/frontend/grant endpoint (#992)

rest_client_zrok/admin/add_frontend_grant_parameters.go

@@ -0,0 +1,146 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewAddFrontendGrantParams creates a new AddFrontendGrantParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewAddFrontendGrantParams() *AddFrontendGrantParams {
+	return &AddFrontendGrantParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewAddFrontendGrantParamsWithTimeout creates a new AddFrontendGrantParams object
+// with the ability to set a timeout on a request.
+func NewAddFrontendGrantParamsWithTimeout(timeout time.Duration) *AddFrontendGrantParams {
+	return &AddFrontendGrantParams{
+		timeout: timeout,
+	}
+}
+
+// NewAddFrontendGrantParamsWithContext creates a new AddFrontendGrantParams object
+// with the ability to set a context for a request.
+func NewAddFrontendGrantParamsWithContext(ctx context.Context) *AddFrontendGrantParams {
+	return &AddFrontendGrantParams{
+		Context: ctx,
+	}
+}
+
+// NewAddFrontendGrantParamsWithHTTPClient creates a new AddFrontendGrantParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewAddFrontendGrantParamsWithHTTPClient(client *http.Client) *AddFrontendGrantParams {
+	return &AddFrontendGrantParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+AddFrontendGrantParams contains all the parameters to send to the API endpoint
+
+	for the add frontend grant operation.
+
+	Typically these are written to a http.Request.
+*/
+type AddFrontendGrantParams struct {
+
+	// Body.
+	Body AddFrontendGrantBody
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the add frontend grant params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *AddFrontendGrantParams) WithDefaults() *AddFrontendGrantParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the add frontend grant params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *AddFrontendGrantParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the add frontend grant params
+func (o *AddFrontendGrantParams) WithTimeout(timeout time.Duration) *AddFrontendGrantParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the add frontend grant params
+func (o *AddFrontendGrantParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the add frontend grant params
+func (o *AddFrontendGrantParams) WithContext(ctx context.Context) *AddFrontendGrantParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the add frontend grant params
+func (o *AddFrontendGrantParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the add frontend grant params
+func (o *AddFrontendGrantParams) WithHTTPClient(client *http.Client) *AddFrontendGrantParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the add frontend grant params
+func (o *AddFrontendGrantParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the add frontend grant params
+func (o *AddFrontendGrantParams) WithBody(body AddFrontendGrantBody) *AddFrontendGrantParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the add frontend grant params
+func (o *AddFrontendGrantParams) SetBody(body AddFrontendGrantBody) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *AddFrontendGrantParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}

rest_client_zrok/admin/add_frontend_grant_responses.go

@@ -0,0 +1,255 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// AddFrontendGrantReader is a Reader for the AddFrontendGrant structure.
+type AddFrontendGrantReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *AddFrontendGrantReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewAddFrontendGrantOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 401:
+		result := NewAddFrontendGrantUnauthorized()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 500:
+		result := NewAddFrontendGrantInternalServerError()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[POST /frontend/grant] addFrontendGrant", response, response.Code())
+	}
+}
+
+// NewAddFrontendGrantOK creates a AddFrontendGrantOK with default headers values
+func NewAddFrontendGrantOK() *AddFrontendGrantOK {
+	return &AddFrontendGrantOK{}
+}
+
+/*
+AddFrontendGrantOK describes a response with status code 200, with default header values.
+
+ok
+*/
+type AddFrontendGrantOK struct {
+}
+
+// IsSuccess returns true when this add frontend grant o k response has a 2xx status code
+func (o *AddFrontendGrantOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this add frontend grant o k response has a 3xx status code
+func (o *AddFrontendGrantOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this add frontend grant o k response has a 4xx status code
+func (o *AddFrontendGrantOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this add frontend grant o k response has a 5xx status code
+func (o *AddFrontendGrantOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this add frontend grant o k response a status code equal to that given
+func (o *AddFrontendGrantOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the add frontend grant o k response
+func (o *AddFrontendGrantOK) Code() int {
+	return 200
+}
+
+func (o *AddFrontendGrantOK) Error() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantOK ", 200)
+}
+
+func (o *AddFrontendGrantOK) String() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantOK ", 200)
+}
+
+func (o *AddFrontendGrantOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewAddFrontendGrantUnauthorized creates a AddFrontendGrantUnauthorized with default headers values
+func NewAddFrontendGrantUnauthorized() *AddFrontendGrantUnauthorized {
+	return &AddFrontendGrantUnauthorized{}
+}
+
+/*
+AddFrontendGrantUnauthorized describes a response with status code 401, with default header values.
+
+unauthorized
+*/
+type AddFrontendGrantUnauthorized struct {
+}
+
+// IsSuccess returns true when this add frontend grant unauthorized response has a 2xx status code
+func (o *AddFrontendGrantUnauthorized) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this add frontend grant unauthorized response has a 3xx status code
+func (o *AddFrontendGrantUnauthorized) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this add frontend grant unauthorized response has a 4xx status code
+func (o *AddFrontendGrantUnauthorized) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this add frontend grant unauthorized response has a 5xx status code
+func (o *AddFrontendGrantUnauthorized) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this add frontend grant unauthorized response a status code equal to that given
+func (o *AddFrontendGrantUnauthorized) IsCode(code int) bool {
+	return code == 401
+}
+
+// Code gets the status code for the add frontend grant unauthorized response
+func (o *AddFrontendGrantUnauthorized) Code() int {
+	return 401
+}
+
+func (o *AddFrontendGrantUnauthorized) Error() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantUnauthorized ", 401)
+}
+
+func (o *AddFrontendGrantUnauthorized) String() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantUnauthorized ", 401)
+}
+
+func (o *AddFrontendGrantUnauthorized) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewAddFrontendGrantInternalServerError creates a AddFrontendGrantInternalServerError with default headers values
+func NewAddFrontendGrantInternalServerError() *AddFrontendGrantInternalServerError {
+	return &AddFrontendGrantInternalServerError{}
+}
+
+/*
+AddFrontendGrantInternalServerError describes a response with status code 500, with default header values.
+
+internal server error
+*/
+type AddFrontendGrantInternalServerError struct {
+}
+
+// IsSuccess returns true when this add frontend grant internal server error response has a 2xx status code
+func (o *AddFrontendGrantInternalServerError) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this add frontend grant internal server error response has a 3xx status code
+func (o *AddFrontendGrantInternalServerError) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this add frontend grant internal server error response has a 4xx status code
+func (o *AddFrontendGrantInternalServerError) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this add frontend grant internal server error response has a 5xx status code
+func (o *AddFrontendGrantInternalServerError) IsServerError() bool {
+	return true
+}
+
+// IsCode returns true when this add frontend grant internal server error response a status code equal to that given
+func (o *AddFrontendGrantInternalServerError) IsCode(code int) bool {
+	return code == 500
+}
+
+// Code gets the status code for the add frontend grant internal server error response
+func (o *AddFrontendGrantInternalServerError) Code() int {
+	return 500
+}
+
+func (o *AddFrontendGrantInternalServerError) Error() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantInternalServerError ", 500)
+}
+
+func (o *AddFrontendGrantInternalServerError) String() string {
+	return fmt.Sprintf("[POST /frontend/grant][%d] addFrontendGrantInternalServerError ", 500)
+}
+
+func (o *AddFrontendGrantInternalServerError) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+/*
+AddFrontendGrantBody add frontend grant body
+swagger:model AddFrontendGrantBody
+*/
+type AddFrontendGrantBody struct {
+
+	// email
+	Email string `json:"email,omitempty"`
+
+	// frontend token
+	FrontendToken string `json:"frontendToken,omitempty"`
+}
+
+// Validate validates this add frontend grant body
+func (o *AddFrontendGrantBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this add frontend grant body based on context it is used
+func (o *AddFrontendGrantBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *AddFrontendGrantBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *AddFrontendGrantBody) UnmarshalBinary(b []byte) error {
+	var res AddFrontendGrantBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_client_zrok/admin/admin_client.go

@@ -30,6 +30,8 @@ type ClientOption func(*runtime.ClientOperation)
 
 // ClientService is the interface for Client methods
 type ClientService interface {
+	AddFrontendGrant(params *AddFrontendGrantParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*AddFrontendGrantOK, error)
+
 	AddOrganizationMember(params *AddOrganizationMemberParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*AddOrganizationMemberCreated, error)
 
 	CreateAccount(params *CreateAccountParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateAccountCreated, error)
@@ -42,6 +44,8 @@ type ClientService interface {
 
 	DeleteFrontend(params *DeleteFrontendParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteFrontendOK, error)
 
+	DeleteFrontendGrant(params *DeleteFrontendGrantParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteFrontendGrantOK, error)
+
 	DeleteOrganization(params *DeleteOrganizationParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteOrganizationOK, error)
 
 	Grants(params *GrantsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*GrantsOK, error)
@@ -61,6 +65,45 @@ type ClientService interface {
 	SetTransport(transport runtime.ClientTransport)
 }
 
+/*
+AddFrontendGrant add frontend grant API
+*/
+func (a *Client) AddFrontendGrant(params *AddFrontendGrantParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*AddFrontendGrantOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewAddFrontendGrantParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "addFrontendGrant",
+		Method:             "POST",
+		PathPattern:        "/frontend/grant",
+		ProducesMediaTypes: []string{"application/zrok.v1+json"},
+		ConsumesMediaTypes: []string{"application/zrok.v1+json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &AddFrontendGrantReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*AddFrontendGrantOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for addFrontendGrant: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
 /*
 AddOrganizationMember add organization member API
 */
@@ -295,6 +338,45 @@ func (a *Client) DeleteFrontend(params *DeleteFrontendParams, authInfo runtime.C
 	panic(msg)
 }
 
+/*
+DeleteFrontendGrant delete frontend grant API
+*/
+func (a *Client) DeleteFrontendGrant(params *DeleteFrontendGrantParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*DeleteFrontendGrantOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewDeleteFrontendGrantParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "deleteFrontendGrant",
+		Method:             "DELETE",
+		PathPattern:        "/frontend/grant",
+		ProducesMediaTypes: []string{"application/zrok.v1+json"},
+		ConsumesMediaTypes: []string{"application/zrok.v1+json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &DeleteFrontendGrantReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*DeleteFrontendGrantOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for deleteFrontendGrant: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
 /*
 DeleteOrganization delete organization API
 */

rest_client_zrok/admin/delete_frontend_grant_parameters.go

@@ -0,0 +1,146 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewDeleteFrontendGrantParams creates a new DeleteFrontendGrantParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewDeleteFrontendGrantParams() *DeleteFrontendGrantParams {
+	return &DeleteFrontendGrantParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewDeleteFrontendGrantParamsWithTimeout creates a new DeleteFrontendGrantParams object
+// with the ability to set a timeout on a request.
+func NewDeleteFrontendGrantParamsWithTimeout(timeout time.Duration) *DeleteFrontendGrantParams {
+	return &DeleteFrontendGrantParams{
+		timeout: timeout,
+	}
+}
+
+// NewDeleteFrontendGrantParamsWithContext creates a new DeleteFrontendGrantParams object
+// with the ability to set a context for a request.
+func NewDeleteFrontendGrantParamsWithContext(ctx context.Context) *DeleteFrontendGrantParams {
+	return &DeleteFrontendGrantParams{
+		Context: ctx,
+	}
+}
+
+// NewDeleteFrontendGrantParamsWithHTTPClient creates a new DeleteFrontendGrantParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewDeleteFrontendGrantParamsWithHTTPClient(client *http.Client) *DeleteFrontendGrantParams {
+	return &DeleteFrontendGrantParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+DeleteFrontendGrantParams contains all the parameters to send to the API endpoint
+
+	for the delete frontend grant operation.
+
+	Typically these are written to a http.Request.
+*/
+type DeleteFrontendGrantParams struct {
+
+	// Body.
+	Body DeleteFrontendGrantBody
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the delete frontend grant params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteFrontendGrantParams) WithDefaults() *DeleteFrontendGrantParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the delete frontend grant params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteFrontendGrantParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) WithTimeout(timeout time.Duration) *DeleteFrontendGrantParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) WithContext(ctx context.Context) *DeleteFrontendGrantParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) WithHTTPClient(client *http.Client) *DeleteFrontendGrantParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) WithBody(body DeleteFrontendGrantBody) *DeleteFrontendGrantParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the delete frontend grant params
+func (o *DeleteFrontendGrantParams) SetBody(body DeleteFrontendGrantBody) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *DeleteFrontendGrantParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}

rest_client_zrok/admin/delete_frontend_grant_responses.go

@@ -0,0 +1,255 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// DeleteFrontendGrantReader is a Reader for the DeleteFrontendGrant structure.
+type DeleteFrontendGrantReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *DeleteFrontendGrantReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewDeleteFrontendGrantOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 401:
+		result := NewDeleteFrontendGrantUnauthorized()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 500:
+		result := NewDeleteFrontendGrantInternalServerError()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[DELETE /frontend/grant] deleteFrontendGrant", response, response.Code())
+	}
+}
+
+// NewDeleteFrontendGrantOK creates a DeleteFrontendGrantOK with default headers values
+func NewDeleteFrontendGrantOK() *DeleteFrontendGrantOK {
+	return &DeleteFrontendGrantOK{}
+}
+
+/*
+DeleteFrontendGrantOK describes a response with status code 200, with default header values.
+
+ok
+*/
+type DeleteFrontendGrantOK struct {
+}
+
+// IsSuccess returns true when this delete frontend grant o k response has a 2xx status code
+func (o *DeleteFrontendGrantOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this delete frontend grant o k response has a 3xx status code
+func (o *DeleteFrontendGrantOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete frontend grant o k response has a 4xx status code
+func (o *DeleteFrontendGrantOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this delete frontend grant o k response has a 5xx status code
+func (o *DeleteFrontendGrantOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this delete frontend grant o k response a status code equal to that given
+func (o *DeleteFrontendGrantOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the delete frontend grant o k response
+func (o *DeleteFrontendGrantOK) Code() int {
+	return 200
+}
+
+func (o *DeleteFrontendGrantOK) Error() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantOK ", 200)
+}
+
+func (o *DeleteFrontendGrantOK) String() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantOK ", 200)
+}
+
+func (o *DeleteFrontendGrantOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewDeleteFrontendGrantUnauthorized creates a DeleteFrontendGrantUnauthorized with default headers values
+func NewDeleteFrontendGrantUnauthorized() *DeleteFrontendGrantUnauthorized {
+	return &DeleteFrontendGrantUnauthorized{}
+}
+
+/*
+DeleteFrontendGrantUnauthorized describes a response with status code 401, with default header values.
+
+unauthorized
+*/
+type DeleteFrontendGrantUnauthorized struct {
+}
+
+// IsSuccess returns true when this delete frontend grant unauthorized response has a 2xx status code
+func (o *DeleteFrontendGrantUnauthorized) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this delete frontend grant unauthorized response has a 3xx status code
+func (o *DeleteFrontendGrantUnauthorized) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete frontend grant unauthorized response has a 4xx status code
+func (o *DeleteFrontendGrantUnauthorized) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this delete frontend grant unauthorized response has a 5xx status code
+func (o *DeleteFrontendGrantUnauthorized) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this delete frontend grant unauthorized response a status code equal to that given
+func (o *DeleteFrontendGrantUnauthorized) IsCode(code int) bool {
+	return code == 401
+}
+
+// Code gets the status code for the delete frontend grant unauthorized response
+func (o *DeleteFrontendGrantUnauthorized) Code() int {
+	return 401
+}
+
+func (o *DeleteFrontendGrantUnauthorized) Error() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantUnauthorized ", 401)
+}
+
+func (o *DeleteFrontendGrantUnauthorized) String() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantUnauthorized ", 401)
+}
+
+func (o *DeleteFrontendGrantUnauthorized) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewDeleteFrontendGrantInternalServerError creates a DeleteFrontendGrantInternalServerError with default headers values
+func NewDeleteFrontendGrantInternalServerError() *DeleteFrontendGrantInternalServerError {
+	return &DeleteFrontendGrantInternalServerError{}
+}
+
+/*
+DeleteFrontendGrantInternalServerError describes a response with status code 500, with default header values.
+
+internal server error
+*/
+type DeleteFrontendGrantInternalServerError struct {
+}
+
+// IsSuccess returns true when this delete frontend grant internal server error response has a 2xx status code
+func (o *DeleteFrontendGrantInternalServerError) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this delete frontend grant internal server error response has a 3xx status code
+func (o *DeleteFrontendGrantInternalServerError) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this delete frontend grant internal server error response has a 4xx status code
+func (o *DeleteFrontendGrantInternalServerError) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this delete frontend grant internal server error response has a 5xx status code
+func (o *DeleteFrontendGrantInternalServerError) IsServerError() bool {
+	return true
+}
+
+// IsCode returns true when this delete frontend grant internal server error response a status code equal to that given
+func (o *DeleteFrontendGrantInternalServerError) IsCode(code int) bool {
+	return code == 500
+}
+
+// Code gets the status code for the delete frontend grant internal server error response
+func (o *DeleteFrontendGrantInternalServerError) Code() int {
+	return 500
+}
+
+func (o *DeleteFrontendGrantInternalServerError) Error() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantInternalServerError ", 500)
+}
+
+func (o *DeleteFrontendGrantInternalServerError) String() string {
+	return fmt.Sprintf("[DELETE /frontend/grant][%d] deleteFrontendGrantInternalServerError ", 500)
+}
+
+func (o *DeleteFrontendGrantInternalServerError) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+/*
+DeleteFrontendGrantBody delete frontend grant body
+swagger:model DeleteFrontendGrantBody
+*/
+type DeleteFrontendGrantBody struct {
+
+	// email
+	Email string `json:"email,omitempty"`
+
+	// frontend token
+	FrontendToken string `json:"frontendToken,omitempty"`
+}
+
+// Validate validates this delete frontend grant body
+func (o *DeleteFrontendGrantBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this delete frontend grant body based on context it is used
+func (o *DeleteFrontendGrantBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *DeleteFrontendGrantBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *DeleteFrontendGrantBody) UnmarshalBinary(b []byte) error {
+	var res DeleteFrontendGrantBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_server_zrok/embedded_spec.go

@@ -1175,6 +1175,86 @@ func init() {
         }
       }
     },
+    "/frontend/grant": {
+      "post": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "addFrontendGrant",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "type": "object",
+              "properties": {
+                "email": {
+                  "type": "string"
+                },
+                "frontendToken": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      },
+      "delete": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "deleteFrontendGrant",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "type": "object",
+              "properties": {
+                "email": {
+                  "type": "string"
+                },
+                "frontendToken": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      }
+    },
     "/frontends": {
       "get": {
         "security": [
@@ -3956,6 +4036,86 @@ func init() {
         }
       }
     },
+    "/frontend/grant": {
+      "post": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "addFrontendGrant",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "type": "object",
+              "properties": {
+                "email": {
+                  "type": "string"
+                },
+                "frontendToken": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      },
+      "delete": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "admin"
+        ],
+        "operationId": "deleteFrontendGrant",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "type": "object",
+              "properties": {
+                "email": {
+                  "type": "string"
+                },
+                "frontendToken": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok"
+          },
+          "401": {
+            "description": "unauthorized"
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      }
+    },
     "/frontends": {
       "get": {
         "security": [

rest_server_zrok/operations/admin/add_frontend_grant.go

@@ -0,0 +1,114 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// AddFrontendGrantHandlerFunc turns a function with the right signature into a add frontend grant handler
+type AddFrontendGrantHandlerFunc func(AddFrontendGrantParams, *rest_model_zrok.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn AddFrontendGrantHandlerFunc) Handle(params AddFrontendGrantParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// AddFrontendGrantHandler interface for that can handle valid add frontend grant params
+type AddFrontendGrantHandler interface {
+	Handle(AddFrontendGrantParams, *rest_model_zrok.Principal) middleware.Responder
+}
+
+// NewAddFrontendGrant creates a new http.Handler for the add frontend grant operation
+func NewAddFrontendGrant(ctx *middleware.Context, handler AddFrontendGrantHandler) *AddFrontendGrant {
+	return &AddFrontendGrant{Context: ctx, Handler: handler}
+}
+
+/*
+	AddFrontendGrant swagger:route POST /frontend/grant admin addFrontendGrant
+
+AddFrontendGrant add frontend grant API
+*/
+type AddFrontendGrant struct {
+	Context *middleware.Context
+	Handler AddFrontendGrantHandler
+}
+
+func (o *AddFrontendGrant) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		*r = *rCtx
+	}
+	var Params = NewAddFrontendGrantParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *rest_model_zrok.Principal
+	if uprinc != nil {
+		principal = uprinc.(*rest_model_zrok.Principal) // this is really a rest_model_zrok.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
+
+// AddFrontendGrantBody add frontend grant body
+//
+// swagger:model AddFrontendGrantBody
+type AddFrontendGrantBody struct {
+
+	// email
+	Email string `json:"email,omitempty"`
+
+	// frontend token
+	FrontendToken string `json:"frontendToken,omitempty"`
+}
+
+// Validate validates this add frontend grant body
+func (o *AddFrontendGrantBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this add frontend grant body based on context it is used
+func (o *AddFrontendGrantBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *AddFrontendGrantBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *AddFrontendGrantBody) UnmarshalBinary(b []byte) error {
+	var res AddFrontendGrantBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_server_zrok/operations/admin/add_frontend_grant_parameters.go

@@ -0,0 +1,74 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/validate"
+)
+
+// NewAddFrontendGrantParams creates a new AddFrontendGrantParams object
+//
+// There are no default values defined in the spec.
+func NewAddFrontendGrantParams() AddFrontendGrantParams {
+
+	return AddFrontendGrantParams{}
+}
+
+// AddFrontendGrantParams contains all the bound params for the add frontend grant operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters addFrontendGrant
+type AddFrontendGrantParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  In: body
+	*/
+	Body AddFrontendGrantBody
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewAddFrontendGrantParams() beforehand.
+func (o *AddFrontendGrantParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	if runtime.HasBody(r) {
+		defer r.Body.Close()
+		var body AddFrontendGrantBody
+		if err := route.Consumer.Consume(r.Body, &body); err != nil {
+			res = append(res, errors.NewParseError("body", "body", "", err))
+		} else {
+			// validate body object
+			if err := body.Validate(route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			ctx := validate.WithOperationRequest(r.Context())
+			if err := body.ContextValidate(ctx, route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			if len(res) == 0 {
+				o.Body = body
+			}
+		}
+	}
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}

rest_server_zrok/operations/admin/add_frontend_grant_responses.go

@@ -0,0 +1,87 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+)
+
+// AddFrontendGrantOKCode is the HTTP code returned for type AddFrontendGrantOK
+const AddFrontendGrantOKCode int = 200
+
+/*
+AddFrontendGrantOK ok
+
+swagger:response addFrontendGrantOK
+*/
+type AddFrontendGrantOK struct {
+}
+
+// NewAddFrontendGrantOK creates AddFrontendGrantOK with default headers values
+func NewAddFrontendGrantOK() *AddFrontendGrantOK {
+
+	return &AddFrontendGrantOK{}
+}
+
+// WriteResponse to the client
+func (o *AddFrontendGrantOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(200)
+}
+
+// AddFrontendGrantUnauthorizedCode is the HTTP code returned for type AddFrontendGrantUnauthorized
+const AddFrontendGrantUnauthorizedCode int = 401
+
+/*
+AddFrontendGrantUnauthorized unauthorized
+
+swagger:response addFrontendGrantUnauthorized
+*/
+type AddFrontendGrantUnauthorized struct {
+}
+
+// NewAddFrontendGrantUnauthorized creates AddFrontendGrantUnauthorized with default headers values
+func NewAddFrontendGrantUnauthorized() *AddFrontendGrantUnauthorized {
+
+	return &AddFrontendGrantUnauthorized{}
+}
+
+// WriteResponse to the client
+func (o *AddFrontendGrantUnauthorized) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(401)
+}
+
+// AddFrontendGrantInternalServerErrorCode is the HTTP code returned for type AddFrontendGrantInternalServerError
+const AddFrontendGrantInternalServerErrorCode int = 500
+
+/*
+AddFrontendGrantInternalServerError internal server error
+
+swagger:response addFrontendGrantInternalServerError
+*/
+type AddFrontendGrantInternalServerError struct {
+}
+
+// NewAddFrontendGrantInternalServerError creates AddFrontendGrantInternalServerError with default headers values
+func NewAddFrontendGrantInternalServerError() *AddFrontendGrantInternalServerError {
+
+	return &AddFrontendGrantInternalServerError{}
+}
+
+// WriteResponse to the client
+func (o *AddFrontendGrantInternalServerError) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(500)
+}

rest_server_zrok/operations/admin/add_frontend_grant_urlbuilder.go

@@ -0,0 +1,87 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+)
+
+// AddFrontendGrantURL generates an URL for the add frontend grant operation
+type AddFrontendGrantURL struct {
+	_basePath string
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *AddFrontendGrantURL) WithBasePath(bp string) *AddFrontendGrantURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *AddFrontendGrantURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *AddFrontendGrantURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/frontend/grant"
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *AddFrontendGrantURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *AddFrontendGrantURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *AddFrontendGrantURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on AddFrontendGrantURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on AddFrontendGrantURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *AddFrontendGrantURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}

rest_server_zrok/operations/admin/delete_frontend_grant.go

@@ -0,0 +1,114 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// DeleteFrontendGrantHandlerFunc turns a function with the right signature into a delete frontend grant handler
+type DeleteFrontendGrantHandlerFunc func(DeleteFrontendGrantParams, *rest_model_zrok.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn DeleteFrontendGrantHandlerFunc) Handle(params DeleteFrontendGrantParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// DeleteFrontendGrantHandler interface for that can handle valid delete frontend grant params
+type DeleteFrontendGrantHandler interface {
+	Handle(DeleteFrontendGrantParams, *rest_model_zrok.Principal) middleware.Responder
+}
+
+// NewDeleteFrontendGrant creates a new http.Handler for the delete frontend grant operation
+func NewDeleteFrontendGrant(ctx *middleware.Context, handler DeleteFrontendGrantHandler) *DeleteFrontendGrant {
+	return &DeleteFrontendGrant{Context: ctx, Handler: handler}
+}
+
+/*
+	DeleteFrontendGrant swagger:route DELETE /frontend/grant admin deleteFrontendGrant
+
+DeleteFrontendGrant delete frontend grant API
+*/
+type DeleteFrontendGrant struct {
+	Context *middleware.Context
+	Handler DeleteFrontendGrantHandler
+}
+
+func (o *DeleteFrontendGrant) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		*r = *rCtx
+	}
+	var Params = NewDeleteFrontendGrantParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *rest_model_zrok.Principal
+	if uprinc != nil {
+		principal = uprinc.(*rest_model_zrok.Principal) // this is really a rest_model_zrok.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
+
+// DeleteFrontendGrantBody delete frontend grant body
+//
+// swagger:model DeleteFrontendGrantBody
+type DeleteFrontendGrantBody struct {
+
+	// email
+	Email string `json:"email,omitempty"`
+
+	// frontend token
+	FrontendToken string `json:"frontendToken,omitempty"`
+}
+
+// Validate validates this delete frontend grant body
+func (o *DeleteFrontendGrantBody) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this delete frontend grant body based on context it is used
+func (o *DeleteFrontendGrantBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *DeleteFrontendGrantBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *DeleteFrontendGrantBody) UnmarshalBinary(b []byte) error {
+	var res DeleteFrontendGrantBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_server_zrok/operations/admin/delete_frontend_grant_parameters.go

@@ -0,0 +1,74 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/validate"
+)
+
+// NewDeleteFrontendGrantParams creates a new DeleteFrontendGrantParams object
+//
+// There are no default values defined in the spec.
+func NewDeleteFrontendGrantParams() DeleteFrontendGrantParams {
+
+	return DeleteFrontendGrantParams{}
+}
+
+// DeleteFrontendGrantParams contains all the bound params for the delete frontend grant operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters deleteFrontendGrant
+type DeleteFrontendGrantParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  In: body
+	*/
+	Body DeleteFrontendGrantBody
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewDeleteFrontendGrantParams() beforehand.
+func (o *DeleteFrontendGrantParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	if runtime.HasBody(r) {
+		defer r.Body.Close()
+		var body DeleteFrontendGrantBody
+		if err := route.Consumer.Consume(r.Body, &body); err != nil {
+			res = append(res, errors.NewParseError("body", "body", "", err))
+		} else {
+			// validate body object
+			if err := body.Validate(route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			ctx := validate.WithOperationRequest(r.Context())
+			if err := body.ContextValidate(ctx, route.Formats); err != nil {
+				res = append(res, err)
+			}
+
+			if len(res) == 0 {
+				o.Body = body
+			}
+		}
+	}
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}

rest_server_zrok/operations/admin/delete_frontend_grant_responses.go

@@ -0,0 +1,87 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+)
+
+// DeleteFrontendGrantOKCode is the HTTP code returned for type DeleteFrontendGrantOK
+const DeleteFrontendGrantOKCode int = 200
+
+/*
+DeleteFrontendGrantOK ok
+
+swagger:response deleteFrontendGrantOK
+*/
+type DeleteFrontendGrantOK struct {
+}
+
+// NewDeleteFrontendGrantOK creates DeleteFrontendGrantOK with default headers values
+func NewDeleteFrontendGrantOK() *DeleteFrontendGrantOK {
+
+	return &DeleteFrontendGrantOK{}
+}
+
+// WriteResponse to the client
+func (o *DeleteFrontendGrantOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(200)
+}
+
+// DeleteFrontendGrantUnauthorizedCode is the HTTP code returned for type DeleteFrontendGrantUnauthorized
+const DeleteFrontendGrantUnauthorizedCode int = 401
+
+/*
+DeleteFrontendGrantUnauthorized unauthorized
+
+swagger:response deleteFrontendGrantUnauthorized
+*/
+type DeleteFrontendGrantUnauthorized struct {
+}
+
+// NewDeleteFrontendGrantUnauthorized creates DeleteFrontendGrantUnauthorized with default headers values
+func NewDeleteFrontendGrantUnauthorized() *DeleteFrontendGrantUnauthorized {
+
+	return &DeleteFrontendGrantUnauthorized{}
+}
+
+// WriteResponse to the client
+func (o *DeleteFrontendGrantUnauthorized) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(401)
+}
+
+// DeleteFrontendGrantInternalServerErrorCode is the HTTP code returned for type DeleteFrontendGrantInternalServerError
+const DeleteFrontendGrantInternalServerErrorCode int = 500
+
+/*
+DeleteFrontendGrantInternalServerError internal server error
+
+swagger:response deleteFrontendGrantInternalServerError
+*/
+type DeleteFrontendGrantInternalServerError struct {
+}
+
+// NewDeleteFrontendGrantInternalServerError creates DeleteFrontendGrantInternalServerError with default headers values
+func NewDeleteFrontendGrantInternalServerError() *DeleteFrontendGrantInternalServerError {
+
+	return &DeleteFrontendGrantInternalServerError{}
+}
+
+// WriteResponse to the client
+func (o *DeleteFrontendGrantInternalServerError) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(500)
+}

rest_server_zrok/operations/admin/delete_frontend_grant_urlbuilder.go

@@ -0,0 +1,87 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package admin
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+)
+
+// DeleteFrontendGrantURL generates an URL for the delete frontend grant operation
+type DeleteFrontendGrantURL struct {
+	_basePath string
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *DeleteFrontendGrantURL) WithBasePath(bp string) *DeleteFrontendGrantURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *DeleteFrontendGrantURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *DeleteFrontendGrantURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/frontend/grant"
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *DeleteFrontendGrantURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *DeleteFrontendGrantURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *DeleteFrontendGrantURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on DeleteFrontendGrantURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on DeleteFrontendGrantURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *DeleteFrontendGrantURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}

rest_server_zrok/operations/zrok_api.go

@@ -53,6 +53,9 @@ func NewZrokAPI(spec *loads.Document) *ZrokAPI {
 		ShareAccessHandler: share.AccessHandlerFunc(func(params share.AccessParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation share.Access has not yet been implemented")
 		}),
+		AdminAddFrontendGrantHandler: admin.AddFrontendGrantHandlerFunc(func(params admin.AddFrontendGrantParams, principal *rest_model_zrok.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation admin.AddFrontendGrant has not yet been implemented")
+		}),
 		AdminAddOrganizationMemberHandler: admin.AddOrganizationMemberHandlerFunc(func(params admin.AddOrganizationMemberParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin.AddOrganizationMember has not yet been implemented")
 		}),
@@ -80,6 +83,9 @@ func NewZrokAPI(spec *loads.Document) *ZrokAPI {
 		AdminDeleteFrontendHandler: admin.DeleteFrontendHandlerFunc(func(params admin.DeleteFrontendParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin.DeleteFrontend has not yet been implemented")
 		}),
+		AdminDeleteFrontendGrantHandler: admin.DeleteFrontendGrantHandlerFunc(func(params admin.DeleteFrontendGrantParams, principal *rest_model_zrok.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation admin.DeleteFrontendGrant has not yet been implemented")
+		}),
 		AdminDeleteOrganizationHandler: admin.DeleteOrganizationHandlerFunc(func(params admin.DeleteOrganizationParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin.DeleteOrganization has not yet been implemented")
 		}),
@@ -264,6 +270,8 @@ type ZrokAPI struct {
 
 	// ShareAccessHandler sets the operation handler for the access operation
 	ShareAccessHandler share.AccessHandler
+	// AdminAddFrontendGrantHandler sets the operation handler for the add frontend grant operation
+	AdminAddFrontendGrantHandler admin.AddFrontendGrantHandler
 	// AdminAddOrganizationMemberHandler sets the operation handler for the add organization member operation
 	AdminAddOrganizationMemberHandler admin.AddOrganizationMemberHandler
 	// AccountChangePasswordHandler sets the operation handler for the change password operation
@@ -282,6 +290,8 @@ type ZrokAPI struct {
 	AdminCreateOrganizationHandler admin.CreateOrganizationHandler
 	// AdminDeleteFrontendHandler sets the operation handler for the delete frontend operation
 	AdminDeleteFrontendHandler admin.DeleteFrontendHandler
+	// AdminDeleteFrontendGrantHandler sets the operation handler for the delete frontend grant operation
+	AdminDeleteFrontendGrantHandler admin.DeleteFrontendGrantHandler
 	// AdminDeleteOrganizationHandler sets the operation handler for the delete organization operation
 	AdminDeleteOrganizationHandler admin.DeleteOrganizationHandler
 	// EnvironmentDisableHandler sets the operation handler for the disable operation
@@ -454,6 +464,9 @@ func (o *ZrokAPI) Validate() error {
 	if o.ShareAccessHandler == nil {
 		unregistered = append(unregistered, "share.AccessHandler")
 	}
+	if o.AdminAddFrontendGrantHandler == nil {
+		unregistered = append(unregistered, "admin.AddFrontendGrantHandler")
+	}
 	if o.AdminAddOrganizationMemberHandler == nil {
 		unregistered = append(unregistered, "admin.AddOrganizationMemberHandler")
 	}
@@ -481,6 +494,9 @@ func (o *ZrokAPI) Validate() error {
 	if o.AdminDeleteFrontendHandler == nil {
 		unregistered = append(unregistered, "admin.DeleteFrontendHandler")
 	}
+	if o.AdminDeleteFrontendGrantHandler == nil {
+		unregistered = append(unregistered, "admin.DeleteFrontendGrantHandler")
+	}
 	if o.AdminDeleteOrganizationHandler == nil {
 		unregistered = append(unregistered, "admin.DeleteOrganizationHandler")
 	}
@@ -719,6 +735,10 @@ func (o *ZrokAPI) initHandlerCache() {
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)
 	}
+	o.handlers["POST"]["/frontend/grant"] = admin.NewAddFrontendGrant(o.context, o.AdminAddFrontendGrantHandler)
+	if o.handlers["POST"] == nil {
+		o.handlers["POST"] = make(map[string]http.Handler)
+	}
 	o.handlers["POST"]["/organization/add"] = admin.NewAddOrganizationMember(o.context, o.AdminAddOrganizationMemberHandler)
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)
@@ -755,6 +775,10 @@ func (o *ZrokAPI) initHandlerCache() {
 	if o.handlers["DELETE"] == nil {
 		o.handlers["DELETE"] = make(map[string]http.Handler)
 	}
+	o.handlers["DELETE"]["/frontend/grant"] = admin.NewDeleteFrontendGrant(o.context, o.AdminDeleteFrontendGrantHandler)
+	if o.handlers["DELETE"] == nil {
+		o.handlers["DELETE"] = make(map[string]http.Handler)
+	}
 	o.handlers["DELETE"]["/organization"] = admin.NewDeleteOrganization(o.context, o.AdminDeleteOrganizationHandler)
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)

sdk/nodejs/sdk/src/api/.openapi-generator/FILES

@@ -9,6 +9,7 @@ apis/index.ts
 index.ts
 models/Access201Response.ts
 models/AccessRequest.ts
+models/AddFrontendGrantRequest.ts
 models/AddOrganizationMemberRequest.ts
 models/AuthUser.ts
 models/ChangePasswordRequest.ts

sdk/nodejs/sdk/src/api/apis/AdminApi.ts

@@ -15,6 +15,7 @@
 
 import * as runtime from '../runtime';
 import type {
+  AddFrontendGrantRequest,
   AddOrganizationMemberRequest,
   CreateFrontend201Response,
   CreateFrontendRequest,
@@ -33,6 +34,8 @@ import type {
   Verify200Response,
 } from '../models/index';
 import {
+    AddFrontendGrantRequestFromJSON,
+    AddFrontendGrantRequestToJSON,
     AddOrganizationMemberRequestFromJSON,
     AddOrganizationMemberRequestToJSON,
     CreateFrontend201ResponseFromJSON,
@@ -67,6 +70,10 @@ import {
     Verify200ResponseToJSON,
 } from '../models/index';
 
+export interface AddFrontendGrantOperationRequest {
+    body?: AddFrontendGrantRequest;
+}
+
 export interface AddOrganizationMemberOperationRequest {
     body?: AddOrganizationMemberRequest;
 }
@@ -91,6 +98,10 @@ export interface DeleteFrontendRequest {
     body?: CreateFrontend201Response;
 }
 
+export interface DeleteFrontendGrantRequest {
+    body?: AddFrontendGrantRequest;
+}
+
 export interface DeleteOrganizationRequest {
     body?: CreateOrganization201Response;
 }
@@ -120,6 +131,36 @@ export interface UpdateFrontendOperationRequest {
  */
 export class AdminApi extends runtime.BaseAPI {
 
+    /**
+     */
+    async addFrontendGrantRaw(requestParameters: AddFrontendGrantOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/frontend/grant`,
+            method: 'POST',
+            headers: headerParameters,
+            query: queryParameters,
+            body: AddFrontendGrantRequestToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async addFrontendGrant(requestParameters: AddFrontendGrantOperationRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.addFrontendGrantRaw(requestParameters, initOverrides);
+    }
+
     /**
      */
     async addOrganizationMemberRaw(requestParameters: AddOrganizationMemberOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
@@ -304,6 +345,36 @@ export class AdminApi extends runtime.BaseAPI {
         await this.deleteFrontendRaw(requestParameters, initOverrides);
     }
 
+    /**
+     */
+    async deleteFrontendGrantRaw(requestParameters: DeleteFrontendGrantRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/frontend/grant`,
+            method: 'DELETE',
+            headers: headerParameters,
+            query: queryParameters,
+            body: AddFrontendGrantRequestToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async deleteFrontendGrant(requestParameters: DeleteFrontendGrantRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.deleteFrontendGrantRaw(requestParameters, initOverrides);
+    }
+
     /**
      */
     async deleteOrganizationRaw(requestParameters: DeleteOrganizationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {

sdk/nodejs/sdk/src/api/models/AddFrontendGrantRequest.ts

@@ -0,0 +1,73 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * zrok
+ * zrok client access
+ *
+ * The version of the OpenAPI document: 1.0.0
+ * 
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import { mapValues } from '../runtime';
+/**
+ * 
+ * @export
+ * @interface AddFrontendGrantRequest
+ */
+export interface AddFrontendGrantRequest {
+    /**
+     * 
+     * @type {string}
+     * @memberof AddFrontendGrantRequest
+     */
+    frontendToken?: string;
+    /**
+     * 
+     * @type {string}
+     * @memberof AddFrontendGrantRequest
+     */
+    email?: string;
+}
+
+/**
+ * Check if a given object implements the AddFrontendGrantRequest interface.
+ */
+export function instanceOfAddFrontendGrantRequest(value: object): value is AddFrontendGrantRequest {
+    return true;
+}
+
+export function AddFrontendGrantRequestFromJSON(json: any): AddFrontendGrantRequest {
+    return AddFrontendGrantRequestFromJSONTyped(json, false);
+}
+
+export function AddFrontendGrantRequestFromJSONTyped(json: any, ignoreDiscriminator: boolean): AddFrontendGrantRequest {
+    if (json == null) {
+        return json;
+    }
+    return {
+        
+        'frontendToken': json['frontendToken'] == null ? undefined : json['frontendToken'],
+        'email': json['email'] == null ? undefined : json['email'],
+    };
+}
+
+export function AddFrontendGrantRequestToJSON(json: any): AddFrontendGrantRequest {
+    return AddFrontendGrantRequestToJSONTyped(json, false);
+}
+
+export function AddFrontendGrantRequestToJSONTyped(value?: AddFrontendGrantRequest | null, ignoreDiscriminator: boolean = false): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        
+        'frontendToken': value['frontendToken'],
+        'email': value['email'],
+    };
+}
+

sdk/nodejs/sdk/src/api/models/index.ts

@@ -2,6 +2,7 @@
 /* eslint-disable */
 export * from './Access201Response';
 export * from './AccessRequest';
+export * from './AddFrontendGrantRequest';
 export * from './AddOrganizationMemberRequest';
 export * from './AuthUser';
 export * from './ChangePasswordRequest';

sdk/python/src/.openapi-generator/FILES

@@ -3,6 +3,7 @@ README.md
 docs/Access201Response.md
 docs/AccessRequest.md
 docs/AccountApi.md
+docs/AddFrontendGrantRequest.md
 docs/AddOrganizationMemberRequest.md
 docs/AdminApi.md
 docs/AgentApi.md
@@ -74,6 +75,7 @@ test/__init__.py
 test/test_access201_response.py
 test/test_access_request.py
 test/test_account_api.py
+test/test_add_frontend_grant_request.py
 test/test_add_organization_member_request.py
 test/test_admin_api.py
 test/test_agent_api.py
@@ -154,6 +156,7 @@ zrok_api/exceptions.py
 zrok_api/models/__init__.py
 zrok_api/models/access201_response.py
 zrok_api/models/access_request.py
+zrok_api/models/add_frontend_grant_request.py
 zrok_api/models/add_organization_member_request.py
 zrok_api/models/auth_user.py
 zrok_api/models/change_password_request.py

sdk/python/src/README.md

@@ -100,12 +100,14 @@ Class | Method | HTTP request | Description
 *AccountApi* | [**reset_password**](docs/AccountApi.md#reset_password) | **POST** /resetPassword | 
 *AccountApi* | [**reset_password_request**](docs/AccountApi.md#reset_password_request) | **POST** /resetPasswordRequest | 
 *AccountApi* | [**verify**](docs/AccountApi.md#verify) | **POST** /verify | 
+*AdminApi* | [**add_frontend_grant**](docs/AdminApi.md#add_frontend_grant) | **POST** /frontend/grant | 
 *AdminApi* | [**add_organization_member**](docs/AdminApi.md#add_organization_member) | **POST** /organization/add | 
 *AdminApi* | [**create_account**](docs/AdminApi.md#create_account) | **POST** /account | 
 *AdminApi* | [**create_frontend**](docs/AdminApi.md#create_frontend) | **POST** /frontend | 
 *AdminApi* | [**create_identity**](docs/AdminApi.md#create_identity) | **POST** /identity | 
 *AdminApi* | [**create_organization**](docs/AdminApi.md#create_organization) | **POST** /organization | 
 *AdminApi* | [**delete_frontend**](docs/AdminApi.md#delete_frontend) | **DELETE** /frontend | 
+*AdminApi* | [**delete_frontend_grant**](docs/AdminApi.md#delete_frontend_grant) | **DELETE** /frontend/grant | 
 *AdminApi* | [**delete_organization**](docs/AdminApi.md#delete_organization) | **DELETE** /organization | 
 *AdminApi* | [**grants**](docs/AdminApi.md#grants) | **POST** /grants | 
 *AdminApi* | [**invite_token_generate**](docs/AdminApi.md#invite_token_generate) | **POST** /invite/token/generate | 
@@ -152,6 +154,7 @@ Class | Method | HTTP request | Description
 
  - [Access201Response](docs/Access201Response.md)
  - [AccessRequest](docs/AccessRequest.md)
+ - [AddFrontendGrantRequest](docs/AddFrontendGrantRequest.md)
  - [AddOrganizationMemberRequest](docs/AddOrganizationMemberRequest.md)
  - [AuthUser](docs/AuthUser.md)
  - [ChangePasswordRequest](docs/ChangePasswordRequest.md)

sdk/python/src/docs/AddFrontendGrantRequest.md

@@ -0,0 +1,30 @@
+# AddFrontendGrantRequest
+
+
+## Properties
+
+Name | Type | Description | Notes
+------------ | ------------- | ------------- | -------------
+**frontend_token** | **str** |  | [optional] 
+**email** | **str** |  | [optional] 
+
+## Example
+
+```python
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
+
+# TODO update the JSON string below
+json = "{}"
+# create an instance of AddFrontendGrantRequest from a JSON string
+add_frontend_grant_request_instance = AddFrontendGrantRequest.from_json(json)
+# print the JSON string representation of the object
+print(AddFrontendGrantRequest.to_json())
+
+# convert the object into a dict
+add_frontend_grant_request_dict = add_frontend_grant_request_instance.to_dict()
+# create an instance of AddFrontendGrantRequest from a dict
+add_frontend_grant_request_from_dict = AddFrontendGrantRequest.from_dict(add_frontend_grant_request_dict)
+```
+[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+
+

sdk/python/src/docs/AdminApi.md

@@ -4,12 +4,14 @@ All URIs are relative to */api/v1*
 
 Method | HTTP request | Description
 ------------- | ------------- | -------------
+[**add_frontend_grant**](AdminApi.md#add_frontend_grant) | **POST** /frontend/grant | 
 [**add_organization_member**](AdminApi.md#add_organization_member) | **POST** /organization/add | 
 [**create_account**](AdminApi.md#create_account) | **POST** /account | 
 [**create_frontend**](AdminApi.md#create_frontend) | **POST** /frontend | 
 [**create_identity**](AdminApi.md#create_identity) | **POST** /identity | 
 [**create_organization**](AdminApi.md#create_organization) | **POST** /organization | 
 [**delete_frontend**](AdminApi.md#delete_frontend) | **DELETE** /frontend | 
+[**delete_frontend_grant**](AdminApi.md#delete_frontend_grant) | **DELETE** /frontend/grant | 
 [**delete_organization**](AdminApi.md#delete_organization) | **DELETE** /organization | 
 [**grants**](AdminApi.md#grants) | **POST** /grants | 
 [**invite_token_generate**](AdminApi.md#invite_token_generate) | **POST** /invite/token/generate | 
@@ -20,6 +22,80 @@ Method | HTTP request | Description
 [**update_frontend**](AdminApi.md#update_frontend) | **PATCH** /frontend | 
 
 
+# **add_frontend_grant**
+> add_frontend_grant(body=body)
+
+### Example
+
+* Api Key Authentication (key):
+
+```python
+import zrok_api
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
+from zrok_api.rest import ApiException
+from pprint import pprint
+
+# Defining the host is optional and defaults to /api/v1
+# See configuration.py for a list of all supported configuration parameters.
+configuration = zrok_api.Configuration(
+    host = "/api/v1"
+)
+
+# The client must configure the authentication and authorization parameters
+# in accordance with the API server security policy.
+# Examples for each auth method are provided below, use the example that
+# satisfies your auth use case.
+
+# Configure API key authorization: key
+configuration.api_key['key'] = os.environ["API_KEY"]
+
+# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+# configuration.api_key_prefix['key'] = 'Bearer'
+
+# Enter a context with an instance of the API client
+with zrok_api.ApiClient(configuration) as api_client:
+    # Create an instance of the API class
+    api_instance = zrok_api.AdminApi(api_client)
+    body = zrok_api.AddFrontendGrantRequest() # AddFrontendGrantRequest |  (optional)
+
+    try:
+        api_instance.add_frontend_grant(body=body)
+    except Exception as e:
+        print("Exception when calling AdminApi->add_frontend_grant: %s\n" % e)
+```
+
+
+
+### Parameters
+
+
+Name | Type | Description  | Notes
+------------- | ------------- | ------------- | -------------
+ **body** | [**AddFrontendGrantRequest**](AddFrontendGrantRequest.md)|  | [optional] 
+
+### Return type
+
+void (empty response body)
+
+### Authorization
+
+[key](../README.md#key)
+
+### HTTP request headers
+
+ - **Content-Type**: application/zrok.v1+json
+ - **Accept**: Not defined
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+|-------------|-------------|------------------|
+**200** | ok |  -  |
+**401** | unauthorized |  -  |
+**500** | internal server error |  -  |
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
 # **add_organization_member**
 > add_organization_member(body=body)
 
@@ -480,6 +556,80 @@ void (empty response body)
 
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 
+# **delete_frontend_grant**
+> delete_frontend_grant(body=body)
+
+### Example
+
+* Api Key Authentication (key):
+
+```python
+import zrok_api
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
+from zrok_api.rest import ApiException
+from pprint import pprint
+
+# Defining the host is optional and defaults to /api/v1
+# See configuration.py for a list of all supported configuration parameters.
+configuration = zrok_api.Configuration(
+    host = "/api/v1"
+)
+
+# The client must configure the authentication and authorization parameters
+# in accordance with the API server security policy.
+# Examples for each auth method are provided below, use the example that
+# satisfies your auth use case.
+
+# Configure API key authorization: key
+configuration.api_key['key'] = os.environ["API_KEY"]
+
+# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+# configuration.api_key_prefix['key'] = 'Bearer'
+
+# Enter a context with an instance of the API client
+with zrok_api.ApiClient(configuration) as api_client:
+    # Create an instance of the API class
+    api_instance = zrok_api.AdminApi(api_client)
+    body = zrok_api.AddFrontendGrantRequest() # AddFrontendGrantRequest |  (optional)
+
+    try:
+        api_instance.delete_frontend_grant(body=body)
+    except Exception as e:
+        print("Exception when calling AdminApi->delete_frontend_grant: %s\n" % e)
+```
+
+
+
+### Parameters
+
+
+Name | Type | Description  | Notes
+------------- | ------------- | ------------- | -------------
+ **body** | [**AddFrontendGrantRequest**](AddFrontendGrantRequest.md)|  | [optional] 
+
+### Return type
+
+void (empty response body)
+
+### Authorization
+
+[key](../README.md#key)
+
+### HTTP request headers
+
+ - **Content-Type**: application/zrok.v1+json
+ - **Accept**: Not defined
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+|-------------|-------------|------------------|
+**200** | ok |  -  |
+**401** | unauthorized |  -  |
+**500** | internal server error |  -  |
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
 # **delete_organization**
 > delete_organization(body=body)
 

sdk/python/src/test/test_add_frontend_grant_request.py

@@ -0,0 +1,52 @@
+# coding: utf-8
+
+"""
+    zrok
+
+    zrok client access
+
+    The version of the OpenAPI document: 1.0.0
+    Generated by OpenAPI Generator (https://openapi-generator.tech)
+
+    Do not edit the class manually.
+"""  # noqa: E501
+
+
+import unittest
+
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
+
+class TestAddFrontendGrantRequest(unittest.TestCase):
+    """AddFrontendGrantRequest unit test stubs"""
+
+    def setUp(self):
+        pass
+
+    def tearDown(self):
+        pass
+
+    def make_instance(self, include_optional) -> AddFrontendGrantRequest:
+        """Test AddFrontendGrantRequest
+            include_optional is a boolean, when False only required
+            params are included, when True both required and
+            optional params are included """
+        # uncomment below to create an instance of `AddFrontendGrantRequest`
+        """
+        model = AddFrontendGrantRequest()
+        if include_optional:
+            return AddFrontendGrantRequest(
+                frontend_token = '',
+                email = ''
+            )
+        else:
+            return AddFrontendGrantRequest(
+        )
+        """
+
+    def testAddFrontendGrantRequest(self):
+        """Test AddFrontendGrantRequest"""
+        # inst_req_only = self.make_instance(include_optional=False)
+        # inst_req_and_optional = self.make_instance(include_optional=True)
+
+if __name__ == '__main__':
+    unittest.main()

sdk/python/src/test/test_admin_api.py

@@ -26,6 +26,12 @@ class TestAdminApi(unittest.TestCase):
     def tearDown(self) -> None:
         pass
 
+    def test_add_frontend_grant(self) -> None:
+        """Test case for add_frontend_grant
+
+        """
+        pass
+
     def test_add_organization_member(self) -> None:
         """Test case for add_organization_member
 
@@ -62,6 +68,12 @@ class TestAdminApi(unittest.TestCase):
         """
         pass
 
+    def test_delete_frontend_grant(self) -> None:
+        """Test case for delete_frontend_grant
+
+        """
+        pass
+
     def test_delete_organization(self) -> None:
         """Test case for delete_organization
 

sdk/python/src/zrok_api/__init__.py

@@ -38,6 +38,7 @@ from zrok_api.exceptions import ApiException
 # import models into sdk package
 from zrok_api.models.access201_response import Access201Response
 from zrok_api.models.access_request import AccessRequest
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
 from zrok_api.models.add_organization_member_request import AddOrganizationMemberRequest
 from zrok_api.models.auth_user import AuthUser
 from zrok_api.models.change_password_request import ChangePasswordRequest

sdk/python/src/zrok_api/api/admin_api.py

@@ -17,6 +17,7 @@ from typing import Any, Dict, List, Optional, Tuple, Union
 from typing_extensions import Annotated
 
 from typing import List, Optional
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
 from zrok_api.models.add_organization_member_request import AddOrganizationMemberRequest
 from zrok_api.models.create_frontend201_response import CreateFrontend201Response
 from zrok_api.models.create_frontend_request import CreateFrontendRequest
@@ -52,6 +53,276 @@ class AdminApi:
         self.api_client = api_client
 
 
+    @validate_call
+    def add_frontend_grant(
+        self,
+        body: Optional[AddFrontendGrantRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> None:
+        """add_frontend_grant
+
+
+        :param body:
+        :type body: AddFrontendGrantRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._add_frontend_grant_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        ).data
+
+
+    @validate_call
+    def add_frontend_grant_with_http_info(
+        self,
+        body: Optional[AddFrontendGrantRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> ApiResponse[None]:
+        """add_frontend_grant
+
+
+        :param body:
+        :type body: AddFrontendGrantRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._add_frontend_grant_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        )
+
+
+    @validate_call
+    def add_frontend_grant_without_preload_content(
+        self,
+        body: Optional[AddFrontendGrantRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> RESTResponseType:
+        """add_frontend_grant
+
+
+        :param body:
+        :type body: AddFrontendGrantRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._add_frontend_grant_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        return response_data.response
+
+
+    def _add_frontend_grant_serialize(
+        self,
+        body,
+        _request_auth,
+        _content_type,
+        _headers,
+        _host_index,
+    ) -> RequestSerialized:
+
+        _host = None
+
+        _collection_formats: Dict[str, str] = {
+        }
+
+        _path_params: Dict[str, str] = {}
+        _query_params: List[Tuple[str, str]] = []
+        _header_params: Dict[str, Optional[str]] = _headers or {}
+        _form_params: List[Tuple[str, str]] = []
+        _files: Dict[
+            str, Union[str, bytes, List[str], List[bytes], List[Tuple[str, bytes]]]
+        ] = {}
+        _body_params: Optional[bytes] = None
+
+        # process the path parameters
+        # process the query parameters
+        # process the header parameters
+        # process the form parameters
+        # process the body parameter
+        if body is not None:
+            _body_params = body
+
+
+
+        # set the HTTP header `Content-Type`
+        if _content_type:
+            _header_params['Content-Type'] = _content_type
+        else:
+            _default_content_type = (
+                self.api_client.select_header_content_type(
+                    [
+                        'application/zrok.v1+json'
+                    ]
+                )
+            )
+            if _default_content_type is not None:
+                _header_params['Content-Type'] = _default_content_type
+
+        # authentication setting
+        _auth_settings: List[str] = [
+            'key'
+        ]
+
+        return self.api_client.param_serialize(
+            method='POST',
+            resource_path='/frontend/grant',
+            path_params=_path_params,
+            query_params=_query_params,
+            header_params=_header_params,
+            body=_body_params,
+            post_params=_form_params,
+            files=_files,
+            auth_settings=_auth_settings,
+            collection_formats=_collection_formats,
+            _host=_host,
+            _request_auth=_request_auth
+        )
+
+
+
+
     @validate_call
     def add_organization_member(
         self,
@@ -1712,6 +1983,276 @@ class AdminApi:
 
 
 
+    @validate_call
+    def delete_frontend_grant(
+        self,
+        body: Optional[AddFrontendGrantRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> None:
+        """delete_frontend_grant
+
+
+        :param body:
+        :type body: AddFrontendGrantRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._delete_frontend_grant_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        ).data
+
+
+    @validate_call
+    def delete_frontend_grant_with_http_info(
+        self,
+        body: Optional[AddFrontendGrantRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> ApiResponse[None]:
+        """delete_frontend_grant
+
+
+        :param body:
+        :type body: AddFrontendGrantRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._delete_frontend_grant_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        response_data.read()
+        return self.api_client.response_deserialize(
+            response_data=response_data,
+            response_types_map=_response_types_map,
+        )
+
+
+    @validate_call
+    def delete_frontend_grant_without_preload_content(
+        self,
+        body: Optional[AddFrontendGrantRequest] = None,
+        _request_timeout: Union[
+            None,
+            Annotated[StrictFloat, Field(gt=0)],
+            Tuple[
+                Annotated[StrictFloat, Field(gt=0)],
+                Annotated[StrictFloat, Field(gt=0)]
+            ]
+        ] = None,
+        _request_auth: Optional[Dict[StrictStr, Any]] = None,
+        _content_type: Optional[StrictStr] = None,
+        _headers: Optional[Dict[StrictStr, Any]] = None,
+        _host_index: Annotated[StrictInt, Field(ge=0, le=0)] = 0,
+    ) -> RESTResponseType:
+        """delete_frontend_grant
+
+
+        :param body:
+        :type body: AddFrontendGrantRequest
+        :param _request_timeout: timeout setting for this request. If one
+                                 number provided, it will be total request
+                                 timeout. It can also be a pair (tuple) of
+                                 (connection, read) timeouts.
+        :type _request_timeout: int, tuple(int, int), optional
+        :param _request_auth: set to override the auth_settings for an a single
+                              request; this effectively ignores the
+                              authentication in the spec for a single request.
+        :type _request_auth: dict, optional
+        :param _content_type: force content-type for the request.
+        :type _content_type: str, Optional
+        :param _headers: set to override the headers for a single
+                         request; this effectively ignores the headers
+                         in the spec for a single request.
+        :type _headers: dict, optional
+        :param _host_index: set to override the host_index for a single
+                            request; this effectively ignores the host_index
+                            in the spec for a single request.
+        :type _host_index: int, optional
+        :return: Returns the result object.
+        """ # noqa: E501
+
+        _param = self._delete_frontend_grant_serialize(
+            body=body,
+            _request_auth=_request_auth,
+            _content_type=_content_type,
+            _headers=_headers,
+            _host_index=_host_index
+        )
+
+        _response_types_map: Dict[str, Optional[str]] = {
+            '200': None,
+            '401': None,
+            '500': None,
+        }
+        response_data = self.api_client.call_api(
+            *_param,
+            _request_timeout=_request_timeout
+        )
+        return response_data.response
+
+
+    def _delete_frontend_grant_serialize(
+        self,
+        body,
+        _request_auth,
+        _content_type,
+        _headers,
+        _host_index,
+    ) -> RequestSerialized:
+
+        _host = None
+
+        _collection_formats: Dict[str, str] = {
+        }
+
+        _path_params: Dict[str, str] = {}
+        _query_params: List[Tuple[str, str]] = []
+        _header_params: Dict[str, Optional[str]] = _headers or {}
+        _form_params: List[Tuple[str, str]] = []
+        _files: Dict[
+            str, Union[str, bytes, List[str], List[bytes], List[Tuple[str, bytes]]]
+        ] = {}
+        _body_params: Optional[bytes] = None
+
+        # process the path parameters
+        # process the query parameters
+        # process the header parameters
+        # process the form parameters
+        # process the body parameter
+        if body is not None:
+            _body_params = body
+
+
+
+        # set the HTTP header `Content-Type`
+        if _content_type:
+            _header_params['Content-Type'] = _content_type
+        else:
+            _default_content_type = (
+                self.api_client.select_header_content_type(
+                    [
+                        'application/zrok.v1+json'
+                    ]
+                )
+            )
+            if _default_content_type is not None:
+                _header_params['Content-Type'] = _default_content_type
+
+        # authentication setting
+        _auth_settings: List[str] = [
+            'key'
+        ]
+
+        return self.api_client.param_serialize(
+            method='DELETE',
+            resource_path='/frontend/grant',
+            path_params=_path_params,
+            query_params=_query_params,
+            header_params=_header_params,
+            body=_body_params,
+            post_params=_form_params,
+            files=_files,
+            auth_settings=_auth_settings,
+            collection_formats=_collection_formats,
+            _host=_host,
+            _request_auth=_request_auth
+        )
+
+
+
+
     @validate_call
     def delete_organization(
         self,

sdk/python/src/zrok_api/models/__init__.py

@@ -16,6 +16,7 @@
 # import models into model package
 from zrok_api.models.access201_response import Access201Response
 from zrok_api.models.access_request import AccessRequest
+from zrok_api.models.add_frontend_grant_request import AddFrontendGrantRequest
 from zrok_api.models.add_organization_member_request import AddOrganizationMemberRequest
 from zrok_api.models.auth_user import AuthUser
 from zrok_api.models.change_password_request import ChangePasswordRequest

sdk/python/src/zrok_api/models/add_frontend_grant_request.py

@@ -0,0 +1,89 @@
+# coding: utf-8
+
+"""
+    zrok
+
+    zrok client access
+
+    The version of the OpenAPI document: 1.0.0
+    Generated by OpenAPI Generator (https://openapi-generator.tech)
+
+    Do not edit the class manually.
+"""  # noqa: E501
+
+
+from __future__ import annotations
+import pprint
+import re  # noqa: F401
+import json
+
+from pydantic import BaseModel, ConfigDict, Field, StrictStr
+from typing import Any, ClassVar, Dict, List, Optional
+from typing import Optional, Set
+from typing_extensions import Self
+
+class AddFrontendGrantRequest(BaseModel):
+    """
+    AddFrontendGrantRequest
+    """ # noqa: E501
+    frontend_token: Optional[StrictStr] = Field(default=None, alias="frontendToken")
+    email: Optional[StrictStr] = None
+    __properties: ClassVar[List[str]] = ["frontendToken", "email"]
+
+    model_config = ConfigDict(
+        populate_by_name=True,
+        validate_assignment=True,
+        protected_namespaces=(),
+    )
+
+
+    def to_str(self) -> str:
+        """Returns the string representation of the model using alias"""
+        return pprint.pformat(self.model_dump(by_alias=True))
+
+    def to_json(self) -> str:
+        """Returns the JSON representation of the model using alias"""
+        # TODO: pydantic v2: use .model_dump_json(by_alias=True, exclude_unset=True) instead
+        return json.dumps(self.to_dict())
+
+    @classmethod
+    def from_json(cls, json_str: str) -> Optional[Self]:
+        """Create an instance of AddFrontendGrantRequest from a JSON string"""
+        return cls.from_dict(json.loads(json_str))
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Return the dictionary representation of the model using alias.
+
+        This has the following differences from calling pydantic's
+        `self.model_dump(by_alias=True)`:
+
+        * `None` is only added to the output dict for nullable fields that
+          were set at model initialization. Other fields with value `None`
+          are ignored.
+        """
+        excluded_fields: Set[str] = set([
+        ])
+
+        _dict = self.model_dump(
+            by_alias=True,
+            exclude=excluded_fields,
+            exclude_none=True,
+        )
+        return _dict
+
+    @classmethod
+    def from_dict(cls, obj: Optional[Dict[str, Any]]) -> Optional[Self]:
+        """Create an instance of AddFrontendGrantRequest from a dict"""
+        if obj is None:
+            return None
+
+        if not isinstance(obj, dict):
+            return cls.model_validate(obj)
+
+        _obj = cls.model_validate({
+            "frontendToken": obj.get("frontendToken"),
+            "email": obj.get("email")
+        })
+        return _obj
+
+

specs/zrok.yml

@@ -341,6 +341,54 @@ paths:
         500:
           description: internal server error
 
+  /frontend/grant:
+    post:
+      tags:
+        - admin
+      security:
+        - key: []
+      operationId: addFrontendGrant
+      parameters:
+        - name: body
+          in: body
+          schema:
+            type: object
+            properties:
+              frontendToken:
+                type: string
+              email:
+                type: string
+      responses:
+        200:
+          description: ok
+        401:
+          description: unauthorized
+        500:
+          description: internal server error
+    delete:
+      tags:
+        - admin
+      security:
+        - key: []
+      operationId: deleteFrontendGrant
+      parameters:
+        - name: body
+          in: body
+          schema:
+            type: object
+            properties:
+              frontendToken:
+                type: string
+              email:
+                type: string
+      responses:
+        200:
+          description: ok
+        401:
+          description: unauthorized
+        500:
+          description: internal server error
+
   /frontends:
     get:
       tags:

ui/src/api/.openapi-generator/FILES

@@ -9,6 +9,7 @@ apis/index.ts
 index.ts
 models/Access201Response.ts
 models/AccessRequest.ts
+models/AddFrontendGrantRequest.ts
 models/AddOrganizationMemberRequest.ts
 models/AuthUser.ts
 models/ChangePasswordRequest.ts

ui/src/api/apis/AdminApi.ts

@@ -15,6 +15,7 @@
 
 import * as runtime from '../runtime';
 import type {
+  AddFrontendGrantRequest,
   AddOrganizationMemberRequest,
   CreateFrontend201Response,
   CreateFrontendRequest,
@@ -33,6 +34,8 @@ import type {
   Verify200Response,
 } from '../models/index';
 import {
+    AddFrontendGrantRequestFromJSON,
+    AddFrontendGrantRequestToJSON,
     AddOrganizationMemberRequestFromJSON,
     AddOrganizationMemberRequestToJSON,
     CreateFrontend201ResponseFromJSON,
@@ -67,6 +70,10 @@ import {
     Verify200ResponseToJSON,
 } from '../models/index';
 
+export interface AddFrontendGrantOperationRequest {
+    body?: AddFrontendGrantRequest;
+}
+
 export interface AddOrganizationMemberOperationRequest {
     body?: AddOrganizationMemberRequest;
 }
@@ -91,6 +98,10 @@ export interface DeleteFrontendRequest {
     body?: CreateFrontend201Response;
 }
 
+export interface DeleteFrontendGrantRequest {
+    body?: AddFrontendGrantRequest;
+}
+
 export interface DeleteOrganizationRequest {
     body?: CreateOrganization201Response;
 }
@@ -120,6 +131,36 @@ export interface UpdateFrontendOperationRequest {
  */
 export class AdminApi extends runtime.BaseAPI {
 
+    /**
+     */
+    async addFrontendGrantRaw(requestParameters: AddFrontendGrantOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/frontend/grant`,
+            method: 'POST',
+            headers: headerParameters,
+            query: queryParameters,
+            body: AddFrontendGrantRequestToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async addFrontendGrant(requestParameters: AddFrontendGrantOperationRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.addFrontendGrantRaw(requestParameters, initOverrides);
+    }
+
     /**
      */
     async addOrganizationMemberRaw(requestParameters: AddOrganizationMemberOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
@@ -304,6 +345,36 @@ export class AdminApi extends runtime.BaseAPI {
         await this.deleteFrontendRaw(requestParameters, initOverrides);
     }
 
+    /**
+     */
+    async deleteFrontendGrantRaw(requestParameters: DeleteFrontendGrantRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters['Content-Type'] = 'application/zrok.v1+json';
+
+        if (this.configuration && this.configuration.apiKey) {
+            headerParameters["x-token"] = await this.configuration.apiKey("x-token"); // key authentication
+        }
+
+        const response = await this.request({
+            path: `/frontend/grant`,
+            method: 'DELETE',
+            headers: headerParameters,
+            query: queryParameters,
+            body: AddFrontendGrantRequestToJSON(requestParameters['body']),
+        }, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     */
+    async deleteFrontendGrant(requestParameters: DeleteFrontendGrantRequest = {}, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<void> {
+        await this.deleteFrontendGrantRaw(requestParameters, initOverrides);
+    }
+
     /**
      */
     async deleteOrganizationRaw(requestParameters: DeleteOrganizationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise<runtime.ApiResponse<void>> {

ui/src/api/models/AddFrontendGrantRequest.ts

@@ -0,0 +1,73 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * zrok
+ * zrok client access
+ *
+ * The version of the OpenAPI document: 1.0.0
+ * 
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import { mapValues } from '../runtime';
+/**
+ * 
+ * @export
+ * @interface AddFrontendGrantRequest
+ */
+export interface AddFrontendGrantRequest {
+    /**
+     * 
+     * @type {string}
+     * @memberof AddFrontendGrantRequest
+     */
+    frontendToken?: string;
+    /**
+     * 
+     * @type {string}
+     * @memberof AddFrontendGrantRequest
+     */
+    email?: string;
+}
+
+/**
+ * Check if a given object implements the AddFrontendGrantRequest interface.
+ */
+export function instanceOfAddFrontendGrantRequest(value: object): value is AddFrontendGrantRequest {
+    return true;
+}
+
+export function AddFrontendGrantRequestFromJSON(json: any): AddFrontendGrantRequest {
+    return AddFrontendGrantRequestFromJSONTyped(json, false);
+}
+
+export function AddFrontendGrantRequestFromJSONTyped(json: any, ignoreDiscriminator: boolean): AddFrontendGrantRequest {
+    if (json == null) {
+        return json;
+    }
+    return {
+        
+        'frontendToken': json['frontendToken'] == null ? undefined : json['frontendToken'],
+        'email': json['email'] == null ? undefined : json['email'],
+    };
+}
+
+export function AddFrontendGrantRequestToJSON(json: any): AddFrontendGrantRequest {
+    return AddFrontendGrantRequestToJSONTyped(json, false);
+}
+
+export function AddFrontendGrantRequestToJSONTyped(value?: AddFrontendGrantRequest | null, ignoreDiscriminator: boolean = false): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        
+        'frontendToken': value['frontendToken'],
+        'email': value['email'],
+    };
+}
+

ui/src/api/models/index.ts

@@ -2,6 +2,7 @@
 /* eslint-disable */
 export * from './Access201Response';
 export * from './AccessRequest';
+export * from './AddFrontendGrantRequest';
 export * from './AddOrganizationMemberRequest';
 export * from './AuthUser';
 export * from './ChangePasswordRequest';