 from zrok_api.models.add_organization_member_request import AddOrganizationMemberRequest
 from zrok_api.models.auth_user import AuthUser
 from zrok_api.models.change_password_request import ChangePasswordRequest

sdk/python/src/zrok_api/models/add_frontend_grant_request.py

@@ -0,0 +1,89 @@
+# coding: utf-8
+
+"""
+    zrok
+
+    zrok client access
+
+    The version of the OpenAPI document: 1.0.0
+    Generated by OpenAPI Generator (https://openapi-generator.tech)
+
+    Do not edit the class manually.
+"""  # noqa: E501
+
+
+from __future__ import annotations
+import pprint
+import re  # noqa: F401
+import json
+
+from pydantic import BaseModel, ConfigDict, Field, StrictStr
+from typing import Any, ClassVar, Dict, List, Optional
+from typing import Optional, Set
+from typing_extensions import Self
+
+class AddFrontendGrantRequest(BaseModel):
+    """
+    AddFrontendGrantRequest
+    """ # noqa: E501
+    frontend_token: Optional[StrictStr] = Field(default=None, alias="frontendToken")
+    email: Optional[StrictStr] = None
+    __properties: ClassVar[List[str]] = ["frontendToken", "email"]
+
+    model_config = ConfigDict(
+        populate_by_name=True,
+        validate_assignment=True,
+        protected_namespaces=(),
+    )
+
+
+    def to_str(self) -> str:
+        """Returns the string representation of the model using alias"""
+        return pprint.pformat(self.model_dump(by_alias=True))
+
+    def to_json(self) -> str:
+        """Returns the JSON representation of the model using alias"""
+        # TODO: pydantic v2: use .model_dump_json(by_alias=True, exclude_unset=True) instead
+        return json.dumps(self.to_dict())
+
+    @classmethod
+    def from_json(cls, json_str: str) -> Optional[Self]:
+        """Create an instance of AddFrontendGrantRequest from a JSON string"""
+        return cls.from_dict(json.loads(json_str))
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Return the dictionary representation of the model using alias.
+
+        This has the following differences from calling pydantic's
+        `self.model_dump(by_alias=True)`:
+
+        * `None` is only added to the output dict for nullable fields that
+          were set at model initialization. Other fields with value `None`
+          are ignored.
+        """
+        excluded_fields: Set[str] = set([
+        ])
+
+        _dict = self.model_dump(
+            by_alias=True,
+            exclude=excluded_fields,
+            exclude_none=True,
+        )
+        return _dict
+
+    @classmethod
+    def from_dict(cls, obj: Optional[Dict[str, Any]]) -> Optional[Self]:
+        """Create an instance of AddFrontendGrantRequest from a dict"""
+        if obj is None:
+            return None
+
+        if not isinstance(obj, dict):
+            return cls.model_validate(obj)
+
+        _obj = cls.model_validate({
+            "frontendToken": obj.get("frontendToken"),
+            "email": obj.get("email")
+        })
+        return _obj
+
+

specs/zrok.yml

@@ -251,6 +251,28 @@ paths:
           description: unauthorized
         500:
           description: internal server error
+    delete:
+      tags:
+        - admin
+      security:
+        - key: []
+      operationId: deleteAccount
+      parameters:
+        - name: body
+          in: body
+          schema:
+            properties:
+              email:
+                type: string
+      responses:
+        200:
+          description: ok
+        401:
+          description: unauthorized
+        404:
+          description: not found
+        500:
+          description: internal server error
 
   /frontend:
     post:
@@ -341,6 +363,62 @@ paths:
         500:
           description: internal server error
 
+  /frontend/grant:
+    post:
+      tags:
+        - admin
+      security:
+        - key: []
+      operationId: addFrontendGrant
+      parameters:
+        - name: body
+          in: body
+          schema:
+            type: object
+            properties:
+              frontendToken:
+                type: string
+              email:
+                type: string
+      responses:
+        200:
+          description: ok
+        401:
+          description: unauthorized
+        404:
+          description: not found
+          schema:
+            $ref: "#/definitions/errorMessage"
+        500:
+          description: internal server error
+    delete:
+      tags:
+        - admin
+      security:
+        - key: []
+      operationId: deleteFrontendGrant
+      parameters:
+        - name: body
+          in: body
+          schema:
+            type: object
+            properties:
+              frontendToken:
+                type: string
+              email:
+                type: string
+      responses:
+        200:
+          description: ok
+        401:
+          description: unauthorized
+        404:
+          description: not found
+          schema:
+            $ref: "#/definitions/errorMessage"
+        500:
+          description: internal server error
+
   /frontends:
     get:
       tags:

ui/src/api/.openapi-generator/FILES

@@ -9,6 +9,7 @@ apis/index.ts
 index.ts
 models/Access201Response.ts
 models/AccessRequest.ts
+models/AddFrontendGrantRequest.ts
 models/AddOrganizationMemberRequest.ts
 models/AuthUser.ts
 models/ChangePasswordRequest.ts

ui/src/api/apis/AdminApi.ts

@@ -15,6 +15,7 @@
 
 import * as runtime from '../runtime';
 import type {
+  AddFrontendGrantRequest,
   AddOrganizationMemberRequest,
   CreateFrontend201Response,
   CreateFrontendRequest,
@@ -33,6 +34,8 @@ import type {
   Verify200Response,
 } from '../models/index';
 import {
+    AddFrontendGrantRequestFromJSON,
+    AddFrontendGrantRequestToJSON,
     AddOrganizationMemberRequestFromJSON,
     AddOrganizationMemberRequestToJSON,
     CreateFrontend201ResponseFromJSON,
@@ -67,6 +70,10 @@ import {
     Verify200ResponseToJSON,
 } from '../models/index';
 
+export interface AddFrontendGrantOperationRequest {
+    body?: AddFrontendGrantRequest;
+}
+
 export interface AddOrganizationMemberOperationRequest {
     body?: AddOrganizationMemberRequest;
 }
@@ -87,10 +94,18 @@ export interface CreateOrganizationOperationRequest {
     body?: CreateOrganizationRequest;
 }
 
+export interface DeleteAccountRequest {
+    body?: Verify200Response;
+}
+
 export interface DeleteFrontendRequest {
     body?: CreateFrontend201Response;
 }
 
+export interface DeleteFrontendGrantRequest {
+    body?: AddFrontendGrantRequest;
+}
+
 export interface DeleteOrganizationRequest {
     body?: CreateOrganization201Response;
 }
@@ -120,6 +135,36 @@ export interface UpdateFrontendOperationRequest {
  */
 export class AdminApi extends runtime.BaseAPI {
 
+    /**
+     */
+    async addFrontendGrantRaw(requestParameters: AddFrontendGrantOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/frontend/grant`,
+            method: 'POST',
+            headers: headerParameters,
+            query: queryParameters,
+            body: AddFrontendGrantRequestToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async addFrontendGrant(requestParameters: AddFrontendGrantOperationRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.addFrontendGrantRaw(requestParameters, initOverrides);
+    }
+
     /**
      */
     async addOrganizationMemberRaw(requestParameters: AddOrganizationMemberOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
@@ -274,6 +319,36 @@ export class AdminApi extends runtime.BaseAPI {
         return await response.value();
     }
 
+    /**
+     */
+    async deleteAccountRaw(requestParameters: DeleteAccountRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/account`,
+            method: 'DELETE',
+            headers: headerParameters,
+            query: queryParameters,
+            body: Verify200ResponseToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async deleteAccount(requestParameters: DeleteAccountRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.deleteAccountRaw(requestParameters, initOverrides);
+    }
+
     /**
      */
     async deleteFrontendRaw(requestParameters: DeleteFrontendRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
@@ -304,6 +379,36 @@ export class AdminApi extends runtime.BaseAPI {
         await this.deleteFrontendRaw(requestParameters, initOverrides);
     }
 
+    /**
+     */
+    async deleteFrontendGrantRaw(requestParameters: DeleteFrontendGrantRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/frontend/grant`,
+            method: 'DELETE',
+            headers: headerParameters,
+            query: queryParameters,
+            body: AddFrontendGrantRequestToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async deleteFrontendGrant(requestParameters: DeleteFrontendGrantRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.deleteFrontendGrantRaw(requestParameters, initOverrides);
+    }
+
     /**
      */
     async deleteOrganizationRaw(requestParameters: DeleteOrganizationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {

ui/src/api/models/AddFrontendGrantRequest.ts

@@ -0,0 +1,73 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * zrok
+ * zrok client access
+ *
+ * The version of the OpenAPI document: 1.0.0
+ * 
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import { mapValues } from '../runtime';
+/**
+ * 
+ * @export
+ * @interface AddFrontendGrantRequest
+ */
+export interface AddFrontendGrantRequest {
+    /**
+     * 
+     * @type {string}
+     * @memberof AddFrontendGrantRequest
+     */
+    frontendToken?: string;
+    /**
+     * 
+     * @type {string}
+     * @memberof AddFrontendGrantRequest
+     */
+    email?: string;
+}
+
+/**
+ * Check if a given object implements the AddFrontendGrantRequest interface.
+ */
+export function instanceOfAddFrontendGrantRequest(value: object): value is AddFrontendGrantRequest {
+    return true;
+}
+
+export function AddFrontendGrantRequestFromJSON(json: any): AddFrontendGrantRequest {
+    return AddFrontendGrantRequestFromJSONTyped(json, false);
+}
+
+export function AddFrontendGrantRequestFromJSONTyped(json: any, ignoreDiscriminator: boolean): AddFrontendGrantRequest {
+    if (json == null) {
+        return json;
+    }
+    return {
+        
+        'frontendToken': json['frontendToken'] == null ? undefined : json['frontendToken'],
+        'email': json['email'] == null ? undefined : json['email'],
+    };
+}
+
+export function AddFrontendGrantRequestToJSON(json: any): AddFrontendGrantRequest {
+    return AddFrontendGrantRequestToJSONTyped(json, false);
+}
+
+export function AddFrontendGrantRequestToJSONTyped(value?: AddFrontendGrantRequest | null, ignoreDiscriminator: boolean = false): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        
+        'frontendToken': value['frontendToken'],
+        'email': value['email'],
+    };
+}
+

ui/src/api/models/index.ts

@@ -2,6 +2,7 @@
 /* eslint-disable */
 export * from './Access201Response';
 export * from './AccessRequest';
+export * from './AddFrontendGrantRequest';
 export * from './AddOrganizationMemberRequest';
 export * from './AuthUser';
 export * from './ChangePasswordRequest';