From f859fd270e722c828da7631be8f0f9a386999430 Mon Sep 17 00:00:00 2001
From: Chris Reed
Date: Wed, 4 Jun 2025 12:03:14 -0500
Subject: [PATCH 01/10] feat(policy): Simple kas key algorithm should be enum.
---
 docs/grpc/index.html | 2 +-
 .../key_access_server_registry.swagger.json | 2 +-
 protocol/go/CHANGELOG.md | 30 --
 .../key_access_server_registry.pb.go | 378 +++++++++--------
 service/integration/kas_registry_key_test.go | 6 +-
 service/pkg/db/marshalHelpers.go | 22 +-
 .../policy/db/key_access_server_registry.go | 6 +
 service/policy/db/models.go | 9 +-
 service/policy/db/query.sql | 4 +-
 service/policy/db/query.sql.go | 8 +-
 .../key_access_server_registry.proto | 2 +-
 11 files changed, 216 insertions(+), 253 deletions(-)
 delete mode 100644 protocol/go/CHANGELOG.md
diff --git a/docs/grpc/index.html b/docs/grpc/index.html
index f2dceda4a4..76cce97a47 100644
--- a/docs/grpc/index.html
+++ b/docs/grpc/index.html
@@ -10256,7 +10256,7 @@

SimpleKasPublicKey

algorithm - string + policy.Algorithm

diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json
index 530c836802..371e2cbf26 100644
--- a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json
+++ b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json
@@ -645,7 +645,7 @@
 "type": "object",
 "properties": {
 "algorithm": {
- "type": "string"
+ "$ref": "#/definitions/policyAlgorithm"
 },
 "kid": {
 "type": "string"
diff --git a/protocol/go/CHANGELOG.md b/protocol/go/CHANGELOG.md
deleted file mode 100644
index e6abf60fd6..0000000000
--- a/protocol/go/CHANGELOG.md
+++ /dev/null
@@ -1,30 +0,0 @@
-# Changelog
-
-## [0.3.6](https://github.com/opentdf/platform/compare/protocol/go/v0.3.5...protocol/go/v0.3.6) (2025-05-27)
-
-
-### Features
-
-* **policy:** Update key status's and UpdateKey rpc. ([#2315](https://github.com/opentdf/platform/issues/2315)) ([7908db9](https://github.com/opentdf/platform/commit/7908db9c2be5adeccd3fb9f177187aee53698ee8))
-* **policy** Rename key context structures. ([#2318](https://github.com/opentdf/platform/pull/2318))
- ([4cb28a9](https://github.com/opentdf/platform/commit/4cb28a9216a208493086fc5d44d38270a9d6f3cc))
-
-## [0.3.5](https://github.com/opentdf/platform/compare/protocol/go/v0.3.4...protocol/go/v0.3.5) (2025-05-23)
-
-
-### Features
-
-* **policy:** Default Platform Keys ([#2254](https://github.com/opentdf/platform/issues/2254)) ([d7447fe](https://github.com/opentdf/platform/commit/d7447fe2604443b4c75c8e547acf414bf78af988))
-
-## [0.3.4](https://github.com/opentdf/platform/compare/protocol/go/v0.3.3...protocol/go/v0.3.4) (2025-05-20)
-
-
-### Features
-
-* **core:** v2 ERS with proto updates ([#2210](https://github.com/opentdf/platform/issues/2210)) ([a161ef8](https://github.com/opentdf/platform/commit/a161ef85d12600672ff695cc84b07579a70c5cac))
-* **policy:** Finish resource mapping groups ([#2224](https://github.com/opentdf/platform/issues/2224)) ([5ff754e](https://github.com/opentdf/platform/commit/5ff754e99189d09ec3698128d1bc51b6f7a90994))
-
-
-### Bug Fixes
-
-* update key_mode to provide more context ([#2226](https://github.com/opentdf/platform/issues/2226)) ([44d0805](https://github.com/opentdf/platform/commit/44d0805fb34d87098ada7b5f7c934f65365f77f1))
diff --git a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go
index 886c37e99f..291a6c43e2 100644
--- a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go
+++ b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go
@@ -2851,9 +2851,9 @@ type SimpleKasPublicKey struct {
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
 
- Algorithm string `protobuf:"bytes,1,opt,name=algorithm,proto3" json:"algorithm,omitempty"`
- Kid string `protobuf:"bytes,2,opt,name=kid,proto3" json:"kid,omitempty"`
- Pem string `protobuf:"bytes,3,opt,name=pem,proto3" json:"pem,omitempty"`
+ Algorithm policy.Algorithm `protobuf:"varint,1,opt,name=algorithm,proto3,enum=policy.Algorithm" json:"algorithm,omitempty"`
+ Kid string `protobuf:"bytes,2,opt,name=kid,proto3" json:"kid,omitempty"`
+ Pem string `protobuf:"bytes,3,opt,name=pem,proto3" json:"pem,omitempty"`
 }
 
 func (x *SimpleKasPublicKey) Reset() {
@@ -2888,11 +2888,11 @@ func (*SimpleKasPublicKey) Descriptor() ([]byte, []int) {
 return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{42}
 }
 
-func (x *SimpleKasPublicKey) GetAlgorithm() string {
+func (x *SimpleKasPublicKey) GetAlgorithm() policy.Algorithm {
 if x != nil {
 return x.Algorithm
 }
- return ""
+ return policy.Algorithm(0)
 }
 
 func (x *SimpleKasPublicKey) GetKid() string {
@@ -4174,154 +4174,155 @@ var file_policy_kasregistry_key_access_server_registry_proto_rawDesc = []byte{ 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x48, 0x00, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x42, 0x13, 0x0a, 0x0a, 0x61, 0x63, 0x74, 0x69, - 0x76, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x12, 0x05, 0xba, 0x48, 0x02, 0x08, 0x01, 0x22, 0x56, 0x0a, + 0x76, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x12, 0x05, 0xba, 0x48, 0x02, 0x08, 0x01, 0x22, 0x69, 0x0a, 0x12, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x4b, 0x65, 0x79, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, - 0x6d, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, - 0x6b, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x03, 0x70, 0x65, 0x6d, 0x22, 0x6e, 0x0a, 0x0c, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, - 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x61, 0x73, 0x5f, 0x75, 0x72, 0x69, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, 0x72, 0x69, 0x12, 0x45, - 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, - 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, - 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x4b, 0x65, 0x79, 0x22, 0x13, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, - 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x51, 0x0a, 0x12, 0x47, 0x65, - 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 
0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x12, 0x3b, 0x0a, 0x08, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, - 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, - 0x73, 0x4b, 0x65, 0x79, 0x52, 0x07, 0x62, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x22, 0xa6, 0x01, - 0x0a, 0x12, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x42, 0x0a, 0x0c, 0x6e, 0x65, 0x77, 0x5f, 0x62, 0x61, 0x73, 0x65, - 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, - 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x0a, 0x6e, 0x65, - 0x77, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x4c, 0x0a, 0x11, 0x70, 0x72, 0x65, 0x76, - 0x69, 0x6f, 0x75, 0x73, 0x5f, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, - 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x0f, 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x42, - 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x32, 0xeb, 0x0c, 0x0a, 0x1e, 0x4b, 0x65, 0x79, 0x41, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x99, 0x01, 0x0a, 0x14, 0x4c, 0x69, - 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x73, 0x12, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, - 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 
0x4b, 0x65, 0x79, 0x41, - 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, - 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, - 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x73, 0x90, 0x02, 0x01, 0x12, 0x98, 0x01, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, - 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x2d, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, - 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, - 0x93, 0x02, 0x1a, 0x12, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x90, 0x02, 0x01, - 0x12, 0x9c, 0x01, 0x0a, 0x15, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, - 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, - 0x65, 0x72, 
0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, - 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x3a, 0x01, 0x2a, 0x22, 0x13, 0x2f, 0x6b, 0x65, 0x79, - 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, - 0xa1, 0x01, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, - 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, - 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x4b, 0x65, 0x79, 0x12, 0x2f, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, + 0x69, 0x74, 0x68, 0x6d, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x03, 0x70, 0x65, 0x6d, 0x22, 0x6e, 0x0a, 0x0c, 0x53, 0x69, 0x6d, 0x70, + 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x61, 0x73, 0x5f, + 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 
0x09, 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, 0x72, + 0x69, 0x12, 0x45, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, + 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, + 0x65, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x22, 0x13, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x42, + 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x51, 0x0a, + 0x12, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x3b, 0x0a, 0x08, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, + 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, + 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x07, 0x62, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, + 0x22, 0xa6, 0x01, 0x0a, 0x12, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x42, 0x0a, 0x0c, 0x6e, 0x65, 0x77, 0x5f, 0x62, + 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, + 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, + 0x0a, 0x6e, 0x65, 0x77, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x4c, 0x0a, 0x11, 0x70, + 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x5f, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 
0x6d, 0x70, + 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x0f, 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, + 0x75, 0x73, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x32, 0xeb, 0x0c, 0x0a, 0x1e, 0x4b, 0x65, + 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x99, 0x01, 0x0a, + 0x14, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, + 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, + 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, + 0x12, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x73, 0x90, 0x02, 0x01, 0x12, 0x98, 0x01, 0x0a, 0x12, 0x47, 0x65, 0x74, + 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, + 0x2d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 
0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, - 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1d, 0x3a, 0x01, 0x2a, 0x32, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, - 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, - 0x69, 0x64, 0x7d, 0x12, 0x9e, 0x01, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, + 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x12, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, + 0x90, 0x02, 0x01, 0x12, 0x9c, 0x01, 0x0a, 0x15, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, + 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, - 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x2a, 0x18, 0x2f, 0x6b, 0x65, 0x79, - 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, - 0x7b, 0x69, 0x64, 0x7d, 0x12, 0xaf, 0x01, 0x0a, 0x19, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, - 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, - 0x74, 0x73, 0x12, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 
0x6b, 0x61, 0x73, 0x72, - 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, - 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, - 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, - 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, - 0x25, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1c, 0x12, 0x1a, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x67, 0x72, 0x61, - 0x6e, 0x74, 0x73, 0x90, 0x02, 0x01, 0x12, 0x5a, 0x0a, 0x09, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, - 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, - 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, - 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x22, 0x00, 0x12, 0x51, 0x0a, 0x06, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x70, + 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x3a, 0x01, 0x2a, 0x22, 0x13, 0x2f, + 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x73, 0x12, 0xa1, 0x01, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x79, 0x2e, 
0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, - 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x57, 0x0a, 0x08, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, - 0x73, 0x12, 0x23, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, - 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, - 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, - 0x0a, 0x09, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, - 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, - 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x52, 0x6f, - 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, - 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 
0x0a, 0x0a, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, - 0x65, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, - 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, - 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x70, 0x6f, + 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1d, 0x3a, 0x01, 0x2a, 0x32, 0x18, 0x2f, 0x6b, + 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0x9e, 0x01, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, + 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, + 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, + 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x2a, 0x18, 0x2f, + 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 
0x76, 0x65, + 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0xaf, 0x01, 0x0a, 0x19, 0x4c, 0x69, 0x73, 0x74, + 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, + 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, + 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, + 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, - 0x2e, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, - 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, - 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x70, 0x6f, 0x6c, + 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x22, 0x25, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1c, 0x12, 0x1a, 0x2f, 0x6b, 0x65, 0x79, + 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, + 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x90, 0x02, 0x01, 0x12, 0x5a, 0x0a, 0x09, 0x43, 0x72, 0x65, + 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, + 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 
0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, + 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x51, 0x0a, 0x06, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x12, + 0x21, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, + 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x57, 0x0a, 0x08, 0x4c, 0x69, 0x73, 0x74, + 0x4b, 0x65, 0x79, 0x73, 0x12, 0x23, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, + 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, + 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, + 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, + 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, + 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, + 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, + 0x09, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 
0x73, 0x74, 0x72, 0x79, 0x2e, - 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x22, 0x00, 0x42, 0xdb, 0x01, 0x0a, 0x16, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x42, - 0x1c, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, - 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, - 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, - 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, - 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xa2, 0x02, 0x03, 0x50, 0x4b, - 0x58, 0xaa, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x72, 0x65, - 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xca, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, - 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xe2, 0x02, 0x1e, 0x50, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, - 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x13, 0x50, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x53, 0x65, 0x74, + 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 
0x12, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, + 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x42, + 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x42, + 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, + 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xdb, 0x01, 0x0a, 0x16, 0x63, 0x6f, 0x6d, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, + 0x72, 0x79, 0x42, 0x1c, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, + 0x50, 0x01, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, + 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2f, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xa2, 0x02, + 0x03, 0x50, 0x4b, 0x58, 0xaa, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, + 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xca, 0x02, 0x12, 0x50, 
0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xe2, 0x02, + 0x1e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, + 0x02, 0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -4465,51 +4466,52 @@ var file_policy_kasregistry_key_access_server_registry_proto_depIdxs = []int32{ 64, // 57: policy.kasregistry.RotateKeyResponse.kas_key:type_name -> policy.KasKey 39, // 58: policy.kasregistry.RotateKeyResponse.rotated_resources:type_name -> policy.kasregistry.RotatedResources 36, // 59: policy.kasregistry.SetBaseKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier - 42, // 60: policy.kasregistry.SimpleKasKey.public_key:type_name -> policy.kasregistry.SimpleKasPublicKey - 43, // 61: policy.kasregistry.GetBaseKeyResponse.base_key:type_name -> policy.kasregistry.SimpleKasKey - 43, // 62: policy.kasregistry.SetBaseKeyResponse.new_base_key:type_name -> policy.kasregistry.SimpleKasKey - 43, // 63: policy.kasregistry.SetBaseKeyResponse.previous_base_key:type_name -> policy.kasregistry.SimpleKasKey - 48, // 64: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping.public_keys:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKey - 59, // 65: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.key:type_name -> policy.Key - 49, // 66: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.values:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association - 49, // 67: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.definitions:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association - 49, // 68: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.namespaces:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association - 60, // 69: policy.kasregistry.RotateKeyRequest.NewKey.algorithm:type_name -> policy.Algorithm - 61, // 70: policy.kasregistry.RotateKeyRequest.NewKey.key_mode:type_name -> policy.KeyMode - 62, // 71: policy.kasregistry.RotateKeyRequest.NewKey.public_key_ctx:type_name -> policy.PublicKeyCtx - 63, // 72: policy.kasregistry.RotateKeyRequest.NewKey.private_key_ctx:type_name -> policy.PrivateKeyCtx - 56, // 73: 
policy.kasregistry.RotateKeyRequest.NewKey.metadata:type_name -> common.MetadataMutable - 2, // 74: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:input_type -> policy.kasregistry.ListKeyAccessServersRequest - 0, // 75: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:input_type -> policy.kasregistry.GetKeyAccessServerRequest - 4, // 76: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:input_type -> policy.kasregistry.CreateKeyAccessServerRequest - 6, // 77: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:input_type -> policy.kasregistry.UpdateKeyAccessServerRequest - 8, // 78: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:input_type -> policy.kasregistry.DeleteKeyAccessServerRequest - 26, // 79: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:input_type -> policy.kasregistry.ListKeyAccessServerGrantsRequest - 28, // 80: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:input_type -> policy.kasregistry.CreateKeyRequest - 30, // 81: policy.kasregistry.KeyAccessServerRegistryService.GetKey:input_type -> policy.kasregistry.GetKeyRequest - 32, // 82: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:input_type -> policy.kasregistry.ListKeysRequest - 34, // 83: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:input_type -> policy.kasregistry.UpdateKeyRequest - 37, // 84: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:input_type -> policy.kasregistry.RotateKeyRequest - 41, // 85: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:input_type -> policy.kasregistry.SetBaseKeyRequest - 44, // 86: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:input_type -> policy.kasregistry.GetBaseKeyRequest - 3, // 87: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:output_type -> policy.kasregistry.ListKeyAccessServersResponse - 1, // 88: 
policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:output_type -> policy.kasregistry.GetKeyAccessServerResponse - 5, // 89: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:output_type -> policy.kasregistry.CreateKeyAccessServerResponse - 7, // 90: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:output_type -> policy.kasregistry.UpdateKeyAccessServerResponse - 9, // 91: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:output_type -> policy.kasregistry.DeleteKeyAccessServerResponse - 27, // 92: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:output_type -> policy.kasregistry.ListKeyAccessServerGrantsResponse - 29, // 93: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:output_type -> policy.kasregistry.CreateKeyResponse - 31, // 94: policy.kasregistry.KeyAccessServerRegistryService.GetKey:output_type -> policy.kasregistry.GetKeyResponse - 33, // 95: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:output_type -> policy.kasregistry.ListKeysResponse - 35, // 96: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:output_type -> policy.kasregistry.UpdateKeyResponse - 40, // 97: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:output_type -> policy.kasregistry.RotateKeyResponse - 46, // 98: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:output_type -> policy.kasregistry.SetBaseKeyResponse - 45, // 99: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:output_type -> policy.kasregistry.GetBaseKeyResponse - 87, // [87:100] is the sub-list for method output_type - 74, // [74:87] is the sub-list for method input_type - 74, // [74:74] is the sub-list for extension type_name - 74, // [74:74] is the sub-list for extension extendee - 0, // [0:74] is the sub-list for field type_name + 60, // 60: policy.kasregistry.SimpleKasPublicKey.algorithm:type_name -> policy.Algorithm + 42, // 61: 
policy.kasregistry.SimpleKasKey.public_key:type_name -> policy.kasregistry.SimpleKasPublicKey + 43, // 62: policy.kasregistry.GetBaseKeyResponse.base_key:type_name -> policy.kasregistry.SimpleKasKey + 43, // 63: policy.kasregistry.SetBaseKeyResponse.new_base_key:type_name -> policy.kasregistry.SimpleKasKey + 43, // 64: policy.kasregistry.SetBaseKeyResponse.previous_base_key:type_name -> policy.kasregistry.SimpleKasKey + 48, // 65: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping.public_keys:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKey + 59, // 66: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.key:type_name -> policy.Key + 49, // 67: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.values:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association + 49, // 68: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.definitions:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association + 49, // 69: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.namespaces:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association + 60, // 70: policy.kasregistry.RotateKeyRequest.NewKey.algorithm:type_name -> policy.Algorithm + 61, // 71: policy.kasregistry.RotateKeyRequest.NewKey.key_mode:type_name -> policy.KeyMode + 62, // 72: policy.kasregistry.RotateKeyRequest.NewKey.public_key_ctx:type_name -> policy.PublicKeyCtx + 63, // 73: policy.kasregistry.RotateKeyRequest.NewKey.private_key_ctx:type_name -> policy.PrivateKeyCtx + 56, // 74: policy.kasregistry.RotateKeyRequest.NewKey.metadata:type_name -> common.MetadataMutable + 2, // 75: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:input_type -> policy.kasregistry.ListKeyAccessServersRequest + 0, // 76: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:input_type -> policy.kasregistry.GetKeyAccessServerRequest + 4, // 77: 
policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:input_type -> policy.kasregistry.CreateKeyAccessServerRequest + 6, // 78: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:input_type -> policy.kasregistry.UpdateKeyAccessServerRequest + 8, // 79: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:input_type -> policy.kasregistry.DeleteKeyAccessServerRequest + 26, // 80: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:input_type -> policy.kasregistry.ListKeyAccessServerGrantsRequest + 28, // 81: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:input_type -> policy.kasregistry.CreateKeyRequest + 30, // 82: policy.kasregistry.KeyAccessServerRegistryService.GetKey:input_type -> policy.kasregistry.GetKeyRequest + 32, // 83: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:input_type -> policy.kasregistry.ListKeysRequest + 34, // 84: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:input_type -> policy.kasregistry.UpdateKeyRequest + 37, // 85: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:input_type -> policy.kasregistry.RotateKeyRequest + 41, // 86: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:input_type -> policy.kasregistry.SetBaseKeyRequest + 44, // 87: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:input_type -> policy.kasregistry.GetBaseKeyRequest + 3, // 88: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:output_type -> policy.kasregistry.ListKeyAccessServersResponse + 1, // 89: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:output_type -> policy.kasregistry.GetKeyAccessServerResponse + 5, // 90: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:output_type -> policy.kasregistry.CreateKeyAccessServerResponse + 7, // 91: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:output_type -> 
policy.kasregistry.UpdateKeyAccessServerResponse + 9, // 92: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:output_type -> policy.kasregistry.DeleteKeyAccessServerResponse + 27, // 93: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:output_type -> policy.kasregistry.ListKeyAccessServerGrantsResponse + 29, // 94: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:output_type -> policy.kasregistry.CreateKeyResponse + 31, // 95: policy.kasregistry.KeyAccessServerRegistryService.GetKey:output_type -> policy.kasregistry.GetKeyResponse + 33, // 96: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:output_type -> policy.kasregistry.ListKeysResponse + 35, // 97: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:output_type -> policy.kasregistry.UpdateKeyResponse + 40, // 98: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:output_type -> policy.kasregistry.RotateKeyResponse + 46, // 99: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:output_type -> policy.kasregistry.SetBaseKeyResponse + 45, // 100: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:output_type -> policy.kasregistry.GetBaseKeyResponse + 88, // [88:101] is the sub-list for method output_type + 75, // [75:88] is the sub-list for method input_type + 75, // [75:75] is the sub-list for extension type_name + 75, // [75:75] is the sub-list for extension extendee + 0, // [0:75] is the sub-list for field type_name } func init() { file_policy_kasregistry_key_access_server_registry_proto_init() } diff --git a/service/integration/kas_registry_key_test.go b/service/integration/kas_registry_key_test.go index 5f953b04c7..3203e5f8e7 100644 --- a/service/integration/kas_registry_key_test.go +++ b/service/integration/kas_registry_key_test.go 
@@ -28,7 +28,7 @@ const ( validKeyID3 = "key_id_3" keyID4 = "key_id_4" notFoundKasUUID = "123e4567-e89b-12d3-a456-426614174000" - keyCtx = `eyJrZXkiOiJ2YWx1ZSJ9Cg==` + keyCtx = `YS1wZW0K` providerConfigID = "123e4567-e89b-12d3-a456-426614174000" rotateKey = "rotate_key" nonRotateKey = "non_rotate_key" @@ -903,6 +903,10 @@ func (s *KasRegistryKeySuite) Test_SetBaseKey_Insert_Success() { s.NotNil(newBaseKey) s.Nil(newBaseKey.GetPreviousBaseKey()) s.Equal(key.GetKasKey().GetKey().GetKeyId(), newBaseKey.GetNewBaseKey().GetPublicKey().GetKid()) + s.Equal(key.GetKasKey().GetKey().GetKeyAlgorithm(), newBaseKey.GetNewBaseKey().GetPublicKey().GetAlgorithm()) + decodedKeyCtx, err := base64.StdEncoding.DecodeString(keyCtx) + s.Require().NoError(err) + s.Equal(string(decodedKeyCtx), newBaseKey.GetNewBaseKey().GetPublicKey().GetPem()) } func (s *KasRegistryKeySuite) Test_SetBaseKey_CannotSetPublicKeyOnlyKey_Fails() { diff --git a/service/pkg/db/marshalHelpers.go b/service/pkg/db/marshalHelpers.go index b8f1fd8f68..5375f9b42b 100644 --- a/service/pkg/db/marshalHelpers.go +++ b/service/pkg/db/marshalHelpers.go @@ -1,11 +1,9 @@ package db import ( - "encoding/base64" "encoding/json" "errors" "fmt" - "strconv" "github.com/opentdf/platform/protocol/go/common" "github.com/opentdf/platform/protocol/go/policy" @@ -125,7 +123,7 @@ func KasKeysProtoJSON(keysJSON []byte) ([]*policy.KasKey, error) { return keys, nil } -func formatAlg(alg policy.Algorithm) (string, error) { +func FormatAlg(alg policy.Algorithm) (string, error) { switch alg { case policy.Algorithm_ALGORITHM_RSA_2048: return "rsa:2048", nil 
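Review bot: The new assertion at the end of Test_SetBaseKey_Insert_Success compares the returned pem with the base64-decoded `keyCtx` fixture, which is now `YS1wZW0K` (decoding to `a-pem` plus a newline), so the test passes without ever exercising a syntactically valid PEM block. Since this series moves the base64 decoding from Go into the base-keys SQL query, a malformed stored value now surfaces as a database error instead of a per-key unmarshal error, and neither outcome is pinned here. A fixture holding a real `-----BEGIN PUBLIC KEY-----` block, or a second case storing a non-base64 ctx and asserting how SetBaseKey/GetBaseKey fail, would lock that behaviour down. The enclosing test method starts before the hunk.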
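Review bot: `FormatAlg` becomes an exported function of package db but has no doc comment, and exported names should carry one that starts with the name, e.g. `// FormatAlg renders a policy.Algorithm as the "<family>:<size>" string published in the well-known configuration (for example "rsa:2048").` Whether unrecognised or unspecified values produce an error is decided by the switch's remaining cases, which lie outside this hunk, so the comment should state that once confirmed.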
@@ -151,24 +149,6 @@ func UnmarshalSimpleKasKey(keysJSON []byte) (*kasregistry.SimpleKasKey, error) { if err := protojson.Unmarshal(keysJSON, key); err != nil { return nil, err } - - // In the db, this is stored as an integer, which is parsed to a string - // and then converted to the correct algorithm format. - alg, err := strconv.ParseInt(key.GetPublicKey().GetAlgorithm(), 10, 32) - if err != nil { - return nil, err - } - algorithm, err := formatAlg(policy.Algorithm(alg)) - if err != nil { - return nil, err - } - // The pem should always be present and base64 encoded, as it is required for creating a key. - pem, err := base64.StdEncoding.DecodeString(key.GetPublicKey().GetPem()) - if err != nil { - return nil, err - } - key.PublicKey.Pem = string(pem) - key.PublicKey.Algorithm = algorithm } return key, nil } diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go index cad1a14050..5b1d320dda 100644 --- a/service/policy/db/key_access_server_registry.go +++ b/service/policy/db/key_access_server_registry.go @@ -772,6 +772,11 @@ func (c PolicyDBClient) SetBaseKeyOnWellKnownConfig(ctx context.Context) error { return err } + algorithm, err := db.FormatAlg(baseKey.GetPublicKey().GetAlgorithm()) + if err != nil { + return fmt.Errorf("failed to format algorithm: %w", err) + } + keyMapBytes, err := json.Marshal(baseKey) if err != nil { return err @@ -781,6 +786,7 @@ func (c PolicyDBClient) SetBaseKeyOnWellKnownConfig(ctx context.Context) error { if err := json.Unmarshal(keyMapBytes, &keyMap); err != nil { return err } + keyMap["algorithm"] = algorithm wellknownconfiguration.UpdateConfigurationBaseKey(keyMap) return nil diff --git a/service/policy/db/models.go b/service/policy/db/models.go index 06ba7e557b..ba9fe7d908 100644 --- a/service/policy/db/models.go +++ b/service/policy/db/models.go 
@@ -373,10 +373,11 @@ type SubjectConditionSet struct { // Conditions that must be met for the subject entity to be entitled to the attribute value (see protos for JSON structure) Condition []byte `json:"condition"` // Metadata for the condition set (see protos for structure) - Metadata []byte `json:"metadata"` - CreatedAt pgtype.Timestamptz `json:"created_at"` - UpdatedAt pgtype.Timestamptz `json:"updated_at"` - SelectorValues []string `json:"selector_values"` + Metadata []byte `json:"metadata"` + CreatedAt pgtype.Timestamptz `json:"created_at"` + UpdatedAt pgtype.Timestamptz `json:"updated_at"` + // Array of cached selector values extracted from the condition JSONB and maintained via trigger. + SelectorValues []string `json:"selector_values"` } // Table to store conditions that logically entitle subject entity representations to attribute values diff --git a/service/policy/db/query.sql b/service/policy/db/query.sql index 3ef482e4b3..ac96d93a7d 100644 --- a/service/policy/db/query.sql +++ b/service/policy/db/query.sql @@ -1700,9 +1700,9 @@ SELECT DISTINCT JSONB_BUILD_OBJECT( 'kas_uri', kas.uri, 'public_key', JSONB_BUILD_OBJECT( - 'algorithm', kask.key_algorithm::TEXT, + 'algorithm', kask.key_algorithm::INTEGER, 'kid', kask.key_id, - 'pem', kask.public_key_ctx ->> 'pem' + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) AS base_keys FROM base_keys bk diff --git a/service/policy/db/query.sql.go b/service/policy/db/query.sql.go index db7d807a77..e44910c1f4 100644 --- a/service/policy/db/query.sql.go +++ b/service/policy/db/query.sql.go @@ -3431,9 +3431,9 @@ SELECT DISTINCT JSONB_BUILD_OBJECT( 'kas_uri', kas.uri, 'public_key', JSONB_BUILD_OBJECT( - 'algorithm', kask.key_algorithm::TEXT, + 'algorithm', kask.key_algorithm::INTEGER, 'kid', kask.key_id, - 'pem', kask.public_key_ctx ->> 'pem' + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) AS base_keys FROM base_keys bk 
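Review bot: `CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8')` raises a SQL error for any row whose stored pem is not valid base64 or does not decode to valid UTF-8, and because the decode now runs inside the base-keys query, one malformed record fails the whole statement rather than the single key that the removed Go-side decode would have rejected. That invariant deserves a comment above the expression, e.g. `-- public_key_ctx.pem is expected to be base64; a row that is not fails this whole query`. The `::INTEGER` cast for `algorithm` relies on protojson accepting a numeric value for an enum field, which it does, but a one-line comment saying so would save the next reader a check. The same two expressions are mirrored in the generated query.sql.go hunk that follows.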
@@ -3449,9 +3449,9 @@ INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id // DISTINCT JSONB_BUILD_OBJECT( // 'kas_uri', kas.uri, // 'public_key', JSONB_BUILD_OBJECT( -// 'algorithm', kask.key_algorithm::TEXT, +// 'algorithm', kask.key_algorithm::INTEGER, // 'kid', kask.key_id, -// 'pem', kask.public_key_ctx ->> 'pem' +// 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') // ) // ) AS base_keys // FROM base_keys bk diff --git a/service/policy/kasregistry/key_access_server_registry.proto b/service/policy/kasregistry/key_access_server_registry.proto index 6c5495ab65..23b39677d9 100644 --- a/service/policy/kasregistry/key_access_server_registry.proto +++ b/service/policy/kasregistry/key_access_server_registry.proto @@ -605,7 +605,7 @@ message SetBaseKeyRequest { } message SimpleKasPublicKey { - string algorithm = 1; + Algorithm algorithm = 1; string kid = 2; string pem = 3; } From 5cd07e7d1727d335ad3463d5341067cd2f1083fb Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Wed, 4 Jun 2025 12:20:57 -0500 Subject: [PATCH 02/10] refactor. --- .../policy/db/key_access_server_registry.go | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go index 5b1d320dda..91fe22e360 100644 --- a/service/policy/db/key_access_server_registry.go +++ b/service/policy/db/key_access_server_registry.go @@ -772,11 +772,6 @@ func (c PolicyDBClient) SetBaseKeyOnWellKnownConfig(ctx context.Context) error { return err } - algorithm, err := db.FormatAlg(baseKey.GetPublicKey().GetAlgorithm()) - if err != nil { - return fmt.Errorf("failed to format algorithm: %w", err) - } - keyMapBytes, err := json.Marshal(baseKey) if err != nil { return err 
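Review bot: Changing `algorithm` from `string` to `Algorithm` while keeping field number 1 changes that field's wire type (length-delimited to varint), so a client built against the earlier definition cannot parse a SimpleKasPublicKey produced by the new server and vice versa. If the string form has already shipped in a released protocol package, the compatible path is a new field number with the old one marked `reserved 1;`; if the message is still pre-release this is fine as-is, which I cannot tell from the diff. Either way SimpleKasPublicKey's fields are undocumented; a short comment such as `// Algorithm of the public key; see policy.Algorithm` on the changed line would help.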
@@ -786,7 +781,19 @@ func (c PolicyDBClient) SetBaseKeyOnWellKnownConfig(ctx context.Context) error { if err := json.Unmarshal(keyMapBytes, &keyMap); err != nil { return err } - keyMap["algorithm"] = algorithm + + if baseKey != nil { + algorithm, err := db.FormatAlg(baseKey.GetPublicKey().GetAlgorithm()) + if err != nil { + return fmt.Errorf("failed to format algorithm: %w", err) + } + publicKey, ok := keyMap["public_key"].(map[string]any) + if !ok { + return fmt.Errorf("failed to cast public_key") + } + publicKey["algorithm"] = algorithm + keyMap["public_key"] = publicKey + } wellknownconfiguration.UpdateConfigurationBaseKey(keyMap) return nil From aacf38bd89a3685e8cfa420d994f58b4c27d6e2d Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Wed, 4 Jun 2025 12:33:14 -0500 Subject: [PATCH 03/10] refactor. --- service/policy/db/key_access_server_registry.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go index 91fe22e360..de94d12aab 100644 --- a/service/policy/db/key_access_server_registry.go +++ b/service/policy/db/key_access_server_registry.go @@ -789,7 +789,7 @@ func (c PolicyDBClient) SetBaseKeyOnWellKnownConfig(ctx context.Context) error { } publicKey, ok := keyMap["public_key"].(map[string]any) if !ok { - return fmt.Errorf("failed to cast public_key") + return errors.New("failed to cast public_key") } publicKey["algorithm"] = algorithm keyMap["public_key"] = publicKey From ebbd00ad0cc70d6e0123396889c91d63e77d9333 Mon Sep 17 00:00:00 2001 
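Review bot: `keyMap["public_key"] = publicKey` is redundant: `publicKey` is the same map value already stored under that key, so the mutation on the previous line is visible without the reassignment. Separately, when `baseKey` is non-nil but its public key is nil, the marshalled map has no usable `public_key` entry, the type assertion fails, and the function returns `failed to cast public_key`, leaving the previously advertised base key in the well-known configuration unchanged; if that stale-rather-than-broken outcome is intended, a comment such as `// a base key without a public key is not publishable; leave the advertised base key unchanged` would make it explicit. The error strings also carry a `failed to` prefix that the wrapped chain already implies. The enclosing function begins before the hunk.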
From: Chris Reed Date: Wed, 4 Jun 2025 15:42:04 -0500 Subject: [PATCH 04/10] feat(policy): Return simple kas keys from attributes. --- docs/grpc/index.html | 175 +- .../policy/actions/actions.swagger.json | 164 +- .../policy/attributes/attributes.swagger.json | 164 +- .../key_access_server_registry.swagger.json | 66 +- .../policy/namespaces/namespaces.swagger.json | 148 +- .../registered_resources.swagger.json | 164 +- .../resource_mapping.swagger.json | 164 +- .../subject_mapping.swagger.json | 164 +- .../openapi/policy/unsafe/unsafe.swagger.json | 164 +- .../key_access_server_registry.pb.go | 687 +++----- protocol/go/policy/objects.pb.go | 1528 +++++++++-------- service/integration/attribute_fqns_test.go | 130 +- service/integration/attribute_values_test.go | 21 +- service/integration/attributes_test.go | 21 +- service/integration/kas_registry_key_test.go | 41 +- service/integration/kas_registry_test.go | 25 +- service/integration/namespaces_test.go | 14 +- service/pkg/db/marshalHelpers.go | 26 +- service/policy/db/attribute_values.go | 4 +- service/policy/db/attributes.go | 9 +- service/policy/db/grant_mappings.go | 45 +- service/policy/db/grant_mappings_test.go | 111 +- .../policy/db/key_access_server_registry.go | 10 +- service/policy/db/namespaces.go | 4 +- service/policy/db/query.sql | 113 +- service/policy/db/query.sql.go | 226 +-- .../key_access_server_registry.proto | 11 - service/policy/objects.proto | 20 +- 28 files changed, 1878 insertions(+), 2541 deletions(-) diff --git a/docs/grpc/index.html b/docs/grpc/index.html index 76cce97a47..5ae43f0328 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -293,6 +293,14 @@

Table of Contents

MResourceMappingGroup +
  • + MSimpleKasKey +
  • + +
  • + MSimpleKasPublicKey +
  • +
  • MSubjectConditionSet
  • @@ -1187,14 +1195,6 @@

    Table of Contents

    MSetBaseKeyResponse -
  • - MSimpleKasKey -
  • - -
  • - MSimpleKasPublicKey -
  • -
  • MUpdateKeyAccessServerRequest
  • @@ -2264,7 +2264,7 @@

    Attribute

    kas_keys - KasKey + SimpleKasKey repeated

    Keys associated with the attribute

    @@ -2556,7 +2556,7 @@

    KeyAccessServer

    kas_keys - KasKey + SimpleKasKey repeated

    Kas keys associated with this KAS

    @@ -2683,7 +2683,7 @@

    Namespace

    kas_keys - KasKey + SimpleKasKey repeated

    Keys for the namespace

    @@ -3027,6 +3027,82 @@

    ResourceMappingGroup

    +

    SimpleKasKey

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    kas_uristring

    The URL of the Key Access Server

    public_keySimpleKasPublicKey

    The public key of the Key that belongs to the KAS

    kas_idstring

    The ID of the Key Access Server

    + + + + + +

    SimpleKasPublicKey

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    algorithmAlgorithm

    kidstring

    pemstring

    + + + + +

    SubjectConditionSet

    A container for multiple Subject Sets, each containing Condition Groups, each

    containing Conditions. Multiple Subject Sets in a SubjectConditionSet are

    evaluated with AND logic. As each Subject Mapping has only one Attribute

    Value, the SubjectConditionSet is reusable across multiple Subject Mappings /

    Attribute Values and is an independent unit.

    @@ -3300,7 +3376,7 @@

    Value

    kas_keys - KasKey + SimpleKasKey repeated

    @@ -9117,7 +9193,7 @@

    GetBaseKeyResponse

    base_key - SimpleKasKey + policy.SimpleKasKey

    The current base key

    @@ -10194,14 +10270,14 @@

    SetBaseKeyResponse

    new_base_key - SimpleKasKey + policy.SimpleKasKey

    The key that was set as base

    previous_base_key - SimpleKasKey + policy.SimpleKasKey

    The previous base key, if any

    @@ -10213,75 +10289,6 @@

    SetBaseKeyResponse

    -

    SimpleKasKey

    -

    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeLabelDescription
    kas_uristring

    The URL of the Key Access Server

    public_keySimpleKasPublicKey

    The public key of the Key that belongs to the KAS

    - - - - - -

    SimpleKasPublicKey

    -

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeLabelDescription
    algorithmpolicy.Algorithm

    kidstring

    pemstring

    - - - - -

    UpdateKeyAccessServerRequest

    diff --git a/docs/openapi/policy/actions/actions.swagger.json b/docs/openapi/policy/actions/actions.swagger.json index 037f64ba58..45ed7bfb58 100644 --- a/docs/openapi/policy/actions/actions.swagger.json +++ b/docs/openapi/policy/actions/actions.swagger.json @@ -171,51 +171,6 @@ "default": "ALGORITHM_UNSPECIFIED", "description": "Supported key algorithms." }, - "policyAsymmetricKey": { - "type": "object", - "properties": { - "id": { - "type": "string", - "title": "Required" - }, - "keyId": { - "type": "string", - "title": "Required" - }, - "keyAlgorithm": { - "$ref": "#/definitions/policyAlgorithm", - "title": "Required" - }, - "keyStatus": { - "$ref": "#/definitions/policyKeyStatus", - "title": "Required" - }, - "keyMode": { - "$ref": "#/definitions/policyKeyMode", - "description": "Specifies how the key is managed (local or remote)", - "title": "Required" - }, - "publicKeyCtx": { - "$ref": "#/definitions/policyPublicKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Required" - }, - "privateKeyCtx": { - "$ref": "#/definitions/policyPrivateKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Optional" - }, - "providerConfig": { - "$ref": "#/definitions/policyKeyProviderConfig", - "description": "Configuration for the key provider", - "title": "Optional" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata fields" - } - } - }, "policyAttribute": { "type": "object", "properties": { @@ -260,7 +215,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys associated with the attribute" }, 
@@ -327,20 +282,6 @@ }, "title": "A collection of Conditions evaluated by the boolean_operator provided" }, - "policyKasKey": { - "type": "object", - "properties": { - "kasId": { - "type": "string" - }, - "key": { - "$ref": "#/definitions/policyAsymmetricKey" - }, - "kasUri": { - "type": "string" - } - } - }, "policyKasPublicKey": { "type": "object", "properties": { @@ -406,7 +347,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Kas keys associated with this KAS" }, 
@@ -421,47 +362,6 @@ }, "title": "Key Access Server Registry" }, - "policyKeyMode": { - "type": "string", - "enum": [ - "KEY_MODE_UNSPECIFIED", - "KEY_MODE_CONFIG_ROOT_KEY", - "KEY_MODE_PROVIDER_ROOT_KEY", - "KEY_MODE_REMOTE", - "KEY_MODE_PUBLIC_KEY_ONLY" - ], - "default": "KEY_MODE_UNSPECIFIED", - "description": "Describes the management and operational mode of a cryptographic key.\n\n - KEY_MODE_UNSPECIFIED: KEY_MODE_UNSPECIFIED: Default, unspecified key mode. Indicates an uninitialized or error state.\n - KEY_MODE_CONFIG_ROOT_KEY: KEY_MODE_CONFIG_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nsourced from local configuration. Unwrapping and all cryptographic operations are performed locally.\n - KEY_MODE_PROVIDER_ROOT_KEY: KEY_MODE_PROVIDER_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nmanaged by an external provider (e.g., a Hardware Security Module or Cloud KMS).\nKey unwrapping is delegated to the external provider; subsequent cryptographic operations\nare performed locally using the unwrapped key.\n - KEY_MODE_REMOTE: KEY_MODE_REMOTE: Remote key management where the private key is stored in, and all cryptographic\noperations are performed by, a remote Key Management Service (KMS) or HSM.\nThe private key material never leaves the secure boundary of the remote system.\n - KEY_MODE_PUBLIC_KEY_ONLY: KEY_MODE_PUBLIC_KEY_ONLY: Public key only mode. Used when only a public key is available or required,\ntypically for wrapping operations (e.g., encrypting a Data Encryption Key (DEK) for an external KAS).\nThe corresponding private key is not managed or accessible by this system." 
- }, - "policyKeyProviderConfig": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "configJson": { - "type": "string", - "format": "byte" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata" - } - } - }, - "policyKeyStatus": { - "type": "string", - "enum": [ - "KEY_STATUS_UNSPECIFIED", - "KEY_STATUS_ACTIVE", - "KEY_STATUS_ROTATED" - ], - "default": "KEY_STATUS_UNSPECIFIED", - "title": "The status of the key" - }, "policyNamespace": { "type": "object", "properties": { @@ -495,7 +395,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys for the namespace" } @@ -536,21 +436,6 @@ } } }, - "policyPrivateKeyCtx": { - "type": "object", - "properties": { - "keyId": { - "type": "string", - "description": "Key ID for the symmetric key wrapping this key.", - "title": "Required" - }, - "wrappedKey": { - "type": "string", - "description": "Base64 encoded wrapped key. Conditionally required if key_mode is LOCAL. Should not be present if key_mode is REMOTE.", - "title": "Optional" - } - } - }, "policyPublicKey": { "type": "object", "properties": { @@ -565,16 +450,6 @@ }, "title": "Deprecated" }, - "policyPublicKeyCtx": { - "type": "object", - "properties": { - "pem": { - "type": "string", - "description": "Base64 encoded public key in PEM format", - "title": "Required" - } - } - }, "policyResourceMapping": { "type": "object", "properties": { 
@@ -620,6 +495,37 @@ }, "description": "Resource Mapping Groups are namespaced collections of Resource Mappings\nassociated under a common group name." }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, "policySourceType": { "type": "string", "enum": [ @@ -742,7 +648,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" } }, "resourceMappings": { diff --git a/docs/openapi/policy/attributes/attributes.swagger.json b/docs/openapi/policy/attributes/attributes.swagger.json index f20affd8f4..3566c3d8e5 100644 --- a/docs/openapi/policy/attributes/attributes.swagger.json +++ b/docs/openapi/policy/attributes/attributes.swagger.json 
@@ -1028,51 +1028,6 @@ "default": "ALGORITHM_UNSPECIFIED", "description": "Supported key algorithms." }, - "policyAsymmetricKey": { - "type": "object", - "properties": { - "id": { - "type": "string", - "title": "Required" - }, - "keyId": { - "type": "string", - "title": "Required" - }, - "keyAlgorithm": { - "$ref": "#/definitions/policyAlgorithm", - "title": "Required" - }, - "keyStatus": { - "$ref": "#/definitions/policyKeyStatus", - "title": "Required" - }, - "keyMode": { - "$ref": "#/definitions/policyKeyMode", - "description": "Specifies how the key is managed (local or remote)", - "title": "Required" - }, - "publicKeyCtx": { - "$ref": "#/definitions/policyPublicKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Required" - }, - "privateKeyCtx": { - "$ref": "#/definitions/policyPrivateKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Optional" - }, - "providerConfig": { - "$ref": "#/definitions/policyKeyProviderConfig", - "description": "Configuration for the key provider", - "title": "Optional" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata fields" - } - } - }, "policyAttribute": { "type": "object", "properties": { @@ -1117,7 +1072,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys associated with the attribute" }, @@ -1212,20 +1167,6 @@ }, "title": "A collection of Conditions evaluated by the boolean_operator provided" }, - "policyKasKey": { - "type": "object", - "properties": { - "kasId": { - "type": "string" - }, - "key": { - "$ref": "#/definitions/policyAsymmetricKey" - }, - "kasUri": { - "type": "string" - } - } - }, "policyKasPublicKey": { "type": "object", "properties": { 
@@ -1291,7 +1232,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Kas keys associated with this KAS" }, 
@@ -1306,47 +1247,6 @@ }, "title": "Key Access Server Registry" }, - "policyKeyMode": { - "type": "string", - "enum": [ - "KEY_MODE_UNSPECIFIED", - "KEY_MODE_CONFIG_ROOT_KEY", - "KEY_MODE_PROVIDER_ROOT_KEY", - "KEY_MODE_REMOTE", - "KEY_MODE_PUBLIC_KEY_ONLY" - ], - "default": "KEY_MODE_UNSPECIFIED", - "description": "Describes the management and operational mode of a cryptographic key.\n\n - KEY_MODE_UNSPECIFIED: KEY_MODE_UNSPECIFIED: Default, unspecified key mode. Indicates an uninitialized or error state.\n - KEY_MODE_CONFIG_ROOT_KEY: KEY_MODE_CONFIG_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nsourced from local configuration. Unwrapping and all cryptographic operations are performed locally.\n - KEY_MODE_PROVIDER_ROOT_KEY: KEY_MODE_PROVIDER_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nmanaged by an external provider (e.g., a Hardware Security Module or Cloud KMS).\nKey unwrapping is delegated to the external provider; subsequent cryptographic operations\nare performed locally using the unwrapped key.\n - KEY_MODE_REMOTE: KEY_MODE_REMOTE: Remote key management where the private key is stored in, and all cryptographic\noperations are performed by, a remote Key Management Service (KMS) or HSM.\nThe private key material never leaves the secure boundary of the remote system.\n - KEY_MODE_PUBLIC_KEY_ONLY: KEY_MODE_PUBLIC_KEY_ONLY: Public key only mode. Used when only a public key is available or required,\ntypically for wrapping operations (e.g., encrypting a Data Encryption Key (DEK) for an external KAS).\nThe corresponding private key is not managed or accessible by this system." 
- }, - "policyKeyProviderConfig": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "configJson": { - "type": "string", - "format": "byte" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata" - } - } - }, - "policyKeyStatus": { - "type": "string", - "enum": [ - "KEY_STATUS_UNSPECIFIED", - "KEY_STATUS_ACTIVE", - "KEY_STATUS_ROTATED" - ], - "default": "KEY_STATUS_UNSPECIFIED", - "title": "The status of the key" - }, "policyNamespace": { "type": "object", "properties": { @@ -1380,7 +1280,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys for the namespace" } @@ -1421,21 +1321,6 @@ } } }, - "policyPrivateKeyCtx": { - "type": "object", - "properties": { - "keyId": { - "type": "string", - "description": "Key ID for the symmetric key wrapping this key.", - "title": "Required" - }, - "wrappedKey": { - "type": "string", - "description": "Base64 encoded wrapped key. Conditionally required if key_mode is LOCAL. Should not be present if key_mode is REMOTE.", - "title": "Optional" - } - } - }, "policyPublicKey": { "type": "object", "properties": { @@ -1450,16 +1335,6 @@ }, "title": "Deprecated" }, - "policyPublicKeyCtx": { - "type": "object", - "properties": { - "pem": { - "type": "string", - "description": "Base64 encoded public key in PEM format", - "title": "Required" - } - } - }, "policyResourceMapping": { "type": "object", "properties": { 
@@ -1505,6 +1380,37 @@ }, "description": "Resource Mapping Groups are namespaced collections of Resource Mappings\nassociated under a common group name." }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, "policySourceType": { "type": "string", "enum": [ @@ -1627,7 +1533,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" } }, "resourceMappings": { diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json index 371e2cbf26..e45294f7d1 100644 --- a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json +++ b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json @@ -437,7 +437,7 @@ "type": "object", "properties": { "baseKey": { - "$ref": "#/definitions/kasregistrySimpleKasKey", + "$ref": "#/definitions/policySimpleKasKey", "title": "The current base key" } } 
@@ -619,42 +619,15 @@ "type": "object", "properties": { "newBaseKey": { - "$ref": "#/definitions/kasregistrySimpleKasKey", + "$ref": "#/definitions/policySimpleKasKey", "title": "The key that was set as base" }, "previousBaseKey": { - "$ref": "#/definitions/kasregistrySimpleKasKey", + "$ref": "#/definitions/policySimpleKasKey", "title": "The previous base key, if any" } } }, - "kasregistrySimpleKasKey": { - "type": "object", - "properties": { - "kasUri": { - "type": "string", - "title": "The URL of the Key Access Server" - }, - "publicKey": { - "$ref": "#/definitions/kasregistrySimpleKasPublicKey", - "title": "The public key of the Key that belongs to the KAS" - } - } - }, - "kasregistrySimpleKasPublicKey": { - "type": "object", - "properties": { - "algorithm": { - "$ref": "#/definitions/policyAlgorithm" - }, - "kid": { - "type": "string" - }, - "pem": { - "type": "string" - } - } - }, "kasregistryUpdateKeyAccessServerResponse": { "type": "object", "properties": { @@ -810,7 +783,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Kas keys associated with this KAS" }, @@ -940,6 +913,37 @@ } } }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, "policySourceType": { "type": "string", "enum": [ 
diff --git a/docs/openapi/policy/namespaces/namespaces.swagger.json b/docs/openapi/policy/namespaces/namespaces.swagger.json index 7000a5ad45..f3e8dcced2 100644 --- a/docs/openapi/policy/namespaces/namespaces.swagger.json +++ b/docs/openapi/policy/namespaces/namespaces.swagger.json @@ -472,65 +472,6 @@ "default": "ALGORITHM_UNSPECIFIED", "description": "Supported key algorithms." }, - "policyAsymmetricKey": { - "type": "object", - "properties": { - "id": { - "type": "string", - "title": "Required" - }, - "keyId": { - "type": "string", - "title": "Required" - }, - "keyAlgorithm": { - "$ref": "#/definitions/policyAlgorithm", - "title": "Required" - }, - "keyStatus": { - "$ref": "#/definitions/policyKeyStatus", - "title": "Required" - }, - "keyMode": { - "$ref": "#/definitions/policyKeyMode", - "description": "Specifies how the key is managed (local or remote)", - "title": "Required" - }, - "publicKeyCtx": { - "$ref": "#/definitions/policyPublicKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Required" - }, - "privateKeyCtx": { - "$ref": "#/definitions/policyPrivateKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Optional" - }, - "providerConfig": { - "$ref": "#/definitions/policyKeyProviderConfig", - "description": "Configuration for the key provider", - "title": "Optional" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata fields" - } - } - }, - "policyKasKey": { - "type": "object", - "properties": { - "kasId": { - "type": "string" - }, - "key": { - "$ref": "#/definitions/policyAsymmetricKey" - }, - "kasUri": { - "type": "string" - } - } - }, "policyKasPublicKey": { "type": "object", "properties": { @@ -596,7 +537,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Kas keys associated with this KAS" }, 
@@ -611,47 +552,6 @@ }, "title": "Key Access Server Registry" }, - "policyKeyMode": { - "type": "string", - "enum": [ - "KEY_MODE_UNSPECIFIED", - "KEY_MODE_CONFIG_ROOT_KEY", - "KEY_MODE_PROVIDER_ROOT_KEY", - "KEY_MODE_REMOTE", - "KEY_MODE_PUBLIC_KEY_ONLY" - ], - "default": "KEY_MODE_UNSPECIFIED", - "description": "Describes the management and operational mode of a cryptographic key.\n\n - KEY_MODE_UNSPECIFIED: KEY_MODE_UNSPECIFIED: Default, unspecified key mode. Indicates an uninitialized or error state.\n - KEY_MODE_CONFIG_ROOT_KEY: KEY_MODE_CONFIG_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nsourced from local configuration. Unwrapping and all cryptographic operations are performed locally.\n - KEY_MODE_PROVIDER_ROOT_KEY: KEY_MODE_PROVIDER_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nmanaged by an external provider (e.g., a Hardware Security Module or Cloud KMS).\nKey unwrapping is delegated to the external provider; subsequent cryptographic operations\nare performed locally using the unwrapped key.\n - KEY_MODE_REMOTE: KEY_MODE_REMOTE: Remote key management where the private key is stored in, and all cryptographic\noperations are performed by, a remote Key Management Service (KMS) or HSM.\nThe private key material never leaves the secure boundary of the remote system.\n - KEY_MODE_PUBLIC_KEY_ONLY: KEY_MODE_PUBLIC_KEY_ONLY: Public key only mode. Used when only a public key is available or required,\ntypically for wrapping operations (e.g., encrypting a Data Encryption Key (DEK) for an external KAS).\nThe corresponding private key is not managed or accessible by this system." 
- }, - "policyKeyProviderConfig": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "configJson": { - "type": "string", - "format": "byte" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata" - } - } - }, - "policyKeyStatus": { - "type": "string", - "enum": [ - "KEY_STATUS_UNSPECIFIED", - "KEY_STATUS_ACTIVE", - "KEY_STATUS_ROTATED" - ], - "default": "KEY_STATUS_UNSPECIFIED", - "title": "The status of the key" - }, "policyNamespace": { "type": "object", "properties": { @@ -685,7 +585,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys for the namespace" } @@ -726,21 +626,6 @@ } } }, - "policyPrivateKeyCtx": { - "type": "object", - "properties": { - "keyId": { - "type": "string", - "description": "Key ID for the symmetric key wrapping this key.", - "title": "Required" - }, - "wrappedKey": { - "type": "string", - "description": "Base64 encoded wrapped key. Conditionally required if key_mode is LOCAL. Should not be present if key_mode is REMOTE.", - "title": "Optional" - } - } - }, "policyPublicKey": { "type": "object", "properties": { @@ -755,13 +640,34 @@ }, "title": "Deprecated" }, - "policyPublicKeyCtx": { + "policySimpleKasKey": { "type": "object", "properties": { - "pem": { + "kasUri": { "type": "string", - "description": "Base64 encoded public key in PEM format", - "title": "Required" + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" } } }, 
diff --git a/docs/openapi/policy/registeredresources/registered_resources.swagger.json b/docs/openapi/policy/registeredresources/registered_resources.swagger.json index c6075478bf..70307e2be1 100644 --- a/docs/openapi/policy/registeredresources/registered_resources.swagger.json +++ b/docs/openapi/policy/registeredresources/registered_resources.swagger.json @@ -109,51 +109,6 @@ "default": "ALGORITHM_UNSPECIFIED", "description": "Supported key algorithms." }, - "policyAsymmetricKey": { - "type": "object", - "properties": { - "id": { - "type": "string", - "title": "Required" - }, - "keyId": { - "type": "string", - "title": "Required" - }, - "keyAlgorithm": { - "$ref": "#/definitions/policyAlgorithm", - "title": "Required" - }, - "keyStatus": { - "$ref": "#/definitions/policyKeyStatus", - "title": "Required" - }, - "keyMode": { - "$ref": "#/definitions/policyKeyMode", - "description": "Specifies how the key is managed (local or remote)", - "title": "Required" - }, - "publicKeyCtx": { - "$ref": "#/definitions/policyPublicKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Required" - }, - "privateKeyCtx": { - "$ref": "#/definitions/policyPrivateKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Optional" - }, - "providerConfig": { - "$ref": "#/definitions/policyKeyProviderConfig", - "description": "Configuration for the key provider", - "title": "Optional" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata fields" - } - } - }, "policyAttribute": { "type": "object", "properties": { @@ -198,7 +153,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys associated with the attribute" }, 
@@ -265,20 +220,6 @@ }, "title": "A collection of Conditions evaluated by the boolean_operator provided" }, - "policyKasKey": { - "type": "object", - "properties": { - "kasId": { - "type": "string" - }, - "key": { - "$ref": "#/definitions/policyAsymmetricKey" - }, - "kasUri": { - "type": "string" - } - } - }, "policyKasPublicKey": { "type": "object", "properties": { @@ -344,7 +285,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Kas keys associated with this KAS" }, 
@@ -359,47 +300,6 @@ }, "title": "Key Access Server Registry" }, - "policyKeyMode": { - "type": "string", - "enum": [ - "KEY_MODE_UNSPECIFIED", - "KEY_MODE_CONFIG_ROOT_KEY", - "KEY_MODE_PROVIDER_ROOT_KEY", - "KEY_MODE_REMOTE", - "KEY_MODE_PUBLIC_KEY_ONLY" - ], - "default": "KEY_MODE_UNSPECIFIED", - "description": "Describes the management and operational mode of a cryptographic key.\n\n - KEY_MODE_UNSPECIFIED: KEY_MODE_UNSPECIFIED: Default, unspecified key mode. Indicates an uninitialized or error state.\n - KEY_MODE_CONFIG_ROOT_KEY: KEY_MODE_CONFIG_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nsourced from local configuration. Unwrapping and all cryptographic operations are performed locally.\n - KEY_MODE_PROVIDER_ROOT_KEY: KEY_MODE_PROVIDER_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nmanaged by an external provider (e.g., a Hardware Security Module or Cloud KMS).\nKey unwrapping is delegated to the external provider; subsequent cryptographic operations\nare performed locally using the unwrapped key.\n - KEY_MODE_REMOTE: KEY_MODE_REMOTE: Remote key management where the private key is stored in, and all cryptographic\noperations are performed by, a remote Key Management Service (KMS) or HSM.\nThe private key material never leaves the secure boundary of the remote system.\n - KEY_MODE_PUBLIC_KEY_ONLY: KEY_MODE_PUBLIC_KEY_ONLY: Public key only mode. Used when only a public key is available or required,\ntypically for wrapping operations (e.g., encrypting a Data Encryption Key (DEK) for an external KAS).\nThe corresponding private key is not managed or accessible by this system." 
- }, - "policyKeyProviderConfig": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "configJson": { - "type": "string", - "format": "byte" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata" - } - } - }, - "policyKeyStatus": { - "type": "string", - "enum": [ - "KEY_STATUS_UNSPECIFIED", - "KEY_STATUS_ACTIVE", - "KEY_STATUS_ROTATED" - ], - "default": "KEY_STATUS_UNSPECIFIED", - "title": "The status of the key" - }, "policyNamespace": { "type": "object", "properties": { @@ -433,7 +333,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys for the namespace" } @@ -474,21 +374,6 @@ } } }, - "policyPrivateKeyCtx": { - "type": "object", - "properties": { - "keyId": { - "type": "string", - "description": "Key ID for the symmetric key wrapping this key.", - "title": "Required" - }, - "wrappedKey": { - "type": "string", - "description": "Base64 encoded wrapped key. Conditionally required if key_mode is LOCAL. Should not be present if key_mode is REMOTE.", - "title": "Optional" - } - } - }, "policyPublicKey": { "type": "object", "properties": { @@ -503,16 +388,6 @@ }, "title": "Deprecated" }, - "policyPublicKeyCtx": { - "type": "object", - "properties": { - "pem": { - "type": "string", - "description": "Base64 encoded public key in PEM format", - "title": "Required" - } - } - }, "policyRegisteredResource": { "type": "object", "properties": { 
@@ -623,6 +498,37 @@ }, "description": "Resource Mapping Groups are namespaced collections of Resource Mappings\nassociated under a common group name." }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, "policySourceType": { "type": "string", "enum": [ @@ -745,7 +651,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" } }, "resourceMappings": { diff --git a/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json b/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json index 838e093dbf..537960e5b6 100644 --- a/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json +++ b/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json 
@@ -534,51 +534,6 @@ "default": "ALGORITHM_UNSPECIFIED", "description": "Supported key algorithms." }, - "policyAsymmetricKey": { - "type": "object", - "properties": { - "id": { - "type": "string", - "title": "Required" - }, - "keyId": { - "type": "string", - "title": "Required" - }, - "keyAlgorithm": { - "$ref": "#/definitions/policyAlgorithm", - "title": "Required" - }, - "keyStatus": { - "$ref": "#/definitions/policyKeyStatus", - "title": "Required" - }, - "keyMode": { - "$ref": "#/definitions/policyKeyMode", - "description": "Specifies how the key is managed (local or remote)", - "title": "Required" - }, - "publicKeyCtx": { - "$ref": "#/definitions/policyPublicKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Required" - }, - "privateKeyCtx": { - "$ref": "#/definitions/policyPrivateKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Optional" - }, - "providerConfig": { - "$ref": "#/definitions/policyKeyProviderConfig", - "description": "Configuration for the key provider", - "title": "Optional" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata fields" - } - } - }, "policyAttribute": { "type": "object", "properties": { @@ -623,7 +578,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys associated with the attribute" }, @@ -690,20 +645,6 @@ }, "title": "A collection of Conditions evaluated by the boolean_operator provided" }, - "policyKasKey": { - "type": "object", - "properties": { - "kasId": { - "type": "string" - }, - "key": { - "$ref": "#/definitions/policyAsymmetricKey" - }, - "kasUri": { - "type": "string" - } - } - }, "policyKasPublicKey": { "type": "object", "properties": { 
@@ -769,7 +710,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Kas keys associated with this KAS" }, 
@@ -784,47 +725,6 @@ }, "title": "Key Access Server Registry" }, - "policyKeyMode": { - "type": "string", - "enum": [ - "KEY_MODE_UNSPECIFIED", - "KEY_MODE_CONFIG_ROOT_KEY", - "KEY_MODE_PROVIDER_ROOT_KEY", - "KEY_MODE_REMOTE", - "KEY_MODE_PUBLIC_KEY_ONLY" - ], - "default": "KEY_MODE_UNSPECIFIED", - "description": "Describes the management and operational mode of a cryptographic key.\n\n - KEY_MODE_UNSPECIFIED: KEY_MODE_UNSPECIFIED: Default, unspecified key mode. Indicates an uninitialized or error state.\n - KEY_MODE_CONFIG_ROOT_KEY: KEY_MODE_CONFIG_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nsourced from local configuration. Unwrapping and all cryptographic operations are performed locally.\n - KEY_MODE_PROVIDER_ROOT_KEY: KEY_MODE_PROVIDER_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nmanaged by an external provider (e.g., a Hardware Security Module or Cloud KMS).\nKey unwrapping is delegated to the external provider; subsequent cryptographic operations\nare performed locally using the unwrapped key.\n - KEY_MODE_REMOTE: KEY_MODE_REMOTE: Remote key management where the private key is stored in, and all cryptographic\noperations are performed by, a remote Key Management Service (KMS) or HSM.\nThe private key material never leaves the secure boundary of the remote system.\n - KEY_MODE_PUBLIC_KEY_ONLY: KEY_MODE_PUBLIC_KEY_ONLY: Public key only mode. Used when only a public key is available or required,\ntypically for wrapping operations (e.g., encrypting a Data Encryption Key (DEK) for an external KAS).\nThe corresponding private key is not managed or accessible by this system." 
- }, - "policyKeyProviderConfig": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "configJson": { - "type": "string", - "format": "byte" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata" - } - } - }, - "policyKeyStatus": { - "type": "string", - "enum": [ - "KEY_STATUS_UNSPECIFIED", - "KEY_STATUS_ACTIVE", - "KEY_STATUS_ROTATED" - ], - "default": "KEY_STATUS_UNSPECIFIED", - "title": "The status of the key" - }, "policyNamespace": { "type": "object", "properties": { @@ -858,7 +758,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys for the namespace" } @@ -899,21 +799,6 @@ } } }, - "policyPrivateKeyCtx": { - "type": "object", - "properties": { - "keyId": { - "type": "string", - "description": "Key ID for the symmetric key wrapping this key.", - "title": "Required" - }, - "wrappedKey": { - "type": "string", - "description": "Base64 encoded wrapped key. Conditionally required if key_mode is LOCAL. Should not be present if key_mode is REMOTE.", - "title": "Optional" - } - } - }, "policyPublicKey": { "type": "object", "properties": { @@ -928,16 +813,6 @@ }, "title": "Deprecated" }, - "policyPublicKeyCtx": { - "type": "object", - "properties": { - "pem": { - "type": "string", - "description": "Base64 encoded public key in PEM format", - "title": "Required" - } - } - }, "policyResourceMapping": { "type": "object", "properties": { 
@@ -983,6 +858,37 @@ }, "description": "Resource Mapping Groups are namespaced collections of Resource Mappings\nassociated under a common group name." }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, "policySourceType": { "type": "string", "enum": [ @@ -1105,7 +1011,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" } }, "resourceMappings": { diff --git a/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json b/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json index fd2b6915a7..acb3f6cc7a 100644 --- a/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json +++ b/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json 
@@ -541,51 +541,6 @@ "default": "ALGORITHM_UNSPECIFIED", "description": "Supported key algorithms." }, - "policyAsymmetricKey": { - "type": "object", - "properties": { - "id": { - "type": "string", - "title": "Required" - }, - "keyId": { - "type": "string", - "title": "Required" - }, - "keyAlgorithm": { - "$ref": "#/definitions/policyAlgorithm", - "title": "Required" - }, - "keyStatus": { - "$ref": "#/definitions/policyKeyStatus", - "title": "Required" - }, - "keyMode": { - "$ref": "#/definitions/policyKeyMode", - "description": "Specifies how the key is managed (local or remote)", - "title": "Required" - }, - "publicKeyCtx": { - "$ref": "#/definitions/policyPublicKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Required" - }, - "privateKeyCtx": { - "$ref": "#/definitions/policyPrivateKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Optional" - }, - "providerConfig": { - "$ref": "#/definitions/policyKeyProviderConfig", - "description": "Configuration for the key provider", - "title": "Optional" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata fields" - } - } - }, "policyAttribute": { "type": "object", "properties": { @@ -630,7 +585,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys associated with the attribute" }, @@ -697,20 +652,6 @@ }, "title": "A collection of Conditions evaluated by the boolean_operator provided" }, - "policyKasKey": { - "type": "object", - "properties": { - "kasId": { - "type": "string" - }, - "key": { - "$ref": "#/definitions/policyAsymmetricKey" - }, - "kasUri": { - "type": "string" - } - } - }, "policyKasPublicKey": { "type": "object", "properties": { 
@@ -776,7 +717,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Kas keys associated with this KAS" }, 
@@ -791,47 +732,6 @@ }, "title": "Key Access Server Registry" }, - "policyKeyMode": { - "type": "string", - "enum": [ - "KEY_MODE_UNSPECIFIED", - "KEY_MODE_CONFIG_ROOT_KEY", - "KEY_MODE_PROVIDER_ROOT_KEY", - "KEY_MODE_REMOTE", - "KEY_MODE_PUBLIC_KEY_ONLY" - ], - "default": "KEY_MODE_UNSPECIFIED", - "description": "Describes the management and operational mode of a cryptographic key.\n\n - KEY_MODE_UNSPECIFIED: KEY_MODE_UNSPECIFIED: Default, unspecified key mode. Indicates an uninitialized or error state.\n - KEY_MODE_CONFIG_ROOT_KEY: KEY_MODE_CONFIG_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nsourced from local configuration. Unwrapping and all cryptographic operations are performed locally.\n - KEY_MODE_PROVIDER_ROOT_KEY: KEY_MODE_PROVIDER_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nmanaged by an external provider (e.g., a Hardware Security Module or Cloud KMS).\nKey unwrapping is delegated to the external provider; subsequent cryptographic operations\nare performed locally using the unwrapped key.\n - KEY_MODE_REMOTE: KEY_MODE_REMOTE: Remote key management where the private key is stored in, and all cryptographic\noperations are performed by, a remote Key Management Service (KMS) or HSM.\nThe private key material never leaves the secure boundary of the remote system.\n - KEY_MODE_PUBLIC_KEY_ONLY: KEY_MODE_PUBLIC_KEY_ONLY: Public key only mode. Used when only a public key is available or required,\ntypically for wrapping operations (e.g., encrypting a Data Encryption Key (DEK) for an external KAS).\nThe corresponding private key is not managed or accessible by this system." 
- }, - "policyKeyProviderConfig": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "configJson": { - "type": "string", - "format": "byte" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata" - } - } - }, - "policyKeyStatus": { - "type": "string", - "enum": [ - "KEY_STATUS_UNSPECIFIED", - "KEY_STATUS_ACTIVE", - "KEY_STATUS_ROTATED" - ], - "default": "KEY_STATUS_UNSPECIFIED", - "title": "The status of the key" - }, "policyNamespace": { "type": "object", "properties": { @@ -865,7 +765,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys for the namespace" } @@ -906,21 +806,6 @@ } } }, - "policyPrivateKeyCtx": { - "type": "object", - "properties": { - "keyId": { - "type": "string", - "description": "Key ID for the symmetric key wrapping this key.", - "title": "Required" - }, - "wrappedKey": { - "type": "string", - "description": "Base64 encoded wrapped key. Conditionally required if key_mode is LOCAL. Should not be present if key_mode is REMOTE.", - "title": "Optional" - } - } - }, "policyPublicKey": { "type": "object", "properties": { @@ -935,16 +820,6 @@ }, "title": "Deprecated" }, - "policyPublicKeyCtx": { - "type": "object", - "properties": { - "pem": { - "type": "string", - "description": "Base64 encoded public key in PEM format", - "title": "Required" - } - } - }, "policyResourceMapping": { "type": "object", "properties": { 
@@ -990,6 +865,37 @@ }, "description": "Resource Mapping Groups are namespaced collections of Resource Mappings\nassociated under a common group name." }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, "policySourceType": { "type": "string", "enum": [ @@ -1124,7 +1030,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" } }, "resourceMappings": { diff --git a/docs/openapi/policy/unsafe/unsafe.swagger.json b/docs/openapi/policy/unsafe/unsafe.swagger.json index 95e6e81152..6ddf8251cc 100644 --- a/docs/openapi/policy/unsafe/unsafe.swagger.json +++ b/docs/openapi/policy/unsafe/unsafe.swagger.json 
@@ -431,51 +431,6 @@ "default": "ALGORITHM_UNSPECIFIED", "description": "Supported key algorithms." }, - "policyAsymmetricKey": { - "type": "object", - "properties": { - "id": { - "type": "string", - "title": "Required" - }, - "keyId": { - "type": "string", - "title": "Required" - }, - "keyAlgorithm": { - "$ref": "#/definitions/policyAlgorithm", - "title": "Required" - }, - "keyStatus": { - "$ref": "#/definitions/policyKeyStatus", - "title": "Required" - }, - "keyMode": { - "$ref": "#/definitions/policyKeyMode", - "description": "Specifies how the key is managed (local or remote)", - "title": "Required" - }, - "publicKeyCtx": { - "$ref": "#/definitions/policyPublicKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Required" - }, - "privateKeyCtx": { - "$ref": "#/definitions/policyPrivateKeyCtx", - "description": "Specific structure based on key provider implementation", - "title": "Optional" - }, - "providerConfig": { - "$ref": "#/definitions/policyKeyProviderConfig", - "description": "Configuration for the key provider", - "title": "Optional" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata fields" - } - } - }, "policyAttribute": { "type": "object", "properties": { @@ -520,7 +475,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys associated with the attribute" }, @@ -587,20 +542,6 @@ }, "title": "A collection of Conditions evaluated by the boolean_operator provided" }, - "policyKasKey": { - "type": "object", - "properties": { - "kasId": { - "type": "string" - }, - "key": { - "$ref": "#/definitions/policyAsymmetricKey" - }, - "kasUri": { - "type": "string" - } - } - }, "policyKasPublicKey": { "type": "object", "properties": { 
@@ -691,7 +632,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Kas keys associated with this KAS" }, 
@@ -706,47 +647,6 @@ }, "title": "Key Access Server Registry" }, - "policyKeyMode": { - "type": "string", - "enum": [ - "KEY_MODE_UNSPECIFIED", - "KEY_MODE_CONFIG_ROOT_KEY", - "KEY_MODE_PROVIDER_ROOT_KEY", - "KEY_MODE_REMOTE", - "KEY_MODE_PUBLIC_KEY_ONLY" - ], - "default": "KEY_MODE_UNSPECIFIED", - "description": "Describes the management and operational mode of a cryptographic key.\n\n - KEY_MODE_UNSPECIFIED: KEY_MODE_UNSPECIFIED: Default, unspecified key mode. Indicates an uninitialized or error state.\n - KEY_MODE_CONFIG_ROOT_KEY: KEY_MODE_CONFIG_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nsourced from local configuration. Unwrapping and all cryptographic operations are performed locally.\n - KEY_MODE_PROVIDER_ROOT_KEY: KEY_MODE_PROVIDER_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nmanaged by an external provider (e.g., a Hardware Security Module or Cloud KMS).\nKey unwrapping is delegated to the external provider; subsequent cryptographic operations\nare performed locally using the unwrapped key.\n - KEY_MODE_REMOTE: KEY_MODE_REMOTE: Remote key management where the private key is stored in, and all cryptographic\noperations are performed by, a remote Key Management Service (KMS) or HSM.\nThe private key material never leaves the secure boundary of the remote system.\n - KEY_MODE_PUBLIC_KEY_ONLY: KEY_MODE_PUBLIC_KEY_ONLY: Public key only mode. Used when only a public key is available or required,\ntypically for wrapping operations (e.g., encrypting a Data Encryption Key (DEK) for an external KAS).\nThe corresponding private key is not managed or accessible by this system." 
- }, - "policyKeyProviderConfig": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "configJson": { - "type": "string", - "format": "byte" - }, - "metadata": { - "$ref": "#/definitions/commonMetadata", - "title": "Common metadata" - } - } - }, - "policyKeyStatus": { - "type": "string", - "enum": [ - "KEY_STATUS_UNSPECIFIED", - "KEY_STATUS_ACTIVE", - "KEY_STATUS_ROTATED" - ], - "default": "KEY_STATUS_UNSPECIFIED", - "title": "The status of the key" - }, "policyNamespace": { "type": "object", "properties": { @@ -780,27 +680,12 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" }, "title": "Keys for the namespace" } } }, - "policyPrivateKeyCtx": { - "type": "object", - "properties": { - "keyId": { - "type": "string", - "description": "Key ID for the symmetric key wrapping this key.", - "title": "Required" - }, - "wrappedKey": { - "type": "string", - "description": "Base64 encoded wrapped key. Conditionally required if key_mode is LOCAL. Should not be present if key_mode is REMOTE.", - "title": "Optional" - } - } - }, "policyPublicKey": { "type": "object", "properties": { @@ -815,16 +700,6 @@ }, "title": "Deprecated" }, - "policyPublicKeyCtx": { - "type": "object", - "properties": { - "pem": { - "type": "string", - "description": "Base64 encoded public key in PEM format", - "title": "Required" - } - } - }, "policyResourceMapping": { "type": "object", "properties": { 
@@ -870,6 +745,37 @@ }, "description": "Resource Mapping Groups are namespaced collections of Resource Mappings\nassociated under a common group name." }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, "policySourceType": { "type": "string", "enum": [ @@ -992,7 +898,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/policyKasKey" + "$ref": "#/definitions/policySimpleKasKey" } }, "resourceMappings": { diff --git a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go index 291a6c43e2..38d4182621 100644 --- a/protocol/go/policy/kasregistry/key_access_server_registry.pb.go +++ b/protocol/go/policy/kasregistry/key_access_server_registry.pb.go 
@@ -2846,124 +2846,6 @@ func (*SetBaseKeyRequest_Id) isSetBaseKeyRequest_ActiveKey() {} func (*SetBaseKeyRequest_Key) isSetBaseKeyRequest_ActiveKey() {} -type SimpleKasPublicKey struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Algorithm policy.Algorithm `protobuf:"varint,1,opt,name=algorithm,proto3,enum=policy.Algorithm" json:"algorithm,omitempty"` - Kid string `protobuf:"bytes,2,opt,name=kid,proto3" json:"kid,omitempty"` - Pem string `protobuf:"bytes,3,opt,name=pem,proto3" json:"pem,omitempty"` -} - -func (x *SimpleKasPublicKey) Reset() { - *x = SimpleKasPublicKey{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SimpleKasPublicKey) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SimpleKasPublicKey) ProtoMessage() {} - -func (x *SimpleKasPublicKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SimpleKasPublicKey.ProtoReflect.Descriptor instead. 
-func (*SimpleKasPublicKey) Descriptor() ([]byte, []int) { - return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{42} -} - -func (x *SimpleKasPublicKey) GetAlgorithm() policy.Algorithm { - if x != nil { - return x.Algorithm - } - return policy.Algorithm(0) -} - -func (x *SimpleKasPublicKey) GetKid() string { - if x != nil { - return x.Kid - } - return "" -} - -func (x *SimpleKasPublicKey) GetPem() string { - if x != nil { - return x.Pem - } - return "" -} - -type SimpleKasKey struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - KasUri string `protobuf:"bytes,1,opt,name=kas_uri,json=kasUri,proto3" json:"kas_uri,omitempty"` // The URL of the Key Access Server - PublicKey *SimpleKasPublicKey `protobuf:"bytes,2,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` // The public key of the Key that belongs to the KAS -} - -func (x *SimpleKasKey) Reset() { - *x = SimpleKasKey{} - if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SimpleKasKey) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SimpleKasKey) ProtoMessage() {} - -func (x *SimpleKasKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SimpleKasKey.ProtoReflect.Descriptor instead. 
-func (*SimpleKasKey) Descriptor() ([]byte, []int) { - return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{43} -} - -func (x *SimpleKasKey) GetKasUri() string { - if x != nil { - return x.KasUri - } - return "" -} - -func (x *SimpleKasKey) GetPublicKey() *SimpleKasPublicKey { - if x != nil { - return x.PublicKey - } - return nil -} - type GetBaseKeyRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -2973,7 +2855,7 @@ type GetBaseKeyRequest struct { func (x *GetBaseKeyRequest) Reset() { *x = GetBaseKeyRequest{} if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2986,7 +2868,7 @@ func (x *GetBaseKeyRequest) String() string { func (*GetBaseKeyRequest) ProtoMessage() {} func (x *GetBaseKeyRequest) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2999,7 +2881,7 @@ func (x *GetBaseKeyRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use GetBaseKeyRequest.ProtoReflect.Descriptor instead. func (*GetBaseKeyRequest) Descriptor() ([]byte, []int) { - return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{44} + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{42} } type GetBaseKeyResponse struct { 
@@ -3007,13 +2889,13 @@ type GetBaseKeyResponse struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - BaseKey *SimpleKasKey `protobuf:"bytes,1,opt,name=base_key,json=baseKey,proto3" json:"base_key,omitempty"` // The current base key + BaseKey *policy.SimpleKasKey `protobuf:"bytes,1,opt,name=base_key,json=baseKey,proto3" json:"base_key,omitempty"` // The current base key } func (x *GetBaseKeyResponse) Reset() { *x = GetBaseKeyResponse{} if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -3026,7 +2908,7 @@ func (x *GetBaseKeyResponse) String() string { func (*GetBaseKeyResponse) ProtoMessage() {} func (x *GetBaseKeyResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -3039,10 +2921,10 @@ func (x *GetBaseKeyResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use GetBaseKeyResponse.ProtoReflect.Descriptor instead. func (*GetBaseKeyResponse) Descriptor() ([]byte, []int) { - return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{45} + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{43} } -func (x *GetBaseKeyResponse) GetBaseKey() *SimpleKasKey { +func (x *GetBaseKeyResponse) GetBaseKey() *policy.SimpleKasKey { if x != nil { return x.BaseKey } 
@@ -3054,14 +2936,14 @@ type SetBaseKeyResponse struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - NewBaseKey *SimpleKasKey `protobuf:"bytes,1,opt,name=new_base_key,json=newBaseKey,proto3" json:"new_base_key,omitempty"` // The key that was set as base - PreviousBaseKey *SimpleKasKey `protobuf:"bytes,2,opt,name=previous_base_key,json=previousBaseKey,proto3" json:"previous_base_key,omitempty"` // The previous base key, if any + NewBaseKey *policy.SimpleKasKey `protobuf:"bytes,1,opt,name=new_base_key,json=newBaseKey,proto3" json:"new_base_key,omitempty"` // The key that was set as base + PreviousBaseKey *policy.SimpleKasKey `protobuf:"bytes,2,opt,name=previous_base_key,json=previousBaseKey,proto3" json:"previous_base_key,omitempty"` // The previous base key, if any } func (x *SetBaseKeyResponse) Reset() { *x = SetBaseKeyResponse{} if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -3074,7 +2956,7 @@ func (x *SetBaseKeyResponse) String() string { func (*SetBaseKeyResponse) ProtoMessage() {} func (x *SetBaseKeyResponse) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -3087,17 +2969,17 @@ func (x *SetBaseKeyResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use SetBaseKeyResponse.ProtoReflect.Descriptor instead. func (*SetBaseKeyResponse) Descriptor() ([]byte, []int) { - return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{46} + return file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP(), []int{44} } -func (x *SetBaseKeyResponse) GetNewBaseKey() *SimpleKasKey { +func (x *SetBaseKeyResponse) GetNewBaseKey() *policy.SimpleKasKey { if x != nil { return x.NewBaseKey } return nil } -func (x *SetBaseKeyResponse) GetPreviousBaseKey() *SimpleKasKey { +func (x *SetBaseKeyResponse) GetPreviousBaseKey() *policy.SimpleKasKey { if x != nil { return x.PreviousBaseKey } @@ -3118,7 +3000,7 @@ type ListPublicKeyMappingResponse_PublicKeyMapping struct { func (x *ListPublicKeyMappingResponse_PublicKeyMapping) Reset() { *x = ListPublicKeyMappingResponse_PublicKeyMapping{} if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -3131,7 +3013,7 @@ func (x *ListPublicKeyMappingResponse_PublicKeyMapping) String() string { func (*ListPublicKeyMappingResponse_PublicKeyMapping) ProtoMessage() {} func (x *ListPublicKeyMappingResponse_PublicKeyMapping) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -3189,7 +3071,7 @@ type ListPublicKeyMappingResponse_PublicKey struct { func (x *ListPublicKeyMappingResponse_PublicKey) Reset() { *x = ListPublicKeyMappingResponse_PublicKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -3202,7 +3084,7 @@ func (x *ListPublicKeyMappingResponse_PublicKey) String() string { func (*ListPublicKeyMappingResponse_PublicKey) ProtoMessage() {} func (x *ListPublicKeyMappingResponse_PublicKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -3258,7 +3140,7 @@ type ListPublicKeyMappingResponse_Association struct { func (x *ListPublicKeyMappingResponse_Association) Reset() { *x = ListPublicKeyMappingResponse_Association{} if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[49] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -3271,7 +3153,7 @@ func (x *ListPublicKeyMappingResponse_Association) String() string { func (*ListPublicKeyMappingResponse_Association) ProtoMessage() {} func (x *ListPublicKeyMappingResponse_Association) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[49] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -3326,7 +3208,7 @@ type RotateKeyRequest_NewKey struct { func (x *RotateKeyRequest_NewKey) Reset() { *x = RotateKeyRequest_NewKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[50] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -3339,7 +3221,7 @@ func (x *RotateKeyRequest_NewKey) String() string { func (*RotateKeyRequest_NewKey) ProtoMessage() {} func (x *RotateKeyRequest_NewKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[50] + mi := &file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -4174,155 +4056,139 @@ var file_policy_kasregistry_key_access_server_registry_proto_rawDesc = []byte{ 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x48, 0x00, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x42, 0x13, 0x0a, 0x0a, 0x61, 0x63, 0x74, 0x69, - 0x76, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x12, 0x05, 0xba, 0x48, 0x02, 0x08, 0x01, 0x22, 0x69, 0x0a, - 0x12, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x4b, 0x65, 0x79, 0x12, 0x2f, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, - 0x69, 0x74, 0x68, 0x6d, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x03, 0x70, 0x65, 0x6d, 0x22, 0x6e, 0x0a, 0x0c, 0x53, 0x69, 0x6d, 0x70, - 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x61, 0x73, 0x5f, - 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, 0x72, - 0x69, 0x12, 0x45, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, - 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, - 0x65, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, - 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x22, 0x13, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x42, - 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x51, 0x0a, - 0x12, 0x47, 0x65, 0x74, 0x42, 0x61, 
0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x12, 0x3b, 0x0a, 0x08, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, - 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, - 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x07, 0x62, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, - 0x22, 0xa6, 0x01, 0x0a, 0x12, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x42, 0x0a, 0x0c, 0x6e, 0x65, 0x77, 0x5f, 0x62, - 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, - 0x0a, 0x6e, 0x65, 0x77, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x4c, 0x0a, 0x11, 0x70, - 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x5f, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, - 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x0f, 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, - 0x75, 0x73, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x32, 0xeb, 0x0c, 0x0a, 0x1e, 0x4b, 0x65, - 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x72, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x99, 0x01, 0x0a, - 0x14, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, - 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 
0x69, 0x73, 0x74, 0x4b, - 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x76, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x12, 0x05, 0xba, 0x48, 0x02, 0x08, 0x01, 0x22, 0x13, 0x0a, + 0x11, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x22, 0x45, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x08, 0x62, 0x61, 0x73, 0x65, + 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, + 0x52, 0x07, 0x62, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x22, 0x8e, 0x01, 0x0a, 0x12, 0x53, 0x65, + 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x36, 0x0a, 0x0c, 0x6e, 0x65, 0x77, 0x5f, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x0a, 0x6e, 0x65, + 0x77, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x40, 0x0a, 0x11, 0x70, 0x72, 0x65, 0x76, + 0x69, 0x6f, 0x75, 0x73, 0x5f, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x69, 0x6d, + 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x0f, 0x70, 0x72, 0x65, 0x76, 0x69, + 0x6f, 0x75, 0x73, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x32, 0xeb, 0x0c, 0x0a, 0x1e, 0x4b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x99, 0x01, + 0x0a, 0x14, 
0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, + 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x2f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, - 0x12, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x73, 0x90, 0x02, 0x01, 0x12, 0x98, 0x01, 0x0a, 0x12, 0x47, 0x65, 0x74, - 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, - 0x2d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, + 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, + 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, + 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x90, 0x02, 0x01, 0x12, 0x98, 0x01, 0x0a, 0x12, 0x47, 0x65, + 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x12, 0x2d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x2e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 
0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, + 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, + 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x12, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, + 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, + 0x7d, 0x90, 0x02, 0x01, 0x12, 0x9c, 0x01, 0x0a, 0x15, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, - 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x12, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, - 0x90, 0x02, 0x01, 0x12, 0x9c, 0x01, 0x0a, 0x15, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, + 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x3a, 0x01, 0x2a, 0x22, 0x13, + 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x73, 0x12, 0xa1, 0x01, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 
0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, + 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, - 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x3a, 0x01, 0x2a, 0x22, 0x13, 0x2f, + 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1d, 0x3a, 0x01, 0x2a, 0x32, 0x18, 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x73, 0x12, 0xa1, 0x01, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, - 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x30, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, - 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 
0x1d, 0x3a, 0x01, 0x2a, 0x32, 0x18, 0x2f, 0x6b, - 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, - 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0x9e, 0x01, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, - 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, - 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, - 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, - 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, - 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x2a, 0x18, 0x2f, - 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0xaf, 0x01, 0x0a, 0x19, 0x4c, 0x69, 0x73, 0x74, + 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0x9e, 0x01, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, + 0x74, 0x65, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x12, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, 0x65, 0x79, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, + 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 
0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x2a, 0x18, + 0x2f, 0x6b, 0x65, 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x73, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0xaf, 0x01, 0x0a, 0x19, 0x4c, 0x69, 0x73, + 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, + 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, - 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, - 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, - 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, - 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, - 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x22, 0x25, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1c, 0x12, 0x1a, 0x2f, 0x6b, 0x65, 0x79, - 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x2f, - 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x90, 0x02, 0x01, 0x12, 0x5a, 0x0a, 0x09, 0x43, 0x72, 0x65, - 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, - 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, + 0x72, 0x61, 0x6e, 0x74, 
0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x51, 0x0a, 0x06, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x12, - 0x21, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, - 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, - 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x57, 0x0a, 0x08, 0x4c, 0x69, 0x73, 0x74, - 0x4b, 0x65, 0x79, 0x73, 0x12, 0x23, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, - 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, - 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, - 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, - 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, - 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, - 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, 0x0a, - 0x09, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 
0x24, 0x2e, 0x70, 0x6f, 0x6c, + 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, + 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x25, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1c, 0x12, 0x1a, 0x2f, 0x6b, 0x65, + 0x79, 0x2d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, + 0x2f, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x90, 0x02, 0x01, 0x12, 0x5a, 0x0a, 0x09, 0x43, 0x72, + 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, + 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, + 0x72, 0x79, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x51, 0x0a, 0x06, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, + 0x12, 0x21, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, + 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x4b, 0x65, 0x79, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x57, 0x0a, 0x08, 0x4c, 0x69, 0x73, + 0x74, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x23, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, + 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4b, + 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, - 0x52, 
0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x53, 0x65, 0x74, + 0x4c, 0x69, 0x73, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x09, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, + 0x24, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, + 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, + 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5a, + 0x0a, 0x09, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, + 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x53, 0x65, + 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, + 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x26, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 
0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, + 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x79, 0x2e, 0x53, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x5d, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x42, - 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x42, - 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xdb, 0x01, 0x0a, 0x16, 0x63, 0x6f, 0x6d, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x79, 0x42, 0x1c, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, - 0x50, 0x01, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, - 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 
0x6d, 0x2f, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2f, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xa2, 0x02, - 0x03, 0x50, 0x4b, 0x58, 0xaa, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, - 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xca, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xe2, 0x02, - 0x1e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, - 0x02, 0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x72, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x74, 0x72, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0xdb, 0x01, 0x0a, 0x16, 0x63, 0x6f, 0x6d, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x79, 0x42, 0x1c, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x50, 0x72, 0x6f, 0x74, + 0x6f, 0x50, 0x01, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, + 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2f, 0x6b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xa2, + 0x02, 0x03, 0x50, 0x4b, 0x58, 0xaa, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, + 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xca, 0x02, 0x12, 0x50, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 
0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0xe2, + 0x02, 0x1e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x4b, 0x61, 0x73, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0xea, 0x02, 0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x4b, 0x61, 0x73, 0x72, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -4337,7 +4203,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_rawDescGZIP() []by return file_policy_kasregistry_key_access_server_registry_proto_rawDescData } -var file_policy_kasregistry_key_access_server_registry_proto_msgTypes = make([]protoimpl.MessageInfo, 51) +var file_policy_kasregistry_key_access_server_registry_proto_msgTypes = make([]protoimpl.MessageInfo, 49) var file_policy_kasregistry_key_access_server_registry_proto_goTypes = []interface{}{ (*GetKeyAccessServerRequest)(nil), // 0: policy.kasregistry.GetKeyAccessServerRequest (*GetKeyAccessServerResponse)(nil), // 1: policy.kasregistry.GetKeyAccessServerResponse 
@@ -4381,137 +4247,134 @@ var file_policy_kasregistry_key_access_server_registry_proto_goTypes = []interfa (*RotatedResources)(nil), // 39: policy.kasregistry.RotatedResources (*RotateKeyResponse)(nil), // 40: policy.kasregistry.RotateKeyResponse (*SetBaseKeyRequest)(nil), // 41: policy.kasregistry.SetBaseKeyRequest - (*SimpleKasPublicKey)(nil), // 42: policy.kasregistry.SimpleKasPublicKey - (*SimpleKasKey)(nil), // 43: policy.kasregistry.SimpleKasKey - (*GetBaseKeyRequest)(nil), // 44: policy.kasregistry.GetBaseKeyRequest - (*GetBaseKeyResponse)(nil), // 45: policy.kasregistry.GetBaseKeyResponse - (*SetBaseKeyResponse)(nil), // 46: policy.kasregistry.SetBaseKeyResponse - (*ListPublicKeyMappingResponse_PublicKeyMapping)(nil), // 47: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping - (*ListPublicKeyMappingResponse_PublicKey)(nil), // 48: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey - (*ListPublicKeyMappingResponse_Association)(nil), // 49: policy.kasregistry.ListPublicKeyMappingResponse.Association - (*RotateKeyRequest_NewKey)(nil), // 50: policy.kasregistry.RotateKeyRequest.NewKey - (*policy.KeyAccessServer)(nil), // 51: policy.KeyAccessServer - (*policy.PageRequest)(nil), // 52: policy.PageRequest - (*policy.PageResponse)(nil), // 53: policy.PageResponse - (*policy.PublicKey)(nil), // 54: policy.PublicKey - (policy.SourceType)(0), // 55: policy.SourceType - (*common.MetadataMutable)(nil), // 56: common.MetadataMutable - (common.MetadataUpdateEnum)(0), // 57: common.MetadataUpdateEnum - (*policy.KasPublicKey)(nil), // 58: policy.KasPublicKey - (*policy.Key)(nil), // 59: policy.Key - (policy.Algorithm)(0), // 60: policy.Algorithm - (policy.KeyMode)(0), // 61: policy.KeyMode - (*policy.PublicKeyCtx)(nil), // 62: policy.PublicKeyCtx - (*policy.PrivateKeyCtx)(nil), // 63: policy.PrivateKeyCtx - (*policy.KasKey)(nil), // 64: policy.KasKey + (*GetBaseKeyRequest)(nil), // 42: policy.kasregistry.GetBaseKeyRequest + (*GetBaseKeyResponse)(nil), 
// 43: policy.kasregistry.GetBaseKeyResponse + (*SetBaseKeyResponse)(nil), // 44: policy.kasregistry.SetBaseKeyResponse + (*ListPublicKeyMappingResponse_PublicKeyMapping)(nil), // 45: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping + (*ListPublicKeyMappingResponse_PublicKey)(nil), // 46: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey + (*ListPublicKeyMappingResponse_Association)(nil), // 47: policy.kasregistry.ListPublicKeyMappingResponse.Association + (*RotateKeyRequest_NewKey)(nil), // 48: policy.kasregistry.RotateKeyRequest.NewKey + (*policy.KeyAccessServer)(nil), // 49: policy.KeyAccessServer + (*policy.PageRequest)(nil), // 50: policy.PageRequest + (*policy.PageResponse)(nil), // 51: policy.PageResponse + (*policy.PublicKey)(nil), // 52: policy.PublicKey + (policy.SourceType)(0), // 53: policy.SourceType + (*common.MetadataMutable)(nil), // 54: common.MetadataMutable + (common.MetadataUpdateEnum)(0), // 55: common.MetadataUpdateEnum + (*policy.KasPublicKey)(nil), // 56: policy.KasPublicKey + (*policy.Key)(nil), // 57: policy.Key + (policy.Algorithm)(0), // 58: policy.Algorithm + (policy.KeyMode)(0), // 59: policy.KeyMode + (*policy.PublicKeyCtx)(nil), // 60: policy.PublicKeyCtx + (*policy.PrivateKeyCtx)(nil), // 61: policy.PrivateKeyCtx + (*policy.KasKey)(nil), // 62: policy.KasKey + (*policy.SimpleKasKey)(nil), // 63: policy.SimpleKasKey } var file_policy_kasregistry_key_access_server_registry_proto_depIdxs = []int32{ - 51, // 0: policy.kasregistry.GetKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 52, // 1: policy.kasregistry.ListKeyAccessServersRequest.pagination:type_name -> policy.PageRequest - 51, // 2: policy.kasregistry.ListKeyAccessServersResponse.key_access_servers:type_name -> policy.KeyAccessServer - 53, // 3: policy.kasregistry.ListKeyAccessServersResponse.pagination:type_name -> policy.PageResponse - 54, // 4: policy.kasregistry.CreateKeyAccessServerRequest.public_key:type_name -> 
policy.PublicKey - 55, // 5: policy.kasregistry.CreateKeyAccessServerRequest.source_type:type_name -> policy.SourceType - 56, // 6: policy.kasregistry.CreateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable - 51, // 7: policy.kasregistry.CreateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 54, // 8: policy.kasregistry.UpdateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey - 55, // 9: policy.kasregistry.UpdateKeyAccessServerRequest.source_type:type_name -> policy.SourceType - 56, // 10: policy.kasregistry.UpdateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable - 57, // 11: policy.kasregistry.UpdateKeyAccessServerRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 51, // 12: policy.kasregistry.UpdateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 51, // 13: policy.kasregistry.DeleteKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer - 51, // 14: policy.kasregistry.KeyAccessServerGrants.key_access_server:type_name -> policy.KeyAccessServer + 49, // 0: policy.kasregistry.GetKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 50, // 1: policy.kasregistry.ListKeyAccessServersRequest.pagination:type_name -> policy.PageRequest + 49, // 2: policy.kasregistry.ListKeyAccessServersResponse.key_access_servers:type_name -> policy.KeyAccessServer + 51, // 3: policy.kasregistry.ListKeyAccessServersResponse.pagination:type_name -> policy.PageResponse + 52, // 4: policy.kasregistry.CreateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey + 53, // 5: policy.kasregistry.CreateKeyAccessServerRequest.source_type:type_name -> policy.SourceType + 54, // 6: policy.kasregistry.CreateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable + 49, // 7: policy.kasregistry.CreateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 52, // 8: 
policy.kasregistry.UpdateKeyAccessServerRequest.public_key:type_name -> policy.PublicKey + 53, // 9: policy.kasregistry.UpdateKeyAccessServerRequest.source_type:type_name -> policy.SourceType + 54, // 10: policy.kasregistry.UpdateKeyAccessServerRequest.metadata:type_name -> common.MetadataMutable + 55, // 11: policy.kasregistry.UpdateKeyAccessServerRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 49, // 12: policy.kasregistry.UpdateKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 49, // 13: policy.kasregistry.DeleteKeyAccessServerResponse.key_access_server:type_name -> policy.KeyAccessServer + 49, // 14: policy.kasregistry.KeyAccessServerGrants.key_access_server:type_name -> policy.KeyAccessServer 10, // 15: policy.kasregistry.KeyAccessServerGrants.namespace_grants:type_name -> policy.kasregistry.GrantedPolicyObject 10, // 16: policy.kasregistry.KeyAccessServerGrants.attribute_grants:type_name -> policy.kasregistry.GrantedPolicyObject 10, // 17: policy.kasregistry.KeyAccessServerGrants.value_grants:type_name -> policy.kasregistry.GrantedPolicyObject - 58, // 18: policy.kasregistry.CreatePublicKeyRequest.key:type_name -> policy.KasPublicKey - 56, // 19: policy.kasregistry.CreatePublicKeyRequest.metadata:type_name -> common.MetadataMutable - 59, // 20: policy.kasregistry.CreatePublicKeyResponse.key:type_name -> policy.Key - 59, // 21: policy.kasregistry.GetPublicKeyResponse.key:type_name -> policy.Key - 52, // 22: policy.kasregistry.ListPublicKeysRequest.pagination:type_name -> policy.PageRequest - 59, // 23: policy.kasregistry.ListPublicKeysResponse.keys:type_name -> policy.Key - 53, // 24: policy.kasregistry.ListPublicKeysResponse.pagination:type_name -> policy.PageResponse - 52, // 25: policy.kasregistry.ListPublicKeyMappingRequest.pagination:type_name -> policy.PageRequest - 47, // 26: policy.kasregistry.ListPublicKeyMappingResponse.public_key_mappings:type_name -> 
policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping - 53, // 27: policy.kasregistry.ListPublicKeyMappingResponse.pagination:type_name -> policy.PageResponse - 56, // 28: policy.kasregistry.UpdatePublicKeyRequest.metadata:type_name -> common.MetadataMutable - 57, // 29: policy.kasregistry.UpdatePublicKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 59, // 30: policy.kasregistry.UpdatePublicKeyResponse.key:type_name -> policy.Key - 59, // 31: policy.kasregistry.DeactivatePublicKeyResponse.key:type_name -> policy.Key - 59, // 32: policy.kasregistry.ActivatePublicKeyResponse.key:type_name -> policy.Key - 52, // 33: policy.kasregistry.ListKeyAccessServerGrantsRequest.pagination:type_name -> policy.PageRequest + 56, // 18: policy.kasregistry.CreatePublicKeyRequest.key:type_name -> policy.KasPublicKey + 54, // 19: policy.kasregistry.CreatePublicKeyRequest.metadata:type_name -> common.MetadataMutable + 57, // 20: policy.kasregistry.CreatePublicKeyResponse.key:type_name -> policy.Key + 57, // 21: policy.kasregistry.GetPublicKeyResponse.key:type_name -> policy.Key + 50, // 22: policy.kasregistry.ListPublicKeysRequest.pagination:type_name -> policy.PageRequest + 57, // 23: policy.kasregistry.ListPublicKeysResponse.keys:type_name -> policy.Key + 51, // 24: policy.kasregistry.ListPublicKeysResponse.pagination:type_name -> policy.PageResponse + 50, // 25: policy.kasregistry.ListPublicKeyMappingRequest.pagination:type_name -> policy.PageRequest + 45, // 26: policy.kasregistry.ListPublicKeyMappingResponse.public_key_mappings:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping + 51, // 27: policy.kasregistry.ListPublicKeyMappingResponse.pagination:type_name -> policy.PageResponse + 54, // 28: policy.kasregistry.UpdatePublicKeyRequest.metadata:type_name -> common.MetadataMutable + 55, // 29: policy.kasregistry.UpdatePublicKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 57, // 30: 
policy.kasregistry.UpdatePublicKeyResponse.key:type_name -> policy.Key + 57, // 31: policy.kasregistry.DeactivatePublicKeyResponse.key:type_name -> policy.Key + 57, // 32: policy.kasregistry.ActivatePublicKeyResponse.key:type_name -> policy.Key + 50, // 33: policy.kasregistry.ListKeyAccessServerGrantsRequest.pagination:type_name -> policy.PageRequest 11, // 34: policy.kasregistry.ListKeyAccessServerGrantsResponse.grants:type_name -> policy.kasregistry.KeyAccessServerGrants - 53, // 35: policy.kasregistry.ListKeyAccessServerGrantsResponse.pagination:type_name -> policy.PageResponse - 60, // 36: policy.kasregistry.CreateKeyRequest.key_algorithm:type_name -> policy.Algorithm - 61, // 37: policy.kasregistry.CreateKeyRequest.key_mode:type_name -> policy.KeyMode - 62, // 38: policy.kasregistry.CreateKeyRequest.public_key_ctx:type_name -> policy.PublicKeyCtx - 63, // 39: policy.kasregistry.CreateKeyRequest.private_key_ctx:type_name -> policy.PrivateKeyCtx - 56, // 40: policy.kasregistry.CreateKeyRequest.metadata:type_name -> common.MetadataMutable - 64, // 41: policy.kasregistry.CreateKeyResponse.kas_key:type_name -> policy.KasKey + 51, // 35: policy.kasregistry.ListKeyAccessServerGrantsResponse.pagination:type_name -> policy.PageResponse + 58, // 36: policy.kasregistry.CreateKeyRequest.key_algorithm:type_name -> policy.Algorithm + 59, // 37: policy.kasregistry.CreateKeyRequest.key_mode:type_name -> policy.KeyMode + 60, // 38: policy.kasregistry.CreateKeyRequest.public_key_ctx:type_name -> policy.PublicKeyCtx + 61, // 39: policy.kasregistry.CreateKeyRequest.private_key_ctx:type_name -> policy.PrivateKeyCtx + 54, // 40: policy.kasregistry.CreateKeyRequest.metadata:type_name -> common.MetadataMutable + 62, // 41: policy.kasregistry.CreateKeyResponse.kas_key:type_name -> policy.KasKey 36, // 42: policy.kasregistry.GetKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier - 64, // 43: policy.kasregistry.GetKeyResponse.kas_key:type_name -> policy.KasKey - 60, // 44: 
policy.kasregistry.ListKeysRequest.key_algorithm:type_name -> policy.Algorithm - 52, // 45: policy.kasregistry.ListKeysRequest.pagination:type_name -> policy.PageRequest - 64, // 46: policy.kasregistry.ListKeysResponse.kas_keys:type_name -> policy.KasKey - 53, // 47: policy.kasregistry.ListKeysResponse.pagination:type_name -> policy.PageResponse - 56, // 48: policy.kasregistry.UpdateKeyRequest.metadata:type_name -> common.MetadataMutable - 57, // 49: policy.kasregistry.UpdateKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum - 64, // 50: policy.kasregistry.UpdateKeyResponse.kas_key:type_name -> policy.KasKey + 62, // 43: policy.kasregistry.GetKeyResponse.kas_key:type_name -> policy.KasKey + 58, // 44: policy.kasregistry.ListKeysRequest.key_algorithm:type_name -> policy.Algorithm + 50, // 45: policy.kasregistry.ListKeysRequest.pagination:type_name -> policy.PageRequest + 62, // 46: policy.kasregistry.ListKeysResponse.kas_keys:type_name -> policy.KasKey + 51, // 47: policy.kasregistry.ListKeysResponse.pagination:type_name -> policy.PageResponse + 54, // 48: policy.kasregistry.UpdateKeyRequest.metadata:type_name -> common.MetadataMutable + 55, // 49: policy.kasregistry.UpdateKeyRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum + 62, // 50: policy.kasregistry.UpdateKeyResponse.kas_key:type_name -> policy.KasKey 36, // 51: policy.kasregistry.RotateKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier - 50, // 52: policy.kasregistry.RotateKeyRequest.new_key:type_name -> policy.kasregistry.RotateKeyRequest.NewKey - 64, // 53: policy.kasregistry.RotatedResources.rotated_out_key:type_name -> policy.KasKey + 48, // 52: policy.kasregistry.RotateKeyRequest.new_key:type_name -> policy.kasregistry.RotateKeyRequest.NewKey + 62, // 53: policy.kasregistry.RotatedResources.rotated_out_key:type_name -> policy.KasKey 38, // 54: policy.kasregistry.RotatedResources.attribute_definition_mappings:type_name -> 
policy.kasregistry.ChangeMappings 38, // 55: policy.kasregistry.RotatedResources.attribute_value_mappings:type_name -> policy.kasregistry.ChangeMappings 38, // 56: policy.kasregistry.RotatedResources.namespace_mappings:type_name -> policy.kasregistry.ChangeMappings - 64, // 57: policy.kasregistry.RotateKeyResponse.kas_key:type_name -> policy.KasKey + 62, // 57: policy.kasregistry.RotateKeyResponse.kas_key:type_name -> policy.KasKey 39, // 58: policy.kasregistry.RotateKeyResponse.rotated_resources:type_name -> policy.kasregistry.RotatedResources 36, // 59: policy.kasregistry.SetBaseKeyRequest.key:type_name -> policy.kasregistry.KasKeyIdentifier - 60, // 60: policy.kasregistry.SimpleKasPublicKey.algorithm:type_name -> policy.Algorithm - 42, // 61: policy.kasregistry.SimpleKasKey.public_key:type_name -> policy.kasregistry.SimpleKasPublicKey - 43, // 62: policy.kasregistry.GetBaseKeyResponse.base_key:type_name -> policy.kasregistry.SimpleKasKey - 43, // 63: policy.kasregistry.SetBaseKeyResponse.new_base_key:type_name -> policy.kasregistry.SimpleKasKey - 43, // 64: policy.kasregistry.SetBaseKeyResponse.previous_base_key:type_name -> policy.kasregistry.SimpleKasKey - 48, // 65: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping.public_keys:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKey - 59, // 66: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.key:type_name -> policy.Key - 49, // 67: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.values:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association - 49, // 68: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.definitions:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association - 49, // 69: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.namespaces:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association - 60, // 70: policy.kasregistry.RotateKeyRequest.NewKey.algorithm:type_name -> policy.Algorithm - 
61, // 71: policy.kasregistry.RotateKeyRequest.NewKey.key_mode:type_name -> policy.KeyMode - 62, // 72: policy.kasregistry.RotateKeyRequest.NewKey.public_key_ctx:type_name -> policy.PublicKeyCtx - 63, // 73: policy.kasregistry.RotateKeyRequest.NewKey.private_key_ctx:type_name -> policy.PrivateKeyCtx - 56, // 74: policy.kasregistry.RotateKeyRequest.NewKey.metadata:type_name -> common.MetadataMutable - 2, // 75: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:input_type -> policy.kasregistry.ListKeyAccessServersRequest - 0, // 76: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:input_type -> policy.kasregistry.GetKeyAccessServerRequest - 4, // 77: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:input_type -> policy.kasregistry.CreateKeyAccessServerRequest - 6, // 78: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:input_type -> policy.kasregistry.UpdateKeyAccessServerRequest - 8, // 79: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:input_type -> policy.kasregistry.DeleteKeyAccessServerRequest - 26, // 80: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:input_type -> policy.kasregistry.ListKeyAccessServerGrantsRequest - 28, // 81: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:input_type -> policy.kasregistry.CreateKeyRequest - 30, // 82: policy.kasregistry.KeyAccessServerRegistryService.GetKey:input_type -> policy.kasregistry.GetKeyRequest - 32, // 83: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:input_type -> policy.kasregistry.ListKeysRequest - 34, // 84: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:input_type -> policy.kasregistry.UpdateKeyRequest - 37, // 85: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:input_type -> policy.kasregistry.RotateKeyRequest - 41, // 86: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:input_type -> 
policy.kasregistry.SetBaseKeyRequest - 44, // 87: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:input_type -> policy.kasregistry.GetBaseKeyRequest - 3, // 88: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:output_type -> policy.kasregistry.ListKeyAccessServersResponse - 1, // 89: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:output_type -> policy.kasregistry.GetKeyAccessServerResponse - 5, // 90: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:output_type -> policy.kasregistry.CreateKeyAccessServerResponse - 7, // 91: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:output_type -> policy.kasregistry.UpdateKeyAccessServerResponse - 9, // 92: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:output_type -> policy.kasregistry.DeleteKeyAccessServerResponse - 27, // 93: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:output_type -> policy.kasregistry.ListKeyAccessServerGrantsResponse - 29, // 94: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:output_type -> policy.kasregistry.CreateKeyResponse - 31, // 95: policy.kasregistry.KeyAccessServerRegistryService.GetKey:output_type -> policy.kasregistry.GetKeyResponse - 33, // 96: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:output_type -> policy.kasregistry.ListKeysResponse - 35, // 97: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:output_type -> policy.kasregistry.UpdateKeyResponse - 40, // 98: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:output_type -> policy.kasregistry.RotateKeyResponse - 46, // 99: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:output_type -> policy.kasregistry.SetBaseKeyResponse - 45, // 100: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:output_type -> policy.kasregistry.GetBaseKeyResponse - 88, // [88:101] is the sub-list for method output_type - 75, // [75:88] is 
the sub-list for method input_type - 75, // [75:75] is the sub-list for extension type_name - 75, // [75:75] is the sub-list for extension extendee - 0, // [0:75] is the sub-list for field type_name + 63, // 60: policy.kasregistry.GetBaseKeyResponse.base_key:type_name -> policy.SimpleKasKey + 63, // 61: policy.kasregistry.SetBaseKeyResponse.new_base_key:type_name -> policy.SimpleKasKey + 63, // 62: policy.kasregistry.SetBaseKeyResponse.previous_base_key:type_name -> policy.SimpleKasKey + 46, // 63: policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping.public_keys:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.PublicKey + 57, // 64: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.key:type_name -> policy.Key + 47, // 65: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.values:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association + 47, // 66: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.definitions:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association + 47, // 67: policy.kasregistry.ListPublicKeyMappingResponse.PublicKey.namespaces:type_name -> policy.kasregistry.ListPublicKeyMappingResponse.Association + 58, // 68: policy.kasregistry.RotateKeyRequest.NewKey.algorithm:type_name -> policy.Algorithm + 59, // 69: policy.kasregistry.RotateKeyRequest.NewKey.key_mode:type_name -> policy.KeyMode + 60, // 70: policy.kasregistry.RotateKeyRequest.NewKey.public_key_ctx:type_name -> policy.PublicKeyCtx + 61, // 71: policy.kasregistry.RotateKeyRequest.NewKey.private_key_ctx:type_name -> policy.PrivateKeyCtx + 54, // 72: policy.kasregistry.RotateKeyRequest.NewKey.metadata:type_name -> common.MetadataMutable + 2, // 73: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:input_type -> policy.kasregistry.ListKeyAccessServersRequest + 0, // 74: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:input_type -> policy.kasregistry.GetKeyAccessServerRequest + 
4, // 75: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:input_type -> policy.kasregistry.CreateKeyAccessServerRequest + 6, // 76: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:input_type -> policy.kasregistry.UpdateKeyAccessServerRequest + 8, // 77: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:input_type -> policy.kasregistry.DeleteKeyAccessServerRequest + 26, // 78: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:input_type -> policy.kasregistry.ListKeyAccessServerGrantsRequest + 28, // 79: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:input_type -> policy.kasregistry.CreateKeyRequest + 30, // 80: policy.kasregistry.KeyAccessServerRegistryService.GetKey:input_type -> policy.kasregistry.GetKeyRequest + 32, // 81: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:input_type -> policy.kasregistry.ListKeysRequest + 34, // 82: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:input_type -> policy.kasregistry.UpdateKeyRequest + 37, // 83: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:input_type -> policy.kasregistry.RotateKeyRequest + 41, // 84: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:input_type -> policy.kasregistry.SetBaseKeyRequest + 42, // 85: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:input_type -> policy.kasregistry.GetBaseKeyRequest + 3, // 86: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers:output_type -> policy.kasregistry.ListKeyAccessServersResponse + 1, // 87: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer:output_type -> policy.kasregistry.GetKeyAccessServerResponse + 5, // 88: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer:output_type -> policy.kasregistry.CreateKeyAccessServerResponse + 7, // 89: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer:output_type -> 
policy.kasregistry.UpdateKeyAccessServerResponse + 9, // 90: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer:output_type -> policy.kasregistry.DeleteKeyAccessServerResponse + 27, // 91: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants:output_type -> policy.kasregistry.ListKeyAccessServerGrantsResponse + 29, // 92: policy.kasregistry.KeyAccessServerRegistryService.CreateKey:output_type -> policy.kasregistry.CreateKeyResponse + 31, // 93: policy.kasregistry.KeyAccessServerRegistryService.GetKey:output_type -> policy.kasregistry.GetKeyResponse + 33, // 94: policy.kasregistry.KeyAccessServerRegistryService.ListKeys:output_type -> policy.kasregistry.ListKeysResponse + 35, // 95: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey:output_type -> policy.kasregistry.UpdateKeyResponse + 40, // 96: policy.kasregistry.KeyAccessServerRegistryService.RotateKey:output_type -> policy.kasregistry.RotateKeyResponse + 44, // 97: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey:output_type -> policy.kasregistry.SetBaseKeyResponse + 43, // 98: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey:output_type -> policy.kasregistry.GetBaseKeyResponse + 86, // [86:99] is the sub-list for method output_type + 73, // [73:86] is the sub-list for method input_type + 73, // [73:73] is the sub-list for extension type_name + 73, // [73:73] is the sub-list for extension extendee + 0, // [0:73] is the sub-list for field type_name } func init() { file_policy_kasregistry_key_access_server_registry_proto_init() } 
@@ -5025,30 +4888,6 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { } } file_policy_kasregistry_key_access_server_registry_proto_msgTypes[42].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SimpleKasPublicKey); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SimpleKasKey); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*GetBaseKeyRequest); i { case 0: return &v.state @@ -5060,7 +4899,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { return nil } } - file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45].Exporter = func(v interface{}, i int) interface{} { + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[43].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*GetBaseKeyResponse); i { case 0: return &v.state @@ -5072,7 +4911,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { return nil } } - file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46].Exporter = func(v interface{}, i int) interface{} { + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[44].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*SetBaseKeyResponse); i { case 0: return &v.state 
@@ -5084,7 +4923,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { return nil } } - file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47].Exporter = func(v interface{}, i int) interface{} { + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[45].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*ListPublicKeyMappingResponse_PublicKeyMapping); i { case 0: return &v.state @@ -5096,7 +4935,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { return nil } } - file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48].Exporter = func(v interface{}, i int) interface{} { + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[46].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*ListPublicKeyMappingResponse_PublicKey); i { case 0: return &v.state @@ -5108,7 +4947,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { return nil } } - file_policy_kasregistry_key_access_server_registry_proto_msgTypes[49].Exporter = func(v interface{}, i int) interface{} { + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[47].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*ListPublicKeyMappingResponse_Association); i { case 0: return &v.state @@ -5120,7 +4959,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { return nil } } - file_policy_kasregistry_key_access_server_registry_proto_msgTypes[50].Exporter = func(v interface{}, i int) interface{} { + file_policy_kasregistry_key_access_server_registry_proto_msgTypes[48].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*RotateKeyRequest_NewKey); i { case 0: return &v.state 
@@ -5179,7 +5018,7 @@ func file_policy_kasregistry_key_access_server_registry_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_policy_kasregistry_key_access_server_registry_proto_rawDesc, NumEnums: 0, - NumMessages: 51, + NumMessages: 49, NumExtensions: 0, NumServices: 1, }, diff --git a/protocol/go/policy/objects.pb.go b/protocol/go/policy/objects.pb.go index 83c556505e..70a5002bd3 100644 --- a/protocol/go/policy/objects.pb.go +++ b/protocol/go/policy/objects.pb.go 
@@ -520,7 +520,133 @@ func (x Action_StandardAction) Number() protoreflect.EnumNumber { // Deprecated: Use Action_StandardAction.Descriptor instead. func (Action_StandardAction) EnumDescriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{4, 0} + return file_policy_objects_proto_rawDescGZIP(), []int{6, 0} +} + +type SimpleKasPublicKey struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Algorithm Algorithm `protobuf:"varint,1,opt,name=algorithm,proto3,enum=policy.Algorithm" json:"algorithm,omitempty"` + Kid string `protobuf:"bytes,2,opt,name=kid,proto3" json:"kid,omitempty"` + Pem string `protobuf:"bytes,3,opt,name=pem,proto3" json:"pem,omitempty"` +} + +func (x *SimpleKasPublicKey) Reset() { + *x = SimpleKasPublicKey{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_objects_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SimpleKasPublicKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SimpleKasPublicKey) ProtoMessage() {} + +func (x *SimpleKasPublicKey) ProtoReflect() protoreflect.Message { + mi := &file_policy_objects_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SimpleKasPublicKey.ProtoReflect.Descriptor instead. 
+func (*SimpleKasPublicKey) Descriptor() ([]byte, []int) { + return file_policy_objects_proto_rawDescGZIP(), []int{0} +} + +func (x *SimpleKasPublicKey) GetAlgorithm() Algorithm { + if x != nil { + return x.Algorithm + } + return Algorithm_ALGORITHM_UNSPECIFIED +} + +func (x *SimpleKasPublicKey) GetKid() string { + if x != nil { + return x.Kid + } + return "" +} + +func (x *SimpleKasPublicKey) GetPem() string { + if x != nil { + return x.Pem + } + return "" +} + +type SimpleKasKey struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + KasUri string `protobuf:"bytes,1,opt,name=kas_uri,json=kasUri,proto3" json:"kas_uri,omitempty"` // The URL of the Key Access Server + PublicKey *SimpleKasPublicKey `protobuf:"bytes,2,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` // The public key of the Key that belongs to the KAS + KasId string `protobuf:"bytes,3,opt,name=kas_id,json=kasId,proto3" json:"kas_id,omitempty"` // The ID of the Key Access Server +} + +func (x *SimpleKasKey) Reset() { + *x = SimpleKasKey{} + if protoimpl.UnsafeEnabled { + mi := &file_policy_objects_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SimpleKasKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SimpleKasKey) ProtoMessage() {} + +func (x *SimpleKasKey) ProtoReflect() protoreflect.Message { + mi := &file_policy_objects_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SimpleKasKey.ProtoReflect.Descriptor instead. 
+func (*SimpleKasKey) Descriptor() ([]byte, []int) { + return file_policy_objects_proto_rawDescGZIP(), []int{1} +} + +func (x *SimpleKasKey) GetKasUri() string { + if x != nil { + return x.KasUri + } + return "" +} + +func (x *SimpleKasKey) GetPublicKey() *SimpleKasPublicKey { + if x != nil { + return x.PublicKey + } + return nil +} + +func (x *SimpleKasKey) GetKasId() string { + if x != nil { + return x.KasId + } + return "" } type KeyProviderConfig struct { @@ -538,7 +664,7 @@ type KeyProviderConfig struct { func (x *KeyProviderConfig) Reset() { *x = KeyProviderConfig{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[0] + mi := &file_policy_objects_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -551,7 +677,7 @@ func (x *KeyProviderConfig) String() string { func (*KeyProviderConfig) ProtoMessage() {} func (x *KeyProviderConfig) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[0] + mi := &file_policy_objects_proto_msgTypes[2] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -564,7 +690,7 @@ func (x *KeyProviderConfig) ProtoReflect() protoreflect.Message { // Deprecated: Use KeyProviderConfig.ProtoReflect.Descriptor instead. func (*KeyProviderConfig) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{0} + return file_policy_objects_proto_rawDescGZIP(), []int{2} } func (x *KeyProviderConfig) GetId() string { 
@@ -612,13 +738,13 @@ type Namespace struct { // KAS grants for the namespace Grants []*KeyAccessServer `protobuf:"bytes,6,rep,name=grants,proto3" json:"grants,omitempty"` // Keys for the namespace - KasKeys []*KasKey `protobuf:"bytes,7,rep,name=kas_keys,json=kasKeys,proto3" json:"kas_keys,omitempty"` + KasKeys []*SimpleKasKey `protobuf:"bytes,7,rep,name=kas_keys,json=kasKeys,proto3" json:"kas_keys,omitempty"` } func (x *Namespace) Reset() { *x = Namespace{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[1] + mi := &file_policy_objects_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -631,7 +757,7 @@ func (x *Namespace) String() string { func (*Namespace) ProtoMessage() {} func (x *Namespace) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[1] + mi := &file_policy_objects_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -644,7 +770,7 @@ func (x *Namespace) ProtoReflect() protoreflect.Message { // Deprecated: Use Namespace.ProtoReflect.Descriptor instead. func (*Namespace) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{1} + return file_policy_objects_proto_rawDescGZIP(), []int{3} } func (x *Namespace) GetId() string { @@ -689,7 +815,7 @@ func (x *Namespace) GetGrants() []*KeyAccessServer { return nil } -func (x *Namespace) GetKasKeys() []*KasKey { +func (x *Namespace) GetKasKeys() []*SimpleKasKey { if x != nil { return x.KasKeys } 
@@ -715,7 +841,7 @@ type Attribute struct { // active by default until explicitly deactivated Active *wrapperspb.BoolValue `protobuf:"bytes,8,opt,name=active,proto3" json:"active,omitempty"` // Keys associated with the attribute - KasKeys []*KasKey `protobuf:"bytes,9,rep,name=kas_keys,json=kasKeys,proto3" json:"kas_keys,omitempty"` + KasKeys []*SimpleKasKey `protobuf:"bytes,9,rep,name=kas_keys,json=kasKeys,proto3" json:"kas_keys,omitempty"` // Common metadata Metadata *common.Metadata `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` } @@ -723,7 +849,7 @@ type Attribute struct { func (x *Attribute) Reset() { *x = Attribute{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[2] + mi := &file_policy_objects_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -736,7 +862,7 @@ func (x *Attribute) String() string { func (*Attribute) ProtoMessage() {} func (x *Attribute) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[2] + mi := &file_policy_objects_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -749,7 +875,7 @@ func (x *Attribute) ProtoReflect() protoreflect.Message { // Deprecated: Use Attribute.ProtoReflect.Descriptor instead. func (*Attribute) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{2} + return file_policy_objects_proto_rawDescGZIP(), []int{4} } func (x *Attribute) GetId() string { @@ -808,7 +934,7 @@ func (x *Attribute) GetActive() *wrapperspb.BoolValue { return nil } -func (x *Attribute) GetKasKeys() []*KasKey { +func (x *Attribute) GetKasKeys() []*SimpleKasKey { if x != nil { return x.KasKeys } 
@@ -839,7 +965,7 @@ type Value struct { Active *wrapperspb.BoolValue `protobuf:"bytes,7,opt,name=active,proto3" json:"active,omitempty"` // subject mapping SubjectMappings []*SubjectMapping `protobuf:"bytes,8,rep,name=subject_mappings,json=subjectMappings,proto3" json:"subject_mappings,omitempty"` - KasKeys []*KasKey `protobuf:"bytes,9,rep,name=kas_keys,json=kasKeys,proto3" json:"kas_keys,omitempty"` + KasKeys []*SimpleKasKey `protobuf:"bytes,9,rep,name=kas_keys,json=kasKeys,proto3" json:"kas_keys,omitempty"` ResourceMappings []*ResourceMapping `protobuf:"bytes,10,rep,name=resource_mappings,json=resourceMappings,proto3" json:"resource_mappings,omitempty"` // Common metadata Metadata *common.Metadata `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"` @@ -848,7 +974,7 @@ type Value struct { func (x *Value) Reset() { *x = Value{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[3] + mi := &file_policy_objects_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -861,7 +987,7 @@ func (x *Value) String() string { func (*Value) ProtoMessage() {} func (x *Value) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[3] + mi := &file_policy_objects_proto_msgTypes[5] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -874,7 +1000,7 @@ func (x *Value) ProtoReflect() protoreflect.Message { // Deprecated: Use Value.ProtoReflect.Descriptor instead. func (*Value) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{3} + return file_policy_objects_proto_rawDescGZIP(), []int{5} } func (x *Value) GetId() string { @@ -926,7 +1052,7 @@ func (x *Value) GetSubjectMappings() []*SubjectMapping { return nil } -func (x *Value) GetKasKeys() []*KasKey { +func (x *Value) GetKasKeys() []*SimpleKasKey { if x != nil { return x.KasKeys } 
@@ -969,7 +1095,7 @@ type Action struct { func (x *Action) Reset() { *x = Action{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[4] + mi := &file_policy_objects_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -982,7 +1108,7 @@ func (x *Action) String() string { func (*Action) ProtoMessage() {} func (x *Action) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[4] + mi := &file_policy_objects_proto_msgTypes[6] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -995,7 +1121,7 @@ func (x *Action) ProtoReflect() protoreflect.Message { // Deprecated: Use Action.ProtoReflect.Descriptor instead. func (*Action) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{4} + return file_policy_objects_proto_rawDescGZIP(), []int{6} } func (x *Action) GetId() string { @@ -1078,7 +1204,7 @@ type SubjectMapping struct { func (x *SubjectMapping) Reset() { *x = SubjectMapping{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[5] + mi := &file_policy_objects_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1091,7 +1217,7 @@ func (x *SubjectMapping) String() string { func (*SubjectMapping) ProtoMessage() {} func (x *SubjectMapping) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[5] + mi := &file_policy_objects_proto_msgTypes[7] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -1104,7 +1230,7 @@ func (x *SubjectMapping) ProtoReflect() protoreflect.Message { // Deprecated: Use SubjectMapping.ProtoReflect.Descriptor instead. func (*SubjectMapping) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{5} + return file_policy_objects_proto_rawDescGZIP(), []int{7} } func (x *SubjectMapping) GetId() string { @@ -1164,7 +1290,7 @@ type Condition struct { func (x *Condition) Reset() { *x = Condition{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[6] + mi := &file_policy_objects_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1177,7 +1303,7 @@ func (x *Condition) String() string { func (*Condition) ProtoMessage() {} func (x *Condition) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[6] + mi := &file_policy_objects_proto_msgTypes[8] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1190,7 +1316,7 @@ func (x *Condition) ProtoReflect() protoreflect.Message { // Deprecated: Use Condition.ProtoReflect.Descriptor instead. func (*Condition) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{6} + return file_policy_objects_proto_rawDescGZIP(), []int{8} } func (x *Condition) GetSubjectExternalSelectorValue() string { @@ -1228,7 +1354,7 @@ type ConditionGroup struct { func (x *ConditionGroup) Reset() { *x = ConditionGroup{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[7] + mi := &file_policy_objects_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -1241,7 +1367,7 @@ func (x *ConditionGroup) String() string { func (*ConditionGroup) ProtoMessage() {} func (x *ConditionGroup) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[7] + mi := &file_policy_objects_proto_msgTypes[9] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1254,7 +1380,7 @@ func (x *ConditionGroup) ProtoReflect() protoreflect.Message { // Deprecated: Use ConditionGroup.ProtoReflect.Descriptor instead. func (*ConditionGroup) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{7} + return file_policy_objects_proto_rawDescGZIP(), []int{9} } func (x *ConditionGroup) GetConditions() []*Condition { @@ -1284,7 +1410,7 @@ type SubjectSet struct { func (x *SubjectSet) Reset() { *x = SubjectSet{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[8] + mi := &file_policy_objects_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1297,7 +1423,7 @@ func (x *SubjectSet) String() string { func (*SubjectSet) ProtoMessage() {} func (x *SubjectSet) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[8] + mi := &file_policy_objects_proto_msgTypes[10] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1310,7 +1436,7 @@ func (x *SubjectSet) ProtoReflect() protoreflect.Message { // Deprecated: Use SubjectSet.ProtoReflect.Descriptor instead. func (*SubjectSet) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{8} + return file_policy_objects_proto_rawDescGZIP(), []int{10} } func (x *SubjectSet) GetConditionGroups() []*ConditionGroup { 
@@ -1338,7 +1464,7 @@ type SubjectConditionSet struct { func (x *SubjectConditionSet) Reset() { *x = SubjectConditionSet{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[9] + mi := &file_policy_objects_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1351,7 +1477,7 @@ func (x *SubjectConditionSet) String() string { func (*SubjectConditionSet) ProtoMessage() {} func (x *SubjectConditionSet) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[9] + mi := &file_policy_objects_proto_msgTypes[11] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1364,7 +1490,7 @@ func (x *SubjectConditionSet) ProtoReflect() protoreflect.Message { // Deprecated: Use SubjectConditionSet.ProtoReflect.Descriptor instead. func (*SubjectConditionSet) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{9} + return file_policy_objects_proto_rawDescGZIP(), []int{11} } func (x *SubjectConditionSet) GetId() string { @@ -1410,7 +1536,7 @@ type SubjectProperty struct { func (x *SubjectProperty) Reset() { *x = SubjectProperty{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[10] + mi := &file_policy_objects_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1423,7 +1549,7 @@ func (x *SubjectProperty) String() string { func (*SubjectProperty) ProtoMessage() {} func (x *SubjectProperty) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[10] + mi := &file_policy_objects_proto_msgTypes[12] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -1436,7 +1562,7 @@ func (x *SubjectProperty) ProtoReflect() protoreflect.Message { // Deprecated: Use SubjectProperty.ProtoReflect.Descriptor instead. func (*SubjectProperty) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{10} + return file_policy_objects_proto_rawDescGZIP(), []int{12} } func (x *SubjectProperty) GetExternalSelectorValue() string { @@ -1473,7 +1599,7 @@ type ResourceMappingGroup struct { func (x *ResourceMappingGroup) Reset() { *x = ResourceMappingGroup{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[11] + mi := &file_policy_objects_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1486,7 +1612,7 @@ func (x *ResourceMappingGroup) String() string { func (*ResourceMappingGroup) ProtoMessage() {} func (x *ResourceMappingGroup) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[11] + mi := &file_policy_objects_proto_msgTypes[13] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1499,7 +1625,7 @@ func (x *ResourceMappingGroup) ProtoReflect() protoreflect.Message { // Deprecated: Use ResourceMappingGroup.ProtoReflect.Descriptor instead. func (*ResourceMappingGroup) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{11} + return file_policy_objects_proto_rawDescGZIP(), []int{13} } func (x *ResourceMappingGroup) GetId() string { @@ -1547,7 +1673,7 @@ type ResourceMapping struct { func (x *ResourceMapping) Reset() { *x = ResourceMapping{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[12] + mi := &file_policy_objects_proto_msgTypes[14] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -1560,7 +1686,7 @@ func (x *ResourceMapping) String() string { func (*ResourceMapping) ProtoMessage() {} func (x *ResourceMapping) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[12] + mi := &file_policy_objects_proto_msgTypes[14] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1573,7 +1699,7 @@ func (x *ResourceMapping) ProtoReflect() protoreflect.Message { // Deprecated: Use ResourceMapping.ProtoReflect.Descriptor instead. func (*ResourceMapping) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{12} + return file_policy_objects_proto_rawDescGZIP(), []int{14} } func (x *ResourceMapping) GetId() string { @@ -1625,7 +1751,7 @@ type KeyAccessServer struct { // The source of the KAS: (INTERNAL, EXTERNAL) SourceType SourceType `protobuf:"varint,4,opt,name=source_type,json=sourceType,proto3,enum=policy.SourceType" json:"source_type,omitempty"` // Kas keys associated with this KAS - KasKeys []*KasKey `protobuf:"bytes,5,rep,name=kas_keys,json=kasKeys,proto3" json:"kas_keys,omitempty"` + KasKeys []*SimpleKasKey `protobuf:"bytes,5,rep,name=kas_keys,json=kasKeys,proto3" json:"kas_keys,omitempty"` // Optional // Unique name of the KAS instance Name string `protobuf:"bytes,20,opt,name=name,proto3" json:"name,omitempty"` @@ -1636,7 +1762,7 @@ type KeyAccessServer struct { func (x *KeyAccessServer) Reset() { *x = KeyAccessServer{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[13] + mi := &file_policy_objects_proto_msgTypes[15] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -1649,7 +1775,7 @@ func (x *KeyAccessServer) String() string { func (*KeyAccessServer) ProtoMessage() {} func (x *KeyAccessServer) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[13] + mi := &file_policy_objects_proto_msgTypes[15] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1662,7 +1788,7 @@ func (x *KeyAccessServer) ProtoReflect() protoreflect.Message { // Deprecated: Use KeyAccessServer.ProtoReflect.Descriptor instead. func (*KeyAccessServer) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{13} + return file_policy_objects_proto_rawDescGZIP(), []int{15} } func (x *KeyAccessServer) GetId() string { @@ -1693,7 +1819,7 @@ func (x *KeyAccessServer) GetSourceType() SourceType { return SourceType_SOURCE_TYPE_UNSPECIFIED } -func (x *KeyAccessServer) GetKasKeys() []*KasKey { +func (x *KeyAccessServer) GetKasKeys() []*SimpleKasKey { if x != nil { return x.KasKeys } @@ -1732,7 +1858,7 @@ type Key struct { func (x *Key) Reset() { *x = Key{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[14] + mi := &file_policy_objects_proto_msgTypes[16] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1745,7 +1871,7 @@ func (x *Key) String() string { func (*Key) ProtoMessage() {} func (x *Key) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[14] + mi := &file_policy_objects_proto_msgTypes[16] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -1758,7 +1884,7 @@ func (x *Key) ProtoReflect() protoreflect.Message { // Deprecated: Use Key.ProtoReflect.Descriptor instead. func (*Key) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{14} + return file_policy_objects_proto_rawDescGZIP(), []int{16} } func (x *Key) GetId() string { @@ -1823,7 +1949,7 @@ type KasPublicKey struct { func (x *KasPublicKey) Reset() { *x = KasPublicKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[15] + mi := &file_policy_objects_proto_msgTypes[17] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1836,7 +1962,7 @@ func (x *KasPublicKey) String() string { func (*KasPublicKey) ProtoMessage() {} func (x *KasPublicKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[15] + mi := &file_policy_objects_proto_msgTypes[17] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1849,7 +1975,7 @@ func (x *KasPublicKey) ProtoReflect() protoreflect.Message { // Deprecated: Use KasPublicKey.ProtoReflect.Descriptor instead. func (*KasPublicKey) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{15} + return file_policy_objects_proto_rawDescGZIP(), []int{17} } func (x *KasPublicKey) GetPem() string { @@ -1886,7 +2012,7 @@ type KasPublicKeySet struct { func (x *KasPublicKeySet) Reset() { *x = KasPublicKeySet{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[16] + mi := &file_policy_objects_proto_msgTypes[18] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -1899,7 +2025,7 @@ func (x *KasPublicKeySet) String() string { func (*KasPublicKeySet) ProtoMessage() {} func (x *KasPublicKeySet) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[16] + mi := &file_policy_objects_proto_msgTypes[18] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1912,7 +2038,7 @@ func (x *KasPublicKeySet) ProtoReflect() protoreflect.Message { // Deprecated: Use KasPublicKeySet.ProtoReflect.Descriptor instead. func (*KasPublicKeySet) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{16} + return file_policy_objects_proto_rawDescGZIP(), []int{18} } func (x *KasPublicKeySet) GetKeys() []*KasPublicKey { @@ -1938,7 +2064,7 @@ type PublicKey struct { func (x *PublicKey) Reset() { *x = PublicKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[17] + mi := &file_policy_objects_proto_msgTypes[19] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1951,7 +2077,7 @@ func (x *PublicKey) String() string { func (*PublicKey) ProtoMessage() {} func (x *PublicKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[17] + mi := &file_policy_objects_proto_msgTypes[19] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1964,7 +2090,7 @@ func (x *PublicKey) ProtoReflect() protoreflect.Message { // Deprecated: Use PublicKey.ProtoReflect.Descriptor instead. func (*PublicKey) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{17} + return file_policy_objects_proto_rawDescGZIP(), []int{19} } func (m *PublicKey) GetPublicKey() isPublicKey_PublicKey { 
@@ -2021,7 +2147,7 @@ type RegisteredResource struct { func (x *RegisteredResource) Reset() { *x = RegisteredResource{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[18] + mi := &file_policy_objects_proto_msgTypes[20] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2034,7 +2160,7 @@ func (x *RegisteredResource) String() string { func (*RegisteredResource) ProtoMessage() {} func (x *RegisteredResource) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[18] + mi := &file_policy_objects_proto_msgTypes[20] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2047,7 +2173,7 @@ func (x *RegisteredResource) ProtoReflect() protoreflect.Message { // Deprecated: Use RegisteredResource.ProtoReflect.Descriptor instead. func (*RegisteredResource) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{18} + return file_policy_objects_proto_rawDescGZIP(), []int{20} } func (x *RegisteredResource) GetId() string { @@ -2094,7 +2220,7 @@ type RegisteredResourceValue struct { func (x *RegisteredResourceValue) Reset() { *x = RegisteredResourceValue{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[19] + mi := &file_policy_objects_proto_msgTypes[21] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2107,7 +2233,7 @@ func (x *RegisteredResourceValue) String() string { func (*RegisteredResourceValue) ProtoMessage() {} func (x *RegisteredResourceValue) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[19] + mi := &file_policy_objects_proto_msgTypes[21] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -2120,7 +2246,7 @@ func (x *RegisteredResourceValue) ProtoReflect() protoreflect.Message { // Deprecated: Use RegisteredResourceValue.ProtoReflect.Descriptor instead. func (*RegisteredResourceValue) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{19} + return file_policy_objects_proto_rawDescGZIP(), []int{21} } func (x *RegisteredResourceValue) GetId() string { @@ -2171,7 +2297,7 @@ type KasKey struct { func (x *KasKey) Reset() { *x = KasKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[20] + mi := &file_policy_objects_proto_msgTypes[22] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2184,7 +2310,7 @@ func (x *KasKey) String() string { func (*KasKey) ProtoMessage() {} func (x *KasKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[20] + mi := &file_policy_objects_proto_msgTypes[22] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2197,7 +2323,7 @@ func (x *KasKey) ProtoReflect() protoreflect.Message { // Deprecated: Use KasKey.ProtoReflect.Descriptor instead. func (*KasKey) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{20} + return file_policy_objects_proto_rawDescGZIP(), []int{22} } func (x *KasKey) GetKasId() string { @@ -2233,7 +2359,7 @@ type PublicKeyCtx struct { func (x *PublicKeyCtx) Reset() { *x = PublicKeyCtx{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[21] + mi := &file_policy_objects_proto_msgTypes[23] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -2246,7 +2372,7 @@ func (x *PublicKeyCtx) String() string { func (*PublicKeyCtx) ProtoMessage() {} func (x *PublicKeyCtx) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[21] + mi := &file_policy_objects_proto_msgTypes[23] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2259,7 +2385,7 @@ func (x *PublicKeyCtx) ProtoReflect() protoreflect.Message { // Deprecated: Use PublicKeyCtx.ProtoReflect.Descriptor instead. func (*PublicKeyCtx) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{21} + return file_policy_objects_proto_rawDescGZIP(), []int{23} } func (x *PublicKeyCtx) GetPem() string { @@ -2283,7 +2409,7 @@ type PrivateKeyCtx struct { func (x *PrivateKeyCtx) Reset() { *x = PrivateKeyCtx{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[22] + mi := &file_policy_objects_proto_msgTypes[24] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2296,7 +2422,7 @@ func (x *PrivateKeyCtx) String() string { func (*PrivateKeyCtx) ProtoMessage() {} func (x *PrivateKeyCtx) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[22] + mi := &file_policy_objects_proto_msgTypes[24] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2309,7 +2435,7 @@ func (x *PrivateKeyCtx) ProtoReflect() protoreflect.Message { // Deprecated: Use PrivateKeyCtx.ProtoReflect.Descriptor instead. func (*PrivateKeyCtx) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{22} + return file_policy_objects_proto_rawDescGZIP(), []int{24} } func (x *PrivateKeyCtx) GetKeyId() string { 
@@ -2354,7 +2480,7 @@ type AsymmetricKey struct { func (x *AsymmetricKey) Reset() { *x = AsymmetricKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[23] + mi := &file_policy_objects_proto_msgTypes[25] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2367,7 +2493,7 @@ func (x *AsymmetricKey) String() string { func (*AsymmetricKey) ProtoMessage() {} func (x *AsymmetricKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[23] + mi := &file_policy_objects_proto_msgTypes[25] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2380,7 +2506,7 @@ func (x *AsymmetricKey) ProtoReflect() protoreflect.Message { // Deprecated: Use AsymmetricKey.ProtoReflect.Descriptor instead. func (*AsymmetricKey) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{23} + return file_policy_objects_proto_rawDescGZIP(), []int{25} } func (x *AsymmetricKey) GetId() string { @@ -2464,7 +2590,7 @@ type SymmetricKey struct { func (x *SymmetricKey) Reset() { *x = SymmetricKey{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[24] + mi := &file_policy_objects_proto_msgTypes[26] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2477,7 +2603,7 @@ func (x *SymmetricKey) String() string { func (*SymmetricKey) ProtoMessage() {} func (x *SymmetricKey) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[24] + mi := &file_policy_objects_proto_msgTypes[26] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -2490,7 +2616,7 @@ func (x *SymmetricKey) ProtoReflect() protoreflect.Message { // Deprecated: Use SymmetricKey.ProtoReflect.Descriptor instead. func (*SymmetricKey) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{24} + return file_policy_objects_proto_rawDescGZIP(), []int{26} } func (x *SymmetricKey) GetId() string { @@ -2557,7 +2683,7 @@ type RegisteredResourceValue_ActionAttributeValue struct { func (x *RegisteredResourceValue_ActionAttributeValue) Reset() { *x = RegisteredResourceValue_ActionAttributeValue{} if protoimpl.UnsafeEnabled { - mi := &file_policy_objects_proto_msgTypes[25] + mi := &file_policy_objects_proto_msgTypes[27] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -2570,7 +2696,7 @@ func (x *RegisteredResourceValue_ActionAttributeValue) String() string { func (*RegisteredResourceValue_ActionAttributeValue) ProtoMessage() {} func (x *RegisteredResourceValue_ActionAttributeValue) ProtoReflect() protoreflect.Message { - mi := &file_policy_objects_proto_msgTypes[25] + mi := &file_policy_objects_proto_msgTypes[27] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -2583,7 +2709,7 @@ func (x *RegisteredResourceValue_ActionAttributeValue) ProtoReflect() protorefle // Deprecated: Use RegisteredResourceValue_ActionAttributeValue.ProtoReflect.Descriptor instead. func (*RegisteredResourceValue_ActionAttributeValue) Descriptor() ([]byte, []int) { - return file_policy_objects_proto_rawDescGZIP(), []int{19, 0} + return file_policy_objects_proto_rawDescGZIP(), []int{21, 0} } func (x *RegisteredResourceValue_ActionAttributeValue) GetId() string { 
@@ -2624,481 +2750,497 @@ var file_policy_objects_proto_rawDesc = []byte{ 0x6d, 0x6f, 0x6e, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x22, 0x86, 0x01, 0x0a, 0x11, 0x4b, 0x65, 0x79, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, - 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x6f, - 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x6a, 0x73, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, - 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x4a, 0x73, 0x6f, 0x6e, 0x12, 0x2c, 0x0a, 0x08, 0x6d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, - 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xff, 0x01, 0x0a, 0x09, 0x4e, 0x61, - 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x66, - 0x71, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x32, 0x0a, - 0x06, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x76, - 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 
0x74, 0x61, 0x18, 0x05, 0x20, + 0x22, 0x69, 0x0a, 0x12, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x2f, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, + 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x52, 0x09, 0x61, 0x6c, + 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x70, 0x65, 0x6d, + 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x70, 0x65, 0x6d, 0x22, 0x79, 0x0a, 0x0c, 0x53, + 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x6b, + 0x61, 0x73, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x61, + 0x73, 0x55, 0x72, 0x69, 0x12, 0x39, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, + 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, + 0x15, 0x0a, 0x06, 0x6b, 0x61, 0x73, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x05, 0x6b, 0x61, 0x73, 0x49, 0x64, 0x22, 0x86, 0x01, 0x0a, 0x11, 0x4b, 0x65, 0x79, 0x50, 0x72, + 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x0e, 0x0a, 0x02, + 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, + 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, + 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x6a, 0x73, 0x6f, 0x6e, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x4a, 0x73, 0x6f, + 0x6e, 
0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, - 0x2f, 0x0a, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, - 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, - 0x12, 0x29, 0x0a, 0x08, 0x6b, 0x61, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x07, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x4b, - 0x65, 0x79, 0x52, 0x07, 0x6b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x22, 0x97, 0x03, 0x0a, 0x09, - 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, - 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, - 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, - 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x3e, - 0x0a, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1d, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, - 0x75, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, - 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x12, 0x25, - 0x0a, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0d, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 
0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, 0x2f, 0x0a, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x18, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, + 0x85, 0x02, 0x0a, 0x09, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x0e, 0x0a, + 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, + 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, + 0x65, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, + 0x66, 0x71, 0x6e, 0x12, 0x32, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, + 0x06, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2f, 0x0a, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x06, - 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x07, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x32, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, - 0x76, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x12, 0x29, 0x0a, 
0x08, - 0x6b, 0x61, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, - 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x07, - 0x6b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x2f, 0x0a, 0x08, 0x6b, 0x61, 0x73, 0x5f, 0x6b, 0x65, + 0x79, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x07, + 0x6b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x22, 0x9d, 0x03, 0x0a, 0x09, 0x41, 0x74, 0x74, 0x72, + 0x69, 0x62, 0x75, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2f, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, + 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x3e, 0x0a, 0x04, 0x72, 0x75, + 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x75, 0x6c, 0x65, 0x54, + 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, 0x82, + 0x01, 0x02, 0x10, 0x01, 0x52, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x12, 0x25, 0x0a, 0x06, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x73, 0x12, 0x2f, 0x0a, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x17, 0x2e, 0x70, 
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, + 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x06, 0x67, 0x72, 0x61, 0x6e, + 0x74, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x03, 0x66, 0x71, 0x6e, 0x12, 0x32, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x18, 0x08, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x12, 0x2f, 0x0a, 0x08, 0x6b, 0x61, 0x73, 0x5f, + 0x6b, 0x65, 0x79, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, + 0x52, 0x07, 0x6b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, + 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xcc, 0x03, 0x0a, 0x05, 0x56, 0x61, 0x6c, 0x75, + 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, + 0x64, 0x12, 0x2f, 0x0a, 0x09, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x74, + 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x09, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, + 0x74, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x2f, 0x0a, 0x06, 0x67, 0x72, 0x61, 0x6e, + 0x74, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 
0x53, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x52, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, + 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x32, 0x0a, 0x06, 0x61, + 0x63, 0x74, 0x69, 0x76, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, + 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, + 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x12, + 0x41, 0x0a, 0x10, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x52, 0x0f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x73, 0x12, 0x2f, 0x0a, 0x08, 0x6b, 0x61, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x09, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x69, + 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x52, 0x07, 0x6b, 0x61, 0x73, 0x4b, + 0x65, 0x79, 0x73, 0x12, 0x44, 0x0a, 0x11, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, + 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x10, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, + 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, + 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x52, 0x07, 0x6d, + 0x65, 
0x6d, 0x62, 0x65, 0x72, 0x73, 0x22, 0xa8, 0x02, 0x0a, 0x06, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, + 0x64, 0x12, 0x3b, 0x0a, 0x08, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0e, 0x32, 0x1d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x41, 0x63, 0x74, 0x69, + 0x6f, 0x6e, 0x48, 0x00, 0x52, 0x08, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x12, 0x18, + 0x0a, 0x06, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, + 0x52, 0x06, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2c, 0x0a, 0x08, + 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, + 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x6c, 0x0a, 0x0e, 0x53, 0x74, + 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, 0x1b, + 0x53, 0x54, 0x41, 0x4e, 0x44, 0x41, 0x52, 0x44, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, + 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1b, 0x0a, + 0x17, 0x53, 0x54, 0x41, 0x4e, 0x44, 0x41, 0x52, 0x44, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, + 0x5f, 0x44, 0x45, 0x43, 0x52, 0x59, 0x50, 0x54, 0x10, 0x01, 0x12, 0x1c, 0x0a, 0x18, 0x53, 0x54, + 0x41, 0x4e, 0x44, 0x41, 0x52, 0x44, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x52, + 0x41, 0x4e, 0x53, 0x4d, 0x49, 0x54, 0x10, 0x02, 0x42, 0x07, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x22, 0x81, 0x02, 0x0a, 0x0e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x12, 0x0e, 0x0a, 
0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x02, 0x69, 0x64, 0x12, 0x36, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, + 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, 0x61, 0x74, + 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x4f, 0x0a, 0x15, + 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x13, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x28, 0x0a, + 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, + 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, + 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xc6, 0x03, 0x0a, 0x05, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, - 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, - 0x2f, 0x0a, 0x09, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x74, 0x74, 0x72, - 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x09, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, - 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 
0x09, 0x52, - 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x2f, 0x0a, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, - 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, - 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x66, 0x71, 0x6e, 0x18, 0x06, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x66, 0x71, 0x6e, 0x12, 0x32, 0x0a, 0x06, 0x61, 0x63, 0x74, - 0x69, 0x76, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, - 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x12, 0x41, 0x0a, - 0x10, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, - 0x0f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, - 0x12, 0x29, 0x0a, 0x08, 0x6b, 0x61, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x09, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x4b, - 0x65, 0x79, 0x52, 0x07, 0x6b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x44, 0x0a, 0x11, 0x72, - 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, - 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, - 0x10, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, - 0x01, 0x28, 0x0b, 0x32, 
0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4a, - 0x04, 0x08, 0x04, 0x10, 0x05, 0x52, 0x07, 0x6d, 0x65, 0x6d, 0x62, 0x65, 0x72, 0x73, 0x22, 0xa8, - 0x02, 0x0a, 0x06, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x3b, 0x0a, 0x08, 0x73, 0x74, 0x61, - 0x6e, 0x64, 0x61, 0x72, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1d, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x6e, - 0x64, 0x61, 0x72, 0x64, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x48, 0x00, 0x52, 0x08, 0x73, 0x74, - 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x12, 0x18, 0x0a, 0x06, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x06, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, - 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, - 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, - 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x22, 0x6c, 0x0a, 0x0e, 0x53, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x41, 0x63, - 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, 0x1b, 0x53, 0x54, 0x41, 0x4e, 0x44, 0x41, 0x52, 0x44, - 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, - 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1b, 0x0a, 0x17, 0x53, 0x54, 0x41, 0x4e, 0x44, 0x41, 0x52, - 0x44, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x44, 0x45, 0x43, 0x52, 0x59, 0x50, 0x54, - 0x10, 0x01, 0x12, 0x1c, 0x0a, 0x18, 0x53, 0x54, 0x41, 0x4e, 0x44, 0x41, 0x52, 0x44, 0x5f, 0x41, - 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x52, 0x41, 0x4e, 
0x53, 0x4d, 0x49, 0x54, 0x10, 0x02, - 0x42, 0x07, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x81, 0x02, 0x0a, 0x0e, 0x53, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x0e, 0x0a, 0x02, - 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x36, 0x0a, 0x0f, - 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x12, 0x4f, 0x0a, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, - 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, - 0x52, 0x13, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x28, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, - 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xe9, 0x01, 0x0a, 0x09, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x12, 0x4d, 0x0a, 0x1f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, + 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, + 0x03, 0xc8, 0x01, 0x01, 0x52, 0x1c, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, 0x74, + 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x56, 0x61, 0x6c, + 
0x75, 0x65, 0x12, 0x4b, 0x0a, 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, + 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, + 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, + 0x40, 0x0a, 0x17, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, + 0x6e, 0x61, 0x6c, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, + 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x15, 0x73, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x73, 0x22, 0xa7, 0x01, 0x0a, 0x0e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, + 0x72, 0x6f, 0x75, 0x70, 0x12, 0x3b, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, + 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x08, 0xba, 0x48, 0x05, + 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x12, 0x58, 0x0a, 0x10, 0x62, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x5f, 0x6f, 0x70, 0x65, + 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x6f, + 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, + 0x48, 0x08, 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x0f, 0x62, 0x6f, 0x6f, 0x6c, + 0x65, 0x61, 0x6e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x22, 0x59, 0x0a, 0x0a, 0x53, + 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 
0x53, 0x65, 0x74, 0x12, 0x4b, 0x0a, 0x10, 0x63, 0x6f, 0x6e, + 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, + 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x42, 0x08, 0xba, 0x48, 0x05, + 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x22, 0x94, 0x01, 0x0a, 0x13, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x0e, + 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x3f, + 0x0a, 0x0c, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x73, 0x65, 0x74, 0x73, 0x18, 0x03, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, + 0x08, 0x01, 0x52, 0x0b, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xe9, 0x01, - 0x0a, 0x09, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x4d, 0x0a, 0x1f, 0x73, - 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, - 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x1c, 0x73, 0x75, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x6c, - 0x65, 0x63, 0x74, 0x6f, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x4b, 0x0a, 
0x08, 0x6f, 0x70, - 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, - 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x08, 0x6f, - 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x40, 0x0a, 0x17, 0x73, 0x75, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, - 0x08, 0x01, 0x52, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, 0x74, 0x65, 0x72, - 0x6e, 0x61, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x22, 0xa7, 0x01, 0x0a, 0x0e, 0x43, 0x6f, - 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x3b, 0x0a, 0x0a, - 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0a, 0x63, - 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x58, 0x0a, 0x10, 0x62, 0x6f, 0x6f, - 0x6c, 0x65, 0x61, 0x6e, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, - 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x54, 0x79, 0x70, - 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01, 0x82, 0x01, 0x02, - 0x10, 0x01, 0x52, 0x0f, 0x62, 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x4f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x6f, 0x72, 0x22, 0x59, 0x0a, 0x0a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x53, 0x65, - 0x74, 0x12, 0x4b, 
0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x67, - 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, - 0x6f, 0x75, 0x70, 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0f, 0x63, - 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x22, 0x94, - 0x01, 0x0a, 0x13, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x3f, 0x0a, 0x0c, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x5f, 0x73, 0x65, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, - 0x42, 0x08, 0xba, 0x48, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0b, 0x73, 0x75, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, - 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x7c, 0x0a, 0x0f, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x50, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x12, 0x42, 0x0a, 0x17, 0x65, 0x78, 0x74, 0x65, - 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0xc8, 0x01, - 0x01, 0x72, 0x02, 0x10, 0x01, 0x52, 0x15, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, - 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x25, 0x0a, 0x0e, - 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 
0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x22, 0x9b, 0x01, 0x0a, 0x14, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, - 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x0e, 0x0a, 0x02, - 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x29, 0x0a, 0x0c, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, - 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x04, 0x6e, - 0x61, 0x6d, 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, - 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x22, 0xd9, 0x01, 0x0a, 0x0f, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x12, 0x3e, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, - 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x42, 0x06, 0xba, 0x48, 0x03, - 0xc8, 0x01, 0x01, 0x52, 0x0e, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 
0x61, - 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x18, 0x04, 0x20, 0x03, - 0x28, 0x09, 0x52, 0x05, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x12, 0x32, 0x0a, 0x05, 0x67, 0x72, 0x6f, - 0x75, 0x70, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x52, 0x05, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x22, 0xff, 0x04, - 0x0a, 0x0f, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, - 0x64, 0x12, 0x87, 0x03, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, - 0xf4, 0x02, 0xba, 0x48, 0xf0, 0x02, 0xba, 0x01, 0xec, 0x02, 0x0a, 0x0a, 0x75, 0x72, 0x69, 0x5f, - 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0xcf, 0x01, 0x55, 0x52, 0x49, 0x20, 0x6d, 0x75, 0x73, - 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x52, 0x4c, - 0x20, 0x28, 0x65, 0x2e, 0x67, 0x2e, 0x2c, 0x20, 0x27, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, - 0x2f, 0x64, 0x65, 0x6d, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x27, 0x29, 0x20, 0x66, 0x6f, 0x6c, - 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x61, 0x6c, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x20, 0x45, 0x61, - 0x63, 0x68, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, - 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x65, 0x6e, 0x64, 0x20, 0x77, 0x69, - 0x74, 0x68, 0x20, 0x61, 0x6e, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, - 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x2c, 0x20, 0x63, 0x61, - 0x6e, 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x68, 0x79, 0x70, 0x68, 0x65, 0x6e, - 0x73, 0x2c, 0x20, 0x61, 0x6c, 
0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, - 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x73, 0x2c, 0x20, 0x61, 0x6e, 0x64, 0x20, - 0x73, 0x6c, 0x61, 0x73, 0x68, 0x65, 0x73, 0x2e, 0x1a, 0x8b, 0x01, 0x74, 0x68, 0x69, 0x73, 0x2e, - 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3f, - 0x3a, 0x2f, 0x2f, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, - 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, - 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, - 0x28, 0x5c, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, - 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, - 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, - 0x3f, 0x29, 0x2a, 0x28, 0x3a, 0x5b, 0x30, 0x2d, 0x39, 0x5d, 0x2b, 0x29, 0x3f, 0x28, 0x2f, 0x2e, - 0x2a, 0x29, 0x3f, 0x24, 0x27, 0x29, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x30, 0x0a, 0x0a, 0x70, - 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, - 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x33, 0x0a, - 0x0b, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, - 0x28, 0x0e, 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x0a, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, - 0x70, 0x65, 0x12, 0x29, 0x0a, 0x08, 0x6b, 0x61, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x05, - 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, - 0x73, 0x4b, 0x65, 0x79, 0x52, 0x07, 0x6b, 0x61, 0x73, 0x4b, 0x65, 
0x79, 0x73, 0x12, 0x12, 0x0a, - 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, - 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, - 0x97, 0x02, 0x0a, 0x03, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x37, 0x0a, 0x09, 0x69, 0x73, 0x5f, 0x61, 0x63, - 0x74, 0x69, 0x76, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, - 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x08, 0x69, 0x73, 0x41, 0x63, 0x74, 0x69, 0x76, 0x65, - 0x12, 0x39, 0x0a, 0x0a, 0x77, 0x61, 0x73, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x52, 0x09, 0x77, 0x61, 0x73, 0x4d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x12, 0x33, 0x0a, 0x0a, 0x70, - 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x12, 0x29, 0x0a, 0x03, 0x6b, 0x61, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x03, 0x6b, 0x61, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, + 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x7c, 0x0a, + 0x0f, 
0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x50, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, + 0x12, 0x42, 0x0a, 0x17, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, + 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0xc8, 0x01, 0x01, 0x72, 0x02, 0x10, 0x01, 0x52, 0x15, 0x65, + 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, + 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x65, 0x78, + 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x9b, 0x01, 0x0a, 0x14, + 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, + 0x72, 0x6f, 0x75, 0x70, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x02, 0x69, 0x64, 0x12, 0x29, 0x0a, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, + 0x65, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, + 0x01, 0x01, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, + 0x1a, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06, 0xba, + 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x84, 0x01, 0x0a, 0x0c, 0x4b, 0x61, - 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1c, 0x0a, 0x03, 0x70, 0x65, - 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, - 0x18, 0x80, 0x40, 0x52, 0x03, 0x70, 0x65, 0x6d, 
0x12, 0x1b, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x09, 0xba, 0x48, 0x06, 0x72, 0x04, 0x10, 0x01, 0x18, 0x20, - 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, 0x39, 0x0a, 0x03, 0x61, 0x6c, 0x67, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x0e, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, - 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x42, - 0x0a, 0xba, 0x48, 0x07, 0x82, 0x01, 0x04, 0x10, 0x01, 0x20, 0x00, 0x52, 0x03, 0x61, 0x6c, 0x67, - 0x22, 0x3b, 0x0a, 0x0f, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x53, 0x65, 0x74, 0x12, 0x28, 0x0a, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, - 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, - 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x22, 0xe0, 0x03, - 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x84, 0x03, 0x0a, 0x06, - 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0xe9, 0x02, 0xba, - 0x48, 0xe5, 0x02, 0xba, 0x01, 0xe1, 0x02, 0x0a, 0x0a, 0x75, 0x72, 0x69, 0x5f, 0x66, 0x6f, 0x72, - 0x6d, 0x61, 0x74, 0x12, 0xcf, 0x01, 0x55, 0x52, 0x49, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, - 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x52, 0x4c, 0x20, 0x28, 0x65, - 0x2e, 0x67, 0x2e, 0x2c, 0x20, 0x27, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x64, 0x65, - 0x6d, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x27, 0x29, 0x20, 0x66, 0x6f, 0x6c, 0x6c, 0x6f, 0x77, - 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, - 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x20, 0x45, 0x61, 0x63, 0x68, 0x20, - 0x73, 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x73, 0x74, 0x61, - 0x72, 0x74, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x65, 0x6e, 0x64, 0x20, 0x77, 0x69, 0x74, 
0x68, 0x20, - 0x61, 0x6e, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, - 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x2c, 0x20, 0x63, 0x61, 0x6e, 0x20, 0x63, - 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x68, 0x79, 0x70, 0x68, 0x65, 0x6e, 0x73, 0x2c, 0x20, - 0x61, 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, - 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x73, 0x2c, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x73, 0x6c, 0x61, - 0x73, 0x68, 0x65, 0x73, 0x2e, 0x1a, 0x80, 0x01, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, - 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x5b, - 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, - 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, - 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x28, 0x5c, 0x5c, 0x2e, - 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, - 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, - 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, - 0x2f, 0x2e, 0x2a, 0x29, 0x3f, 0x24, 0x27, 0x29, 0x48, 0x00, 0x52, 0x06, 0x72, 0x65, 0x6d, 0x6f, - 0x74, 0x65, 0x12, 0x31, 0x0a, 0x06, 0x63, 0x61, 0x63, 0x68, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, - 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x48, 0x00, 0x52, 0x06, 0x63, - 0x61, 0x63, 0x68, 0x65, 0x64, 0x42, 0x0c, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, - 0x6b, 0x65, 0x79, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, - 0x22, 0x9f, 0x01, 0x0a, 0x12, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, - 0x65, 0x73, 0x6f, 0x75, 
0x72, 0x63, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x37, 0x0a, 0x06, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xd9, 0x01, 0x0a, 0x0f, 0x52, 0x65, + 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x0e, 0x0a, + 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2c, 0x0a, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x3e, 0x0a, 0x0f, 0x61, + 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x42, 0x06, 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0e, 0x61, 0x74, 0x74, + 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x74, + 0x65, 0x72, 0x6d, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x74, 0x65, 0x72, 0x6d, + 0x73, 0x12, 0x32, 0x0a, 0x05, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x1c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, + 0x63, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x52, 0x05, + 0x67, 0x72, 0x6f, 0x75, 0x70, 0x22, 0x85, 0x05, 0x0a, 0x0f, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 
0x87, 0x03, 0x0a, 0x03, 0x75, 0x72, + 0x69, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0xf4, 0x02, 0xba, 0x48, 0xf0, 0x02, 0xba, 0x01, + 0xec, 0x02, 0x0a, 0x0a, 0x75, 0x72, 0x69, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0xcf, + 0x01, 0x55, 0x52, 0x49, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, + 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x52, 0x4c, 0x20, 0x28, 0x65, 0x2e, 0x67, 0x2e, 0x2c, 0x20, + 0x27, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x64, 0x65, 0x6d, 0x6f, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x27, 0x29, 0x20, 0x66, 0x6f, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x20, 0x62, 0x79, + 0x20, 0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x73, 0x65, 0x67, 0x6d, + 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x20, 0x45, 0x61, 0x63, 0x68, 0x20, 0x73, 0x65, 0x67, 0x6d, 0x65, + 0x6e, 0x74, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x61, 0x6e, + 0x64, 0x20, 0x65, 0x6e, 0x64, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x61, 0x6e, 0x20, 0x61, 0x6c, + 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, + 0x63, 0x74, 0x65, 0x72, 0x2c, 0x20, 0x63, 0x61, 0x6e, 0x20, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, + 0x6e, 0x20, 0x68, 0x79, 0x70, 0x68, 0x65, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, + 0x72, 0x73, 0x2c, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x73, 0x6c, 0x61, 0x73, 0x68, 0x65, 0x73, 0x2e, + 0x1a, 0x8b, 0x01, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, + 0x27, 0x5e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3f, 0x3a, 0x2f, 0x2f, 0x5b, 0x61, 0x2d, 0x7a, 0x41, + 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, + 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, + 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x28, 0x5c, 0x5c, 0x2e, 0x5b, 0x61, 0x2d, 0x7a, + 
0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, + 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, + 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, 0x3a, 0x5b, 0x30, 0x2d, + 0x39, 0x5d, 0x2b, 0x29, 0x3f, 0x28, 0x2f, 0x2e, 0x2a, 0x29, 0x3f, 0x24, 0x27, 0x29, 0x52, 0x03, + 0x75, 0x72, 0x69, 0x12, 0x30, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, + 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x33, 0x0a, 0x0b, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, + 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x12, 0x2e, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x0a, + 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2f, 0x0a, 0x08, 0x6b, 0x61, + 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x4b, 0x61, 0x73, 0x4b, + 0x65, 0x79, 0x52, 0x07, 0x6b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, + 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x97, 0x02, + 0x0a, 0x03, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x37, 0x0a, 0x09, 0x69, 0x73, 0x5f, 0x61, 0x63, 0x74, 0x69, + 0x76, 0x65, 0x18, 0x02, 0x20, 0x01, 
0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, + 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x52, 0x08, 0x69, 0x73, 0x41, 0x63, 0x74, 0x69, 0x76, 0x65, 0x12, 0x39, + 0x0a, 0x0a, 0x77, 0x61, 0x73, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x09, + 0x77, 0x61, 0x73, 0x4d, 0x61, 0x70, 0x70, 0x65, 0x64, 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x29, + 0x0a, 0x03, 0x6b, 0x61, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x52, 0x03, 0x6b, 0x61, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, + 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x84, 0x01, 0x0a, 0x0c, 0x4b, 0x61, 0x73, 0x50, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1c, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x18, 0x80, + 0x40, 0x52, 0x03, 0x70, 0x65, 0x6d, 0x12, 0x1b, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x42, 0x09, 0xba, 0x48, 0x06, 0x72, 0x04, 0x10, 0x01, 0x18, 0x20, 0x52, 0x03, + 0x6b, 0x69, 0x64, 0x12, 0x39, 0x0a, 0x03, 0x61, 0x6c, 0x67, 0x18, 0x03, 
0x20, 0x01, 0x28, 0x0e, + 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0a, 0xba, + 0x48, 0x07, 0x82, 0x01, 0x04, 0x10, 0x01, 0x20, 0x00, 0x52, 0x03, 0x61, 0x6c, 0x67, 0x22, 0x3b, + 0x0a, 0x0f, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x53, 0x65, + 0x74, 0x12, 0x28, 0x0a, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x22, 0xe0, 0x03, 0x0a, 0x09, + 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x84, 0x03, 0x0a, 0x06, 0x72, 0x65, + 0x6d, 0x6f, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0xe9, 0x02, 0xba, 0x48, 0xe5, + 0x02, 0xba, 0x01, 0xe1, 0x02, 0x0a, 0x0a, 0x75, 0x72, 0x69, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, + 0x74, 0x12, 0xcf, 0x01, 0x55, 0x52, 0x49, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, + 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x52, 0x4c, 0x20, 0x28, 0x65, 0x2e, 0x67, + 0x2e, 0x2c, 0x20, 0x27, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x64, 0x65, 0x6d, 0x6f, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x27, 0x29, 0x20, 0x66, 0x6f, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, + 0x20, 0x62, 0x79, 0x20, 0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x73, + 0x65, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x20, 0x45, 0x61, 0x63, 0x68, 0x20, 0x73, 0x65, + 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x73, 0x74, 0x61, 0x72, 0x74, + 0x20, 0x61, 0x6e, 0x64, 0x20, 0x65, 0x6e, 0x64, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x61, 0x6e, + 0x20, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, + 0x61, 0x72, 0x61, 0x63, 0x74, 0x65, 0x72, 0x2c, 0x20, 0x63, 0x61, 0x6e, 0x20, 0x63, 0x6f, 0x6e, + 0x74, 0x61, 
0x69, 0x6e, 0x20, 0x68, 0x79, 0x70, 0x68, 0x65, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x6c, + 0x70, 0x68, 0x61, 0x6e, 0x75, 0x6d, 0x65, 0x72, 0x69, 0x63, 0x20, 0x63, 0x68, 0x61, 0x72, 0x61, + 0x63, 0x74, 0x65, 0x72, 0x73, 0x2c, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x73, 0x6c, 0x61, 0x73, 0x68, + 0x65, 0x73, 0x2e, 0x1a, 0x80, 0x01, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, + 0x65, 0x73, 0x28, 0x27, 0x5e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x5b, 0x61, 0x2d, + 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, + 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, + 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x28, 0x5c, 0x5c, 0x2e, 0x5b, 0x61, + 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x28, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, + 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, + 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, 0x2f, 0x2e, + 0x2a, 0x29, 0x3f, 0x24, 0x27, 0x29, 0x48, 0x00, 0x52, 0x06, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, + 0x12, 0x31, 0x0a, 0x06, 0x63, 0x61, 0x63, 0x68, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x48, 0x00, 0x52, 0x06, 0x63, 0x61, 0x63, + 0x68, 0x65, 0x64, 0x42, 0x0c, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, + 0x79, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x22, 0x9f, + 0x01, 0x0a, 0x12, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 
0x65, 0x12, 0x37, 0x0a, 0x06, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x22, 0xca, 0x03, 0x0a, 0x17, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, + 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x0e, 0x0a, 0x02, + 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x14, 0x0a, 0x05, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x12, 0x36, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x52, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x6c, 0x0a, 0x17, 0x61, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, - 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 
0x2e, - 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x22, 0xca, 0x03, 0x0a, 0x17, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, - 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x0e, - 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x14, - 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x12, 0x36, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x52, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x6c, 0x0a, 0x17, - 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, - 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x34, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x65, - 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x2e, 0x41, - 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x52, 0x15, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x69, - 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, - 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, - 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, - 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x1a, 0xb4, 0x01, 0x0a, 0x14, 0x41, 0x63, 0x74, + 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, 
0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, - 0x64, 0x12, 0x26, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x36, 0x0a, 0x0f, 0x61, 0x74, 0x74, - 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x52, 0x0e, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, - 0x61, 0x0a, 0x06, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x61, 0x73, - 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x61, 0x73, 0x49, 0x64, - 0x12, 0x27, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x73, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, - 0x63, 0x4b, 0x65, 0x79, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x61, 0x73, - 0x5f, 0x75, 0x72, 0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, - 0x72, 0x69, 0x22, 0x29, 0x0a, 0x0c, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, - 0x74, 0x78, 0x12, 0x19, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, - 0x07, 0xba, 0x48, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x70, 0x65, 0x6d, 0x22, 0x50, 0x0a, - 0x0d, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 
0x43, 0x74, 0x78, 0x12, 0x1e, - 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, - 0xba, 0x48, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x1f, - 0x0a, 0x0b, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0a, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x22, - 0xb9, 0x03, 0x0a, 0x0d, 0x41, 0x73, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, 0x65, - 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, - 0x64, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x36, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x5f, - 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, - 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, - 0x68, 0x6d, 0x52, 0x0c, 0x6b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, - 0x12, 0x30, 0x0a, 0x0a, 0x6b, 0x65, 0x79, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x04, - 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, - 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x09, 0x6b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, - 0x75, 0x73, 0x12, 0x2a, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x05, - 0x20, 0x01, 0x28, 0x0e, 0x32, 0x0f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, - 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x3a, - 0x0a, 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, - 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, - 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x52, 0x0c, 0x70, 0x75, - 0x62, 
0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x3d, 0x0a, 0x0f, 0x70, 0x72, - 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, 0x18, 0x07, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x69, - 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x52, 0x0d, 0x70, 0x72, 0x69, 0x76, - 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x42, 0x0a, 0x0f, 0x70, 0x72, 0x6f, - 0x76, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x50, - 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x70, - 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x2c, 0x0a, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x9e, 0x02, 0x0a, 0x0c, - 0x53, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, 0x02, - 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x15, 0x0a, 0x06, - 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x65, - 0x79, 0x49, 0x64, 0x12, 0x30, 0x0a, 0x0a, 0x6b, 0x65, 0x79, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, - 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x4b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x09, 0x6b, 0x65, 0x79, 0x53, - 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x2a, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f, 0x64, - 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x0f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 
0x65, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4d, 0x6f, 0x64, - 0x65, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, 0x18, 0x05, 0x20, 0x01, - 0x28, 0x0c, 0x52, 0x06, 0x6b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x42, 0x0a, 0x0f, 0x70, 0x72, - 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x06, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, - 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, - 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x2c, - 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2a, 0xb3, 0x01, 0x0a, - 0x15, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x75, 0x6c, 0x65, 0x54, 0x79, - 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x28, 0x0a, 0x24, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, - 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, - 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, - 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, - 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4c, 0x4c, - 0x5f, 0x4f, 0x46, 0x10, 0x01, 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, - 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, - 0x4d, 0x5f, 0x41, 0x4e, 0x59, 0x5f, 0x4f, 0x46, 0x10, 0x02, 0x12, 0x26, 0x0a, 0x22, 0x41, 0x54, - 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, - 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x49, 0x45, 0x52, 0x41, 0x52, 
0x43, 0x48, 0x59, - 0x10, 0x03, 0x2a, 0xca, 0x01, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, - 0x6d, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, - 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, - 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, - 0x12, 0x24, 0x0a, 0x20, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, - 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, - 0x4d, 0x5f, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x28, 0x0a, 0x24, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, - 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, - 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, 0x49, 0x4e, 0x10, 0x02, - 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, - 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, - 0x4d, 0x5f, 0x49, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, 0x54, 0x41, 0x49, 0x4e, 0x53, 0x10, 0x03, 0x2a, - 0x90, 0x01, 0x0a, 0x18, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x6f, 0x6f, - 0x6c, 0x65, 0x61, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2b, 0x0a, 0x27, + 0x65, 0x52, 0x15, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, + 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, + 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, + 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x1a, 0xb4, 0x01, 0x0a, 0x14, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x41, 0x74, 
0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, + 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, + 0x26, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, + 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x36, 0x0a, 0x0f, 0x61, 0x74, 0x74, 0x72, 0x69, + 0x62, 0x75, 0x74, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x0d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, + 0x0e, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, + 0x2c, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x61, 0x0a, + 0x06, 0x4b, 0x61, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x61, 0x73, 0x5f, 0x69, + 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x61, 0x73, 0x49, 0x64, 0x12, 0x27, + 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x73, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, + 0x65, 0x79, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x6b, 0x61, 0x73, 0x5f, 0x75, + 0x72, 0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x61, 0x73, 0x55, 0x72, 0x69, + 0x22, 0x29, 0x0a, 0x0c, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, + 0x12, 0x19, 0x0a, 0x03, 0x70, 0x65, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xba, + 0x48, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x03, 0x70, 0x65, 0x6d, 0x22, 0x50, 0x0a, 0x0d, 0x50, + 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 
0x43, 0x74, 0x78, 0x12, 0x1e, 0x0a, 0x06, + 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xba, 0x48, + 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, + 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x0a, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x22, 0xb9, 0x03, + 0x0a, 0x0d, 0x41, 0x73, 0x79, 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, + 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, + 0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x36, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x6c, + 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, + 0x52, 0x0c, 0x6b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x30, + 0x0a, 0x0a, 0x6b, 0x65, 0x79, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x53, + 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x09, 0x6b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x12, 0x2a, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x05, 0x20, 0x01, + 0x28, 0x0e, 0x32, 0x0f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x4d, + 0x6f, 0x64, 0x65, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x3a, 0x0a, 0x0e, + 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, 0x18, 0x06, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x52, 0x0c, 0x70, 0x75, 0x62, 
0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x3d, 0x0a, 0x0f, 0x70, 0x72, 0x69, 0x76, + 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, 0x18, 0x07, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x72, 0x69, 0x76, 0x61, + 0x74, 0x65, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x52, 0x0d, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, + 0x65, 0x4b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x42, 0x0a, 0x0f, 0x70, 0x72, 0x6f, 0x76, 0x69, + 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x19, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x50, 0x72, 0x6f, + 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x70, 0x72, 0x6f, + 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x2c, 0x0a, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, + 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x9e, 0x02, 0x0a, 0x0c, 0x53, 0x79, + 0x6d, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65, + 0x79, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, + 0x64, 0x12, 0x30, 0x0a, 0x0a, 0x6b, 0x65, 0x79, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, + 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x09, 0x6b, 0x65, 0x79, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x12, 0x2a, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, + 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x0f, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, + 0x65, 0x79, 0x4d, 0x6f, 0x64, 
0x65, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, + 0x17, 0x0a, 0x07, 0x6b, 0x65, 0x79, 0x5f, 0x63, 0x74, 0x78, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, + 0x52, 0x06, 0x6b, 0x65, 0x79, 0x43, 0x74, 0x78, 0x12, 0x42, 0x0a, 0x0f, 0x70, 0x72, 0x6f, 0x76, + 0x69, 0x64, 0x65, 0x72, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x19, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x65, 0x79, 0x50, 0x72, + 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x70, 0x72, + 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x2c, 0x0a, 0x08, + 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, + 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2a, 0xb3, 0x01, 0x0a, 0x15, 0x41, + 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x75, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, + 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x28, 0x0a, 0x24, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, + 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, + 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, + 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, + 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4c, 0x4c, 0x5f, 0x4f, + 0x46, 0x10, 0x01, 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, + 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, + 0x41, 0x4e, 0x59, 0x5f, 0x4f, 0x46, 0x10, 0x02, 0x12, 0x26, 0x0a, 0x22, 0x41, 0x54, 0x54, 0x52, + 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, + 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x49, 0x45, 0x52, 0x41, 0x52, 
0x43, 0x48, 0x59, 0x10, 0x03, + 0x2a, 0xca, 0x01, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x12, + 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, + 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, + 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x24, + 0x0a, 0x20, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, + 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, + 0x49, 0x4e, 0x10, 0x01, 0x12, 0x28, 0x0a, 0x24, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, + 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, + 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, 0x49, 0x4e, 0x10, 0x02, 0x12, 0x2d, + 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, + 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, + 0x49, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, 0x54, 0x41, 0x49, 0x4e, 0x53, 0x10, 0x03, 0x2a, 0x90, 0x01, + 0x0a, 0x18, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x6f, 0x6f, 0x6c, 0x65, + 0x61, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2b, 0x0a, 0x27, 0x43, 0x4f, + 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, + 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, + 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x43, 0x4f, 0x4e, 0x44, 0x49, + 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, + 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x44, 0x10, 0x01, 0x12, 0x22, 0x0a, 0x1e, 0x43, 
0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, - 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, - 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x43, 0x4f, 0x4e, - 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, - 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x44, 0x10, 0x01, 0x12, 0x22, - 0x0a, 0x1e, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, - 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4f, 0x52, - 0x10, 0x02, 0x2a, 0x5d, 0x0a, 0x0a, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, - 0x12, 0x1b, 0x0a, 0x17, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, - 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x18, 0x0a, - 0x14, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x4e, 0x54, - 0x45, 0x52, 0x4e, 0x41, 0x4c, 0x10, 0x01, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x4f, 0x55, 0x52, 0x43, - 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x4c, 0x10, - 0x02, 0x2a, 0x88, 0x02, 0x0a, 0x13, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, - 0x65, 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x27, 0x0a, 0x23, 0x4b, 0x41, 0x53, - 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, - 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, - 0x10, 0x00, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, - 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x53, - 0x41, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, - 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 
0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, - 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, 0x28, - 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, - 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, - 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x10, 0x05, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, - 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, - 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, - 0x10, 0x06, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, - 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, - 0x5f, 0x53, 0x45, 0x43, 0x50, 0x35, 0x32, 0x31, 0x52, 0x31, 0x10, 0x07, 0x2a, 0x9b, 0x01, 0x0a, - 0x09, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x19, 0x0a, 0x15, 0x41, 0x4c, - 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, - 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, - 0x48, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x16, 0x0a, - 0x12, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, - 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, - 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x32, 0x35, 0x36, 0x10, 0x03, 0x12, 0x15, 0x0a, 0x11, - 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x33, 0x38, - 0x34, 0x10, 0x04, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, - 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x35, 0x32, 0x31, 0x10, 0x05, 0x2a, 0x56, 0x0a, 0x09, 0x4b, 0x65, - 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x1a, 0x0a, 0x16, 0x4b, 0x45, 
0x59, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, - 0x44, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, - 0x53, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x45, - 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x4f, 0x54, 0x41, 0x54, 0x45, 0x44, - 0x10, 0x02, 0x2a, 0x94, 0x01, 0x0a, 0x07, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x18, - 0x0a, 0x14, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, - 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, 0x5f, - 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x52, 0x4f, 0x4f, 0x54, - 0x5f, 0x4b, 0x45, 0x59, 0x10, 0x01, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, - 0x44, 0x45, 0x5f, 0x50, 0x52, 0x4f, 0x56, 0x49, 0x44, 0x45, 0x52, 0x5f, 0x52, 0x4f, 0x4f, 0x54, - 0x5f, 0x4b, 0x45, 0x59, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, - 0x44, 0x45, 0x5f, 0x52, 0x45, 0x4d, 0x4f, 0x54, 0x45, 0x10, 0x03, 0x12, 0x1c, 0x0a, 0x18, 0x4b, - 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, - 0x45, 0x59, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x04, 0x42, 0x82, 0x01, 0x0a, 0x0a, 0x63, 0x6f, - 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x0c, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, - 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, - 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xa2, 0x02, 0x03, 0x50, 0x58, 0x58, 0xaa, 0x02, - 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xca, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0xe2, 0x02, 0x12, 
0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x62, 0x06, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4f, 0x52, 0x10, 0x02, + 0x2a, 0x5d, 0x0a, 0x0a, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1b, + 0x0a, 0x17, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, + 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x53, + 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x4e, 0x54, 0x45, 0x52, + 0x4e, 0x41, 0x4c, 0x10, 0x01, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, + 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x4c, 0x10, 0x02, 0x2a, + 0x88, 0x02, 0x0a, 0x13, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x27, 0x0a, 0x23, 0x4b, 0x41, 0x53, 0x5f, 0x50, + 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, + 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, + 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, + 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, + 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, + 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, + 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, 0x28, 0x0a, 0x24, + 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, + 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, + 0x35, 0x36, 0x52, 
0x31, 0x10, 0x05, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, + 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, + 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, 0x10, 0x06, + 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, + 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, + 0x45, 0x43, 0x50, 0x35, 0x32, 0x31, 0x52, 0x31, 0x10, 0x07, 0x2a, 0x9b, 0x01, 0x0a, 0x09, 0x41, + 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x19, 0x0a, 0x15, 0x41, 0x4c, 0x47, 0x4f, + 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, + 0x44, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, + 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x41, + 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, + 0x36, 0x10, 0x02, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, + 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x32, 0x35, 0x36, 0x10, 0x03, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, + 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x33, 0x38, 0x34, 0x10, + 0x04, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, + 0x43, 0x5f, 0x50, 0x35, 0x32, 0x31, 0x10, 0x05, 0x2a, 0x56, 0x0a, 0x09, 0x4b, 0x65, 0x79, 0x53, + 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x1a, 0x0a, 0x16, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, + 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, + 0x00, 0x12, 0x15, 0x0a, 0x11, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, + 0x41, 0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x45, 0x59, 0x5f, + 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x4f, 
0x54, 0x41, 0x54, 0x45, 0x44, 0x10, 0x02, + 0x2a, 0x94, 0x01, 0x0a, 0x07, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x18, 0x0a, 0x14, + 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, + 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, + 0x44, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x52, 0x4f, 0x4f, 0x54, 0x5f, 0x4b, + 0x45, 0x59, 0x10, 0x01, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, + 0x5f, 0x50, 0x52, 0x4f, 0x56, 0x49, 0x44, 0x45, 0x52, 0x5f, 0x52, 0x4f, 0x4f, 0x54, 0x5f, 0x4b, + 0x45, 0x59, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, + 0x5f, 0x52, 0x45, 0x4d, 0x4f, 0x54, 0x45, 0x10, 0x03, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, + 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, + 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x04, 0x42, 0x82, 0x01, 0x0a, 0x0a, 0x63, 0x6f, 0x6d, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x0c, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x50, + 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, + 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, + 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xa2, 0x02, 0x03, 0x50, 0x58, 0x58, 0xaa, 0x02, 0x06, 0x50, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xca, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xe2, 0x02, + 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0xea, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -3114,7 +3256,7 @@ func file_policy_objects_proto_rawDescGZIP() []byte { } var file_policy_objects_proto_enumTypes = make([]protoimpl.EnumInfo, 9) -var file_policy_objects_proto_msgTypes = make([]protoimpl.MessageInfo, 26) +var file_policy_objects_proto_msgTypes = make([]protoimpl.MessageInfo, 28) var file_policy_objects_proto_goTypes = []interface{}{ (AttributeRuleTypeEnum)(0), // 0: policy.AttributeRuleTypeEnum (SubjectMappingOperatorEnum)(0), // 1: policy.SubjectMappingOperatorEnum 
@@ -3125,108 +3267,112 @@ var file_policy_objects_proto_goTypes = []interface{}{ (KeyStatus)(0), // 6: policy.KeyStatus (KeyMode)(0), // 7: policy.KeyMode (Action_StandardAction)(0), // 8: policy.Action.StandardAction - (*KeyProviderConfig)(nil), // 9: policy.KeyProviderConfig - (*Namespace)(nil), // 10: policy.Namespace - (*Attribute)(nil), // 11: policy.Attribute - (*Value)(nil), // 12: policy.Value - (*Action)(nil), // 13: policy.Action - (*SubjectMapping)(nil), // 14: policy.SubjectMapping - (*Condition)(nil), // 15: policy.Condition - (*ConditionGroup)(nil), // 16: policy.ConditionGroup - (*SubjectSet)(nil), // 17: policy.SubjectSet - (*SubjectConditionSet)(nil), // 18: policy.SubjectConditionSet - (*SubjectProperty)(nil), // 19: policy.SubjectProperty - (*ResourceMappingGroup)(nil), // 20: policy.ResourceMappingGroup - (*ResourceMapping)(nil), // 21: policy.ResourceMapping - (*KeyAccessServer)(nil), // 22: policy.KeyAccessServer - (*Key)(nil), // 23: policy.Key - (*KasPublicKey)(nil), // 24: policy.KasPublicKey - (*KasPublicKeySet)(nil), // 25: policy.KasPublicKeySet - (*PublicKey)(nil), // 26: policy.PublicKey - (*RegisteredResource)(nil), // 27: policy.RegisteredResource - (*RegisteredResourceValue)(nil), // 28: policy.RegisteredResourceValue - (*KasKey)(nil), // 29: policy.KasKey - (*PublicKeyCtx)(nil), // 30: policy.PublicKeyCtx - (*PrivateKeyCtx)(nil), // 31: policy.PrivateKeyCtx - (*AsymmetricKey)(nil), // 32: policy.AsymmetricKey - (*SymmetricKey)(nil), // 33: policy.SymmetricKey - (*RegisteredResourceValue_ActionAttributeValue)(nil), // 34: policy.RegisteredResourceValue.ActionAttributeValue - (*common.Metadata)(nil), // 35: common.Metadata - (*wrapperspb.BoolValue)(nil), // 36: google.protobuf.BoolValue + (*SimpleKasPublicKey)(nil), // 9: policy.SimpleKasPublicKey + (*SimpleKasKey)(nil), // 10: policy.SimpleKasKey + (*KeyProviderConfig)(nil), // 11: policy.KeyProviderConfig + (*Namespace)(nil), // 12: policy.Namespace + (*Attribute)(nil), // 13: 
policy.Attribute + (*Value)(nil), // 14: policy.Value + (*Action)(nil), // 15: policy.Action + (*SubjectMapping)(nil), // 16: policy.SubjectMapping + (*Condition)(nil), // 17: policy.Condition + (*ConditionGroup)(nil), // 18: policy.ConditionGroup + (*SubjectSet)(nil), // 19: policy.SubjectSet + (*SubjectConditionSet)(nil), // 20: policy.SubjectConditionSet + (*SubjectProperty)(nil), // 21: policy.SubjectProperty + (*ResourceMappingGroup)(nil), // 22: policy.ResourceMappingGroup + (*ResourceMapping)(nil), // 23: policy.ResourceMapping + (*KeyAccessServer)(nil), // 24: policy.KeyAccessServer + (*Key)(nil), // 25: policy.Key + (*KasPublicKey)(nil), // 26: policy.KasPublicKey + (*KasPublicKeySet)(nil), // 27: policy.KasPublicKeySet + (*PublicKey)(nil), // 28: policy.PublicKey + (*RegisteredResource)(nil), // 29: policy.RegisteredResource + (*RegisteredResourceValue)(nil), // 30: policy.RegisteredResourceValue + (*KasKey)(nil), // 31: policy.KasKey + (*PublicKeyCtx)(nil), // 32: policy.PublicKeyCtx + (*PrivateKeyCtx)(nil), // 33: policy.PrivateKeyCtx + (*AsymmetricKey)(nil), // 34: policy.AsymmetricKey + (*SymmetricKey)(nil), // 35: policy.SymmetricKey + (*RegisteredResourceValue_ActionAttributeValue)(nil), // 36: policy.RegisteredResourceValue.ActionAttributeValue + (*common.Metadata)(nil), // 37: common.Metadata + (*wrapperspb.BoolValue)(nil), // 38: google.protobuf.BoolValue } var file_policy_objects_proto_depIdxs = []int32{ - 35, // 0: policy.KeyProviderConfig.metadata:type_name -> common.Metadata - 36, // 1: policy.Namespace.active:type_name -> google.protobuf.BoolValue - 35, // 2: policy.Namespace.metadata:type_name -> common.Metadata - 22, // 3: policy.Namespace.grants:type_name -> policy.KeyAccessServer - 29, // 4: policy.Namespace.kas_keys:type_name -> policy.KasKey - 10, // 5: policy.Attribute.namespace:type_name -> policy.Namespace - 0, // 6: policy.Attribute.rule:type_name -> policy.AttributeRuleTypeEnum - 12, // 7: policy.Attribute.values:type_name -> 
policy.Value - 22, // 8: policy.Attribute.grants:type_name -> policy.KeyAccessServer - 36, // 9: policy.Attribute.active:type_name -> google.protobuf.BoolValue - 29, // 10: policy.Attribute.kas_keys:type_name -> policy.KasKey - 35, // 11: policy.Attribute.metadata:type_name -> common.Metadata - 11, // 12: policy.Value.attribute:type_name -> policy.Attribute - 22, // 13: policy.Value.grants:type_name -> policy.KeyAccessServer - 36, // 14: policy.Value.active:type_name -> google.protobuf.BoolValue - 14, // 15: policy.Value.subject_mappings:type_name -> policy.SubjectMapping - 29, // 16: policy.Value.kas_keys:type_name -> policy.KasKey - 21, // 17: policy.Value.resource_mappings:type_name -> policy.ResourceMapping - 35, // 18: policy.Value.metadata:type_name -> common.Metadata - 8, // 19: policy.Action.standard:type_name -> policy.Action.StandardAction - 35, // 20: policy.Action.metadata:type_name -> common.Metadata - 12, // 21: policy.SubjectMapping.attribute_value:type_name -> policy.Value - 18, // 22: policy.SubjectMapping.subject_condition_set:type_name -> policy.SubjectConditionSet - 13, // 23: policy.SubjectMapping.actions:type_name -> policy.Action - 35, // 24: policy.SubjectMapping.metadata:type_name -> common.Metadata - 1, // 25: policy.Condition.operator:type_name -> policy.SubjectMappingOperatorEnum - 15, // 26: policy.ConditionGroup.conditions:type_name -> policy.Condition - 2, // 27: policy.ConditionGroup.boolean_operator:type_name -> policy.ConditionBooleanTypeEnum - 16, // 28: policy.SubjectSet.condition_groups:type_name -> policy.ConditionGroup - 17, // 29: policy.SubjectConditionSet.subject_sets:type_name -> policy.SubjectSet - 35, // 30: policy.SubjectConditionSet.metadata:type_name -> common.Metadata - 35, // 31: policy.ResourceMappingGroup.metadata:type_name -> common.Metadata - 35, // 32: policy.ResourceMapping.metadata:type_name -> common.Metadata - 12, // 33: policy.ResourceMapping.attribute_value:type_name -> policy.Value - 20, // 34: 
policy.ResourceMapping.group:type_name -> policy.ResourceMappingGroup - 26, // 35: policy.KeyAccessServer.public_key:type_name -> policy.PublicKey - 3, // 36: policy.KeyAccessServer.source_type:type_name -> policy.SourceType - 29, // 37: policy.KeyAccessServer.kas_keys:type_name -> policy.KasKey - 35, // 38: policy.KeyAccessServer.metadata:type_name -> common.Metadata - 36, // 39: policy.Key.is_active:type_name -> google.protobuf.BoolValue - 36, // 40: policy.Key.was_mapped:type_name -> google.protobuf.BoolValue - 24, // 41: policy.Key.public_key:type_name -> policy.KasPublicKey - 22, // 42: policy.Key.kas:type_name -> policy.KeyAccessServer - 35, // 43: policy.Key.metadata:type_name -> common.Metadata - 4, // 44: policy.KasPublicKey.alg:type_name -> policy.KasPublicKeyAlgEnum - 24, // 45: policy.KasPublicKeySet.keys:type_name -> policy.KasPublicKey - 25, // 46: policy.PublicKey.cached:type_name -> policy.KasPublicKeySet - 28, // 47: policy.RegisteredResource.values:type_name -> policy.RegisteredResourceValue - 35, // 48: policy.RegisteredResource.metadata:type_name -> common.Metadata - 27, // 49: policy.RegisteredResourceValue.resource:type_name -> policy.RegisteredResource - 34, // 50: policy.RegisteredResourceValue.action_attribute_values:type_name -> policy.RegisteredResourceValue.ActionAttributeValue - 35, // 51: policy.RegisteredResourceValue.metadata:type_name -> common.Metadata - 32, // 52: policy.KasKey.key:type_name -> policy.AsymmetricKey - 5, // 53: policy.AsymmetricKey.key_algorithm:type_name -> policy.Algorithm - 6, // 54: policy.AsymmetricKey.key_status:type_name -> policy.KeyStatus - 7, // 55: policy.AsymmetricKey.key_mode:type_name -> policy.KeyMode - 30, // 56: policy.AsymmetricKey.public_key_ctx:type_name -> policy.PublicKeyCtx - 31, // 57: policy.AsymmetricKey.private_key_ctx:type_name -> policy.PrivateKeyCtx - 9, // 58: policy.AsymmetricKey.provider_config:type_name -> policy.KeyProviderConfig - 35, // 59: 
policy.AsymmetricKey.metadata:type_name -> common.Metadata - 6, // 60: policy.SymmetricKey.key_status:type_name -> policy.KeyStatus - 7, // 61: policy.SymmetricKey.key_mode:type_name -> policy.KeyMode - 9, // 62: policy.SymmetricKey.provider_config:type_name -> policy.KeyProviderConfig - 35, // 63: policy.SymmetricKey.metadata:type_name -> common.Metadata - 13, // 64: policy.RegisteredResourceValue.ActionAttributeValue.action:type_name -> policy.Action - 12, // 65: policy.RegisteredResourceValue.ActionAttributeValue.attribute_value:type_name -> policy.Value - 35, // 66: policy.RegisteredResourceValue.ActionAttributeValue.metadata:type_name -> common.Metadata - 67, // [67:67] is the sub-list for method output_type - 67, // [67:67] is the sub-list for method input_type - 67, // [67:67] is the sub-list for extension type_name - 67, // [67:67] is the sub-list for extension extendee - 0, // [0:67] is the sub-list for field type_name + 5, // 0: policy.SimpleKasPublicKey.algorithm:type_name -> policy.Algorithm + 9, // 1: policy.SimpleKasKey.public_key:type_name -> policy.SimpleKasPublicKey + 37, // 2: policy.KeyProviderConfig.metadata:type_name -> common.Metadata + 38, // 3: policy.Namespace.active:type_name -> google.protobuf.BoolValue + 37, // 4: policy.Namespace.metadata:type_name -> common.Metadata + 24, // 5: policy.Namespace.grants:type_name -> policy.KeyAccessServer + 10, // 6: policy.Namespace.kas_keys:type_name -> policy.SimpleKasKey + 12, // 7: policy.Attribute.namespace:type_name -> policy.Namespace + 0, // 8: policy.Attribute.rule:type_name -> policy.AttributeRuleTypeEnum + 14, // 9: policy.Attribute.values:type_name -> policy.Value + 24, // 10: policy.Attribute.grants:type_name -> policy.KeyAccessServer + 38, // 11: policy.Attribute.active:type_name -> google.protobuf.BoolValue + 10, // 12: policy.Attribute.kas_keys:type_name -> policy.SimpleKasKey + 37, // 13: policy.Attribute.metadata:type_name -> common.Metadata + 13, // 14: 
policy.Value.attribute:type_name -> policy.Attribute + 24, // 15: policy.Value.grants:type_name -> policy.KeyAccessServer + 38, // 16: policy.Value.active:type_name -> google.protobuf.BoolValue + 16, // 17: policy.Value.subject_mappings:type_name -> policy.SubjectMapping + 10, // 18: policy.Value.kas_keys:type_name -> policy.SimpleKasKey + 23, // 19: policy.Value.resource_mappings:type_name -> policy.ResourceMapping + 37, // 20: policy.Value.metadata:type_name -> common.Metadata + 8, // 21: policy.Action.standard:type_name -> policy.Action.StandardAction + 37, // 22: policy.Action.metadata:type_name -> common.Metadata + 14, // 23: policy.SubjectMapping.attribute_value:type_name -> policy.Value + 20, // 24: policy.SubjectMapping.subject_condition_set:type_name -> policy.SubjectConditionSet + 15, // 25: policy.SubjectMapping.actions:type_name -> policy.Action + 37, // 26: policy.SubjectMapping.metadata:type_name -> common.Metadata + 1, // 27: policy.Condition.operator:type_name -> policy.SubjectMappingOperatorEnum + 17, // 28: policy.ConditionGroup.conditions:type_name -> policy.Condition + 2, // 29: policy.ConditionGroup.boolean_operator:type_name -> policy.ConditionBooleanTypeEnum + 18, // 30: policy.SubjectSet.condition_groups:type_name -> policy.ConditionGroup + 19, // 31: policy.SubjectConditionSet.subject_sets:type_name -> policy.SubjectSet + 37, // 32: policy.SubjectConditionSet.metadata:type_name -> common.Metadata + 37, // 33: policy.ResourceMappingGroup.metadata:type_name -> common.Metadata + 37, // 34: policy.ResourceMapping.metadata:type_name -> common.Metadata + 14, // 35: policy.ResourceMapping.attribute_value:type_name -> policy.Value + 22, // 36: policy.ResourceMapping.group:type_name -> policy.ResourceMappingGroup + 28, // 37: policy.KeyAccessServer.public_key:type_name -> policy.PublicKey + 3, // 38: policy.KeyAccessServer.source_type:type_name -> policy.SourceType + 10, // 39: policy.KeyAccessServer.kas_keys:type_name -> policy.SimpleKasKey + 37, 
// 40: policy.KeyAccessServer.metadata:type_name -> common.Metadata + 38, // 41: policy.Key.is_active:type_name -> google.protobuf.BoolValue + 38, // 42: policy.Key.was_mapped:type_name -> google.protobuf.BoolValue + 26, // 43: policy.Key.public_key:type_name -> policy.KasPublicKey + 24, // 44: policy.Key.kas:type_name -> policy.KeyAccessServer + 37, // 45: policy.Key.metadata:type_name -> common.Metadata + 4, // 46: policy.KasPublicKey.alg:type_name -> policy.KasPublicKeyAlgEnum + 26, // 47: policy.KasPublicKeySet.keys:type_name -> policy.KasPublicKey + 27, // 48: policy.PublicKey.cached:type_name -> policy.KasPublicKeySet + 30, // 49: policy.RegisteredResource.values:type_name -> policy.RegisteredResourceValue + 37, // 50: policy.RegisteredResource.metadata:type_name -> common.Metadata + 29, // 51: policy.RegisteredResourceValue.resource:type_name -> policy.RegisteredResource + 36, // 52: policy.RegisteredResourceValue.action_attribute_values:type_name -> policy.RegisteredResourceValue.ActionAttributeValue + 37, // 53: policy.RegisteredResourceValue.metadata:type_name -> common.Metadata + 34, // 54: policy.KasKey.key:type_name -> policy.AsymmetricKey + 5, // 55: policy.AsymmetricKey.key_algorithm:type_name -> policy.Algorithm + 6, // 56: policy.AsymmetricKey.key_status:type_name -> policy.KeyStatus + 7, // 57: policy.AsymmetricKey.key_mode:type_name -> policy.KeyMode + 32, // 58: policy.AsymmetricKey.public_key_ctx:type_name -> policy.PublicKeyCtx + 33, // 59: policy.AsymmetricKey.private_key_ctx:type_name -> policy.PrivateKeyCtx + 11, // 60: policy.AsymmetricKey.provider_config:type_name -> policy.KeyProviderConfig + 37, // 61: policy.AsymmetricKey.metadata:type_name -> common.Metadata + 6, // 62: policy.SymmetricKey.key_status:type_name -> policy.KeyStatus + 7, // 63: policy.SymmetricKey.key_mode:type_name -> policy.KeyMode + 11, // 64: policy.SymmetricKey.provider_config:type_name -> policy.KeyProviderConfig + 37, // 65: policy.SymmetricKey.metadata:type_name 
-> common.Metadata + 15, // 66: policy.RegisteredResourceValue.ActionAttributeValue.action:type_name -> policy.Action + 14, // 67: policy.RegisteredResourceValue.ActionAttributeValue.attribute_value:type_name -> policy.Value + 37, // 68: policy.RegisteredResourceValue.ActionAttributeValue.metadata:type_name -> common.Metadata + 69, // [69:69] is the sub-list for method output_type + 69, // [69:69] is the sub-list for method input_type + 69, // [69:69] is the sub-list for extension type_name + 69, // [69:69] is the sub-list for extension extendee + 0, // [0:69] is the sub-list for field type_name } func init() { file_policy_objects_proto_init() } @@ -3236,7 +3382,7 @@ func file_policy_objects_proto_init() { } if !protoimpl.UnsafeEnabled { file_policy_objects_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KeyProviderConfig); i { + switch v := v.(*SimpleKasPublicKey); i { case 0: return &v.state case 1: @@ -3248,7 +3394,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Namespace); i { + switch v := v.(*SimpleKasKey); i { case 0: return &v.state case 1: @@ -3260,7 +3406,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Attribute); i { + switch v := v.(*KeyProviderConfig); i { case 0: return &v.state case 1: @@ -3272,7 +3418,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Value); i { + switch v := v.(*Namespace); i { case 0: return &v.state case 1: @@ -3284,7 +3430,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Action); i { + switch v := v.(*Attribute); i { case 0: return &v.state case 1: 
@@ -3296,7 +3442,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SubjectMapping); i { + switch v := v.(*Value); i { case 0: return &v.state case 1: @@ -3308,7 +3454,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Condition); i { + switch v := v.(*Action); i { case 0: return &v.state case 1: @@ -3320,7 +3466,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ConditionGroup); i { + switch v := v.(*SubjectMapping); i { case 0: return &v.state case 1: @@ -3332,7 +3478,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SubjectSet); i { + switch v := v.(*Condition); i { case 0: return &v.state case 1: @@ -3344,7 +3490,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SubjectConditionSet); i { + switch v := v.(*ConditionGroup); i { case 0: return &v.state case 1: @@ -3356,7 +3502,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SubjectProperty); i { + switch v := v.(*SubjectSet); i { case 0: return &v.state case 1: @@ -3368,7 +3514,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ResourceMappingGroup); i { + switch v := v.(*SubjectConditionSet); i { case 0: return &v.state case 1: 
@@ -3380,7 +3526,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ResourceMapping); i { + switch v := v.(*SubjectProperty); i { case 0: return &v.state case 1: @@ -3392,7 +3538,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KeyAccessServer); i { + switch v := v.(*ResourceMappingGroup); i { case 0: return &v.state case 1: @@ -3404,7 +3550,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Key); i { + switch v := v.(*ResourceMapping); i { case 0: return &v.state case 1: @@ -3416,7 +3562,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KasPublicKey); i { + switch v := v.(*KeyAccessServer); i { case 0: return &v.state case 1: @@ -3428,7 +3574,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[16].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KasPublicKeySet); i { + switch v := v.(*Key); i { case 0: return &v.state case 1: @@ -3440,7 +3586,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[17].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKey); i { + switch v := v.(*KasPublicKey); i { case 0: return &v.state case 1: @@ -3452,7 +3598,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[18].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RegisteredResource); i { + switch v := v.(*KasPublicKeySet); i { case 0: return &v.state case 1: 
@@ -3464,7 +3610,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[19].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RegisteredResourceValue); i { + switch v := v.(*PublicKey); i { case 0: return &v.state case 1: @@ -3476,7 +3622,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[20].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KasKey); i { + switch v := v.(*RegisteredResource); i { case 0: return &v.state case 1: @@ -3488,7 +3634,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[21].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKeyCtx); i { + switch v := v.(*RegisteredResourceValue); i { case 0: return &v.state case 1: @@ -3500,7 +3646,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[22].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PrivateKeyCtx); i { + switch v := v.(*KasKey); i { case 0: return &v.state case 1: @@ -3512,7 +3658,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[23].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*AsymmetricKey); i { + switch v := v.(*PublicKeyCtx); i { case 0: return &v.state case 1: @@ -3524,7 +3670,7 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[24].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SymmetricKey); i { + switch v := v.(*PrivateKeyCtx); i { case 0: return &v.state case 1: 
@@ -3536,6 +3682,30 @@ func file_policy_objects_proto_init() { } } file_policy_objects_proto_msgTypes[25].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*AsymmetricKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_objects_proto_msgTypes[26].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SymmetricKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_policy_objects_proto_msgTypes[27].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*RegisteredResourceValue_ActionAttributeValue); i { case 0: return &v.state @@ -3548,11 +3718,11 @@ func file_policy_objects_proto_init() { } } } - file_policy_objects_proto_msgTypes[4].OneofWrappers = []interface{}{ + file_policy_objects_proto_msgTypes[6].OneofWrappers = []interface{}{ (*Action_Standard)(nil), (*Action_Custom)(nil), } - file_policy_objects_proto_msgTypes[17].OneofWrappers = []interface{}{ + file_policy_objects_proto_msgTypes[19].OneofWrappers = []interface{}{ (*PublicKey_Remote)(nil), (*PublicKey_Cached)(nil), } @@ -3562,7 +3732,7 @@ func file_policy_objects_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_policy_objects_proto_rawDesc, NumEnums: 9, - NumMessages: 26, + NumMessages: 28, NumExtensions: 0, NumServices: 0, }, diff --git a/service/integration/attribute_fqns_test.go b/service/integration/attribute_fqns_test.go index f241d10941..8ac32ae088 100644 --- a/service/integration/attribute_fqns_test.go +++ b/service/integration/attribute_fqns_test.go @@ -2,6 +2,7 @@ package integration import ( "context" + "encoding/base64" "fmt" "log/slog" "strings" 
@@ -233,7 +234,11 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithAttributeDefKeysAssociated s.NotNil(attr) fullFqn := fqnBuilder(namespace, attributeName, "") - kasKey := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKeyFixture := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKey, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Id{ + Id: kasKeyFixture.ID, + }) + s.Require().NoError(err) attr, err = s.db.PolicyClient.GetAttributeByFqn(s.ctx, fullFqn) s.Require().NoError(err) @@ -241,7 +246,7 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithAttributeDefKeysAssociated keyResp, err := s.db.PolicyClient.AssignPublicKeyToAttribute(s.ctx, &attributes.AttributeKey{ AttributeId: attr.GetId(), - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(keyResp) @@ -251,16 +256,13 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithAttributeDefKeysAssociated // Key checks s.Len(attr.GetKasKeys(), 1) - s.Equal(kasKey.KeyAccessServerID, attr.GetKasKeys()[0].GetKasId()) - s.Equal(kasKey.ID, attr.GetKasKeys()[0].GetKey().GetId()) - validatePublicKeyCtx(&s.Suite, []byte(kasKey.PublicKeyCtx), attr.GetKasKeys()[0]) - s.Empty(attr.GetKasKeys()[0].GetKey().GetProviderConfig()) - s.Empty(attr.GetKasKeys()[0].GetKey().GetPrivateKeyCtx()) + s.Equal(kasKey.GetKey().GetKeyId(), attr.GetKasKeys()[0].GetPublicKey().GetKid()) + validateSimpleKasKey(&s.Suite, kasKey, attr.GetKasKeys()[0]) // Remove association _, err = s.db.PolicyClient.RemovePublicKeyFromAttribute(s.ctx, &attributes.AttributeKey{ AttributeId: attr.GetId(), - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) 
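Review bot: The `kasKey` returned by `GetKey` is only guarded with `s.Require().NoError(err)`; unlike the sibling setup in TestGetAttributeByFqn_WithAttributeValueKeysAssociated there is no nil check, and because the generated getters are nil-safe a nil response would only surface later as an empty `KeyId` in AssignPublicKeyToAttribute rather than at the fetch. Add `s.Require().NotNil(kasKey)` directly after the `NoError`; the same applies to the fetches in the `@@ -330,7` and `@@ -373,11` hunks. Since the same four-line fetch-and-check block now appears five times in this file, a small suite helper that takes the fixture name and performs the lookup, the `NoError` and the `NotNil` would keep the tests consistent. The enclosing test function starts outside this hunk.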
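Review bot: The kid comparison `s.Equal(kasKey.GetKey().GetKeyId(), attr.GetKasKeys()[0].GetPublicKey().GetKid())` in the `@@ -251,16` hunk sits next to `validateSimpleKasKey(&s.Suite, kasKey, attr.GetKasKeys()[0])`, while the value and namespace variants of the same check (the `@@ -314,15` and `@@ -357,15` hunks) call only the helper. Either the helper already compares the kid, in which case this line is redundant, or it does not, in which case those two tests lost that check; validateSimpleKasKey is not part of this diff so I cannot tell which, but the three sites should agree. The dropped `s.Empty(...GetPrivateKeyCtx())` and `GetProviderConfig()` assertions appear to be covered structurally now, since the regenerated depIdxs show SimpleKasKey carrying only a SimpleKasPublicKey, so that part of the change looks fine.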
@@ -275,7 +277,13 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithAttributeDefKeysAssociated func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithAttributeValueKeysAssociated() { fqnFixtureKey := "example.net/attr/attr1" - kasKey := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKeyFixture := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKey, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Id{ + Id: kasKeyFixture.ID, + }) + s.Require().NoError(err) + s.NotNil(kasKey) + fullFqn := "https://" + fqnFixtureKey attr, err := s.db.PolicyClient.GetAttributeByFqn(s.ctx, fullFqn) @@ -291,7 +299,7 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithAttributeValueKeysAssociat // Associate key with attribute. keyResp, err := s.db.PolicyClient.AssignPublicKeyToValue(s.ctx, &attributes.ValueKey{ ValueId: attr.GetValues()[0].GetId(), - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(keyResp) @@ -299,7 +307,7 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithAttributeValueKeysAssociat // Associate value 2 with the same key keyResp, err = s.db.PolicyClient.AssignPublicKeyToValue(s.ctx, &attributes.ValueKey{ ValueId: attr.GetValues()[1].GetId(), - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(keyResp) 
@@ -314,15 +322,11 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithAttributeValueKeysAssociat s.Empty(attr.GetKasKeys()) for _, v := range attr.GetValues() { s.Len(v.GetKasKeys(), 1) - s.Equal(kasKey.KeyAccessServerID, v.GetKasKeys()[0].GetKasId()) - s.Equal(kasKey.ID, v.GetKasKeys()[0].GetKey().GetId()) - validatePublicKeyCtx(&s.Suite, []byte(kasKey.PublicKeyCtx), v.GetKasKeys()[0]) - s.Empty(v.GetKasKeys()[0].GetKey().GetProviderConfig()) - s.Empty(v.GetKasKeys()[0].GetKey().GetPrivateKeyCtx()) + validateSimpleKasKey(&s.Suite, kasKey, v.GetKasKeys()[0]) _, err = s.db.PolicyClient.RemovePublicKeyFromValue(s.ctx, &attributes.ValueKey{ ValueId: v.GetId(), - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) } @@ -330,7 +334,11 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithAttributeValueKeysAssociat func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeysAssociatedWithNamespace() { fqnFixtureKey := "example.net/attr/attr1" - kasKey := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKeyFixture := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKey, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Id{ + Id: kasKeyFixture.ID, + }) + s.Require().NoError(err) fullFqn := "https://" + fqnFixtureKey attr, err := s.db.PolicyClient.GetAttributeByFqn(s.ctx, fullFqn) @@ -343,7 +351,7 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeysAssociatedWithNamespac // Associate key with attribute. keyResp, err := s.db.PolicyClient.AssignPublicKeyToNamespace(s.ctx, &namespaces.NamespaceKey{ NamespaceId: attr.GetNamespace().GetId(), - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(keyResp) 
@@ -357,15 +365,11 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeysAssociatedWithNamespac // Key checks s.Empty(attr.GetKasKeys()) s.Len(attr.GetNamespace().GetKasKeys(), 1) - s.Equal(kasKey.KeyAccessServerID, attr.GetNamespace().GetKasKeys()[0].GetKasId()) - s.Equal(kasKey.ID, attr.GetNamespace().GetKasKeys()[0].GetKey().GetId()) - validatePublicKeyCtx(&s.Suite, []byte(kasKey.PublicKeyCtx), attr.GetNamespace().GetKasKeys()[0]) - s.Empty(attr.GetNamespace().GetKasKeys()[0].GetKey().GetProviderConfig()) - s.Empty(attr.GetNamespace().GetKasKeys()[0].GetKey().GetPrivateKeyCtx()) + validateSimpleKasKey(&s.Suite, kasKey, attr.GetNamespace().GetKasKeys()[0]) _, err = s.db.PolicyClient.RemovePublicKeyFromNamespace(s.ctx, &namespaces.NamespaceKey{ NamespaceId: attr.GetNamespace().GetId(), - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) } @@ -373,11 +377,21 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeysAssociatedWithNamespac func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeysAssociatedAttributes_MultipleAttributes() { fqnFixtureKey := "example.net/attr/attr1" fqnFixtureKeyTwo := "example.net/attr/attr2" - kasKey := s.f.GetKasRegistryServerKeys("kas_key_1") - kasKey2 := s.f.GetKasRegistryServerKeys("kas_key_2") fullFqn := "https://" + fqnFixtureKey fullFqn2 := "https://" + fqnFixtureKeyTwo + kasKeyFixture1 := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKey, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Id{ + Id: kasKeyFixture1.ID, + }) + s.Require().NoError(err) + + kasKeyFixture2 := s.f.GetKasRegistryServerKeys("kas_key_2") + kasKey2, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Id{ + Id: kasKeyFixture2.ID, + }) + s.Require().NoError(err) + attr, err := s.db.PolicyClient.GetAttributeByFqn(s.ctx, fullFqn) s.Require().NoError(err) s.Len(attr.GetValues(), 2) 
@@ -386,7 +400,7 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeysAssociatedAttributes_M // Associate key with attribute. keyResp, err := s.db.PolicyClient.AssignPublicKeyToAttribute(s.ctx, &attributes.AttributeKey{ AttributeId: attr.GetId(), - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(keyResp) @@ -399,7 +413,7 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeysAssociatedAttributes_M // Associate key with attribute. keyResp, err = s.db.PolicyClient.AssignPublicKeyToAttribute(s.ctx, &attributes.AttributeKey{ AttributeId: attr.GetId(), - KeyId: kasKey2.ID, + KeyId: kasKey2.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(keyResp) 
@@ -409,32 +423,24 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeysAssociatedAttributes_M attrOneID := attr.GetId() s.Require().NoError(err) s.Len(attr.GetKasKeys(), 1) - s.Equal(kasKey.KeyAccessServerID, attr.GetKasKeys()[0].GetKasId()) - s.Equal(kasKey.ID, attr.GetKasKeys()[0].GetKey().GetId()) - validatePublicKeyCtx(&s.Suite, []byte(kasKey.PublicKeyCtx), attr.GetKasKeys()[0]) - s.Empty(attr.GetKasKeys()[0].GetKey().GetProviderConfig()) - s.Empty(attr.GetKasKeys()[0].GetKey().GetPrivateKeyCtx()) + validateSimpleKasKey(&s.Suite, kasKey, attr.GetKasKeys()[0]) // Get attribute 2 attr, err = s.db.PolicyClient.GetAttributeByFqn(s.ctx, fullFqn2) attrTwoID := attr.GetId() s.Require().NoError(err) s.Len(attr.GetKasKeys(), 1) - s.Equal(kasKey2.KeyAccessServerID, attr.GetKasKeys()[0].GetKasId()) - s.Equal(kasKey2.ID, attr.GetKasKeys()[0].GetKey().GetId()) - validatePublicKeyCtx(&s.Suite, []byte(kasKey2.PublicKeyCtx), attr.GetKasKeys()[0]) - s.Empty(attr.GetKasKeys()[0].GetKey().GetProviderConfig()) - s.Empty(attr.GetKasKeys()[0].GetKey().GetPrivateKeyCtx()) + validateSimpleKasKey(&s.Suite, kasKey2, attr.GetKasKeys()[0]) _, err = s.db.PolicyClient.RemovePublicKeyFromAttribute(s.ctx, &attributes.AttributeKey{ AttributeId: attrOneID, - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) _, err = s.db.PolicyClient.RemovePublicKeyFromAttribute(s.ctx, &attributes.AttributeKey{ AttributeId: attrTwoID, - KeyId: kasKey2.ID, + KeyId: kasKey2.GetKey().GetId(), }) s.Require().NoError(err) } 
@@ -1670,12 +1676,10 @@ func (s *AttributeFqnSuite) TestGetAttributesByValueFqns_Fails_WithNonValueFqns( } func (s *AttributeFqnSuite) TestGetAttributeByValueFqns_KAS_Keys_Returned() { - kasKey := s.f.GetKasRegistryServerKeys("kas_key_1") - fqn := "https://keys.com/attr/kas-key/value/key1" - - kasReg, err := s.db.PolicyClient.GetKeyAccessServer(s.ctx, kasKey.KeyAccessServerID) + kasKeyFixture := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKey, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Id{Id: kasKeyFixture.ID}) s.Require().NoError(err) - s.NotNil(kasReg) + fqn := "https://keys.com/attr/kas-key/value/key1" // Create New Namespace ns, err := s.db.PolicyClient.CreateNamespace(s.ctx, &namespaces.CreateNamespaceRequest{Name: "keys.com"}) @@ -1695,7 +1699,7 @@ func (s *AttributeFqnSuite) TestGetAttributeByValueFqns_KAS_Keys_Returned() { // Assign Kas Key to namespace nsKey, err := s.db.PolicyClient.AssignPublicKeyToNamespace(s.ctx, &namespaces.NamespaceKey{ NamespaceId: ns.GetId(), - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(nsKey) @@ -1712,14 +1716,13 @@ func (s *AttributeFqnSuite) TestGetAttributeByValueFqns_KAS_Keys_Returned() { s.Len(attr.GetAttribute().GetNamespace().GetKasKeys(), 1) s.Empty(attr.GetAttribute().GetKasKeys()) s.Empty(attr.GetValue().GetKasKeys()) - s.Equal(kasKey.KeyAccessServerID, attr.GetAttribute().GetNamespace().GetKasKeys()[0].GetKasId()) - s.Equal(kasReg.GetUri(), attr.GetAttribute().GetNamespace().GetKasKeys()[0].GetKasUri()) + validateSimpleKasKey(&s.Suite, kasKey, attr.GetAttribute().GetNamespace().GetKasKeys()[0]) } // Assign Kas Key to Attribute attrKey, err := s.db.PolicyClient.AssignPublicKeyToAttribute(s.ctx, &attributes.AttributeKey{ AttributeId: attr.GetId(), - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(attrKey) 
@@ -1736,16 +1739,14 @@ func (s *AttributeFqnSuite) TestGetAttributeByValueFqns_KAS_Keys_Returned() { s.Len(attr.GetAttribute().GetNamespace().GetKasKeys(), 1) s.Len(attr.GetAttribute().GetKasKeys(), 1) s.Empty(attr.GetValue().GetKasKeys()) - s.Equal(kasKey.KeyAccessServerID, attr.GetAttribute().GetNamespace().GetKasKeys()[0].GetKasId()) - s.Equal(kasReg.GetUri(), attr.GetAttribute().GetNamespace().GetKasKeys()[0].GetKasUri()) - s.Equal(kasKey.KeyAccessServerID, attr.GetAttribute().GetKasKeys()[0].GetKasId()) - s.Equal(kasReg.GetUri(), attr.GetAttribute().GetKasKeys()[0].GetKasUri()) + validateSimpleKasKey(&s.Suite, kasKey, attr.GetAttribute().GetNamespace().GetKasKeys()[0]) + validateSimpleKasKey(&s.Suite, kasKey, attr.GetAttribute().GetKasKeys()[0]) } // Assign Kas Key to Value valueKey, err := s.db.PolicyClient.AssignPublicKeyToValue(s.ctx, &attributes.ValueKey{ ValueId: attr.GetValues()[0].GetId(), - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(valueKey) 
@@ -1762,15 +1763,22 @@ func (s *AttributeFqnSuite) TestGetAttributeByValueFqns_KAS_Keys_Returned() { s.Len(attr.GetAttribute().GetNamespace().GetKasKeys(), 1) s.Len(attr.GetAttribute().GetKasKeys(), 1) s.Len(attr.GetValue().GetKasKeys(), 1) - s.Equal(kasKey.KeyAccessServerID, attr.GetAttribute().GetNamespace().GetKasKeys()[0].GetKasId()) - s.Equal(kasReg.GetUri(), attr.GetAttribute().GetNamespace().GetKasKeys()[0].GetKasUri()) - s.Equal(kasKey.KeyAccessServerID, attr.GetAttribute().GetKasKeys()[0].GetKasId()) - s.Equal(kasReg.GetUri(), attr.GetAttribute().GetKasKeys()[0].GetKasUri()) - s.Equal(kasKey.KeyAccessServerID, attr.GetValue().GetKasKeys()[0].GetKasId()) - s.Equal(kasReg.GetUri(), attr.GetValue().GetKasKeys()[0].GetKasUri()) + validateSimpleKasKey(&s.Suite, kasKey, attr.GetAttribute().GetNamespace().GetKasKeys()[0]) + validateSimpleKasKey(&s.Suite, kasKey, attr.GetAttribute().GetKasKeys()[0]) + validateSimpleKasKey(&s.Suite, kasKey, attr.GetValue().GetKasKeys()[0]) } } +func validateSimpleKasKey(s *suite.Suite, expected *policy.KasKey, actual *policy.SimpleKasKey) { + s.Equal(expected.GetKey().GetKeyId(), actual.GetPublicKey().GetKid()) + s.Equal(expected.GetKasUri(), actual.GetKasUri()) + s.Equal(expected.GetKey().GetKeyAlgorithm(), actual.GetPublicKey().GetAlgorithm()) + s.Equal(expected.GetKasId(), actual.GetKasId()) + unbase64EncodedPem, err := base64.StdEncoding.DecodeString(expected.GetKey().GetPublicKeyCtx().GetPem()) + s.Require().NoError(err) + s.Equal(string(unbase64EncodedPem), actual.GetPublicKey().GetPem()) +} + func (s *AttributeFqnSuite) bigTestSetup(namespaceName string) bigSetup { // create a new namespace ns, err := s.db.PolicyClient.CreateNamespace(s.ctx, &namespaces.CreateNamespaceRequest{ diff --git a/service/integration/attribute_values_test.go b/service/integration/attribute_values_test.go index 513bc8e798..d9a7e55894 100644 --- a/service/integration/attribute_values_test.go +++ b/service/integration/attribute_values_test.go 
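Review bot: `validateSimpleKasKey` is a package-wide helper (this patch calls it from attribute_values_test.go, attributes_test.go, kas_registry_test.go and namespaces_test.go) but it is added to attribute_fqn_test.go with no doc comment, while its sibling `validatePublicKeyCtx` lives in kas_registry_key_test.go. Moving it next to that sibling, or into a shared test-helpers file, and adding `// validateSimpleKasKey asserts that actual mirrors expected: kid, KAS URI and id, algorithm, and the PEM after base64-decoding the KasKey's PublicKeyCtx.` would make the relationship between the two helpers discoverable. The local `unbase64EncodedPem` would read more naturally as `expectedPem`.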
@@ -1078,10 +1078,12 @@ func (s *AttributeValuesSuite) Test_AssignPublicKeyToAttributeValue_Succeeds() { s.NotNil(gotAttrValue) s.Empty(gotAttrValue.GetKasKeys()) - kasKey := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKeyFixture := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKey, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Id{Id: kasKeyFixture.ID}) + s.Require().NoError(err) resp, err := s.db.PolicyClient.AssignPublicKeyToValue(s.ctx, &attributes.ValueKey{ ValueId: gotAttrValue.GetId(), - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(resp) @@ -1092,22 +1094,11 @@ func (s *AttributeValuesSuite) Test_AssignPublicKeyToAttributeValue_Succeeds() { s.Require().NoError(err) s.NotNil(gotAttrValue) s.Len(gotAttrValue.GetKasKeys(), 1) - s.Equal(kasKey.KeyAccessServerID, gotAttrValue.GetKasKeys()[0].GetKasId()) - s.Equal(kasKey.ID, gotAttrValue.GetKasKeys()[0].GetKey().GetId()) - validatePublicKeyCtx(&s.Suite, []byte(kasKey.PublicKeyCtx), gotAttrValue.GetKasKeys()[0]) - s.Empty(gotAttrValue.GetKasKeys()[0].GetKey().GetProviderConfig()) - s.Empty(gotAttrValue.GetKasKeys()[0].GetKey().GetPrivateKeyCtx()) - - // Get the kas server information associated with the key - kasReg, err := s.db.PolicyClient.GetKeyAccessServer(s.ctx, kasKey.KeyAccessServerID) - s.Require().NoError(err) - s.NotNil(kasReg) - - s.Equal(kasReg.GetUri(), gotAttrValue.GetKasKeys()[0].GetKasUri()) + validateSimpleKasKey(&s.Suite, kasKey, gotAttrValue.GetKasKeys()[0]) resp, err = s.db.PolicyClient.RemovePublicKeyFromValue(s.ctx, &attributes.ValueKey{ ValueId: gotAttrValue.GetId(), - KeyId: gotAttrValue.GetKasKeys()[0].GetKey().GetId(), + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(resp) diff --git a/service/integration/attributes_test.go b/service/integration/attributes_test.go index f8bf357a26..b3618a40d3 100644 --- a/service/integration/attributes_test.go +++ b/service/integration/attributes_test.go 
@@ -1413,10 +1413,14 @@ func (s *AttributesSuite) Test_AssociatePublicKeyToAttribute_Succeeds() { s.Require().NoError(err) s.NotNil(gotAttr) s.Empty(gotAttr.GetKasKeys()) - kasKey := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKeyFixture := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKey, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Id{ + Id: kasKeyFixture.ID, + }) + s.Require().NoError(err) resp, err := s.db.PolicyClient.AssignPublicKeyToAttribute(s.ctx, &attributes.AttributeKey{ AttributeId: s.f.GetAttributeKey("example.com/attr/attr1").ID, - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(resp) @@ -1426,18 +1430,7 @@ func (s *AttributesSuite) Test_AssociatePublicKeyToAttribute_Succeeds() { s.NotNil(gotAttr) s.Len(gotAttr.GetKasKeys(), 1) - s.Equal(kasKey.KeyAccessServerID, gotAttr.GetKasKeys()[0].GetKasId()) - s.Equal(kasKey.ID, gotAttr.GetKasKeys()[0].GetKey().GetId()) - validatePublicKeyCtx(&s.Suite, []byte(kasKey.PublicKeyCtx), gotAttr.GetKasKeys()[0]) - s.Empty(gotAttr.GetKasKeys()[0].GetKey().GetPrivateKeyCtx()) - s.Empty(gotAttr.GetKasKeys()[0].GetKey().GetProviderConfig()) - - // Get the kas server information associated with the key - kasReg, err := s.db.PolicyClient.GetKeyAccessServer(s.ctx, kasKey.KeyAccessServerID) - s.Require().NoError(err) - s.NotNil(kasReg) - - s.Equal(kasReg.GetUri(), gotAttr.GetKasKeys()[0].GetKasUri()) + validateSimpleKasKey(&s.Suite, kasKey, gotAttr.GetKasKeys()[0]) resp, err = s.db.PolicyClient.RemovePublicKeyFromAttribute(s.ctx, &attributes.AttributeKey{ AttributeId: resp.GetAttributeId(), diff --git a/service/integration/kas_registry_key_test.go b/service/integration/kas_registry_key_test.go index 3203e5f8e7..89f1ebf706 100644 --- a/service/integration/kas_registry_key_test.go +++ b/service/integration/kas_registry_key_test.go 
@@ -469,13 +469,15 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespac updatedNs, err := s.db.PolicyClient.GetNamespace(s.ctx, namespaceMap[rotateKey][0].GetId()) s.Require().NoError(err) s.Len(updatedNs.GetKasKeys(), 1) - s.Equal(rotatedInKey.GetKasKey().GetKey().GetId(), updatedNs.GetKasKeys()[0].GetKey().GetId()) + s.Equal(rotatedInKey.GetKasKey().GetKey().GetKeyId(), updatedNs.GetKasKeys()[0].GetPublicKey().GetKid()) + s.Equal(rotatedInKey.GetKasKey().GetKasUri(), updatedNs.GetKasKeys()[0].GetKasUri()) // Verify that namespace which was assigned a key that was not rotated is still intact nonUpdatedNs, err := s.db.PolicyClient.GetNamespace(s.ctx, namespaceMap[nonRotateKey][0].GetId()) s.Require().NoError(err) s.Len(nonUpdatedNs.GetKasKeys(), 1) - s.Equal(keyMap[nonRotateKey].GetKey().GetId(), nonUpdatedNs.GetKasKeys()[0].GetKey().GetId()) + s.Equal(keyMap[nonRotateKey].GetKey().GetKeyId(), nonUpdatedNs.GetKasKeys()[0].GetPublicKey().GetKid()) + s.Equal(keyMap[nonRotateKey].GetKasUri(), nonUpdatedNs.GetKasKeys()[0].GetKasUri()) // Verify that attribute has the new key updatedAttr, err := s.db.PolicyClient.GetAttribute(s.ctx, &attributes.GetAttributeRequest_AttributeId{ @@ -483,7 +485,8 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespac }) s.Require().NoError(err) s.Len(updatedAttr.GetKasKeys(), 1) - s.Equal(rotatedInKey.GetKasKey().GetKey().GetId(), updatedAttr.GetKasKeys()[0].GetKey().GetId()) + s.Equal(rotatedInKey.GetKasKey().GetKey().GetKeyId(), updatedAttr.GetKasKeys()[0].GetPublicKey().GetKid()) + s.Equal(rotatedInKey.GetKasKey().GetKasUri(), updatedAttr.GetKasKeys()[0].GetKasUri()) // Verify that attribute definition which was assigned a key that was not rotated is still intact nonUpdatedAttr, err := s.db.PolicyClient.GetAttribute(s.ctx, &attributes.GetAttributeRequest_AttributeId{ 
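Review bot: Each assertion pair in this hunk, and in the following hunks of Test_RotateKey_Multiple_Attributes_Values_Namespaces and Test_RotateKey_Two_Attribute_Two_Namespace_0_AttributeValue_Success, hand-compares only kid and KAS URI, while the same patch introduces `validateSimpleKasKey(s *suite.Suite, expected *policy.KasKey, actual *policy.SimpleKasKey)` in this package, which additionally checks KAS id, algorithm and PEM. Replacing each pair with `validateSimpleKasKey(&s.Suite, rotatedInKey.GetKasKey(), updatedNs.GetKasKeys()[0])` (and `keyMap[nonRotateKey]` for the non-rotated cases, assuming its values are `*policy.KasKey` as the getters suggest) would make the rotation tests as strict as the association tests, in particular catching a rotation that swaps the kid but leaves stale PEM material attached. The enclosing test functions start outside the hunk.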
@@ -491,7 +494,8 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespac }) s.Require().NoError(err) s.Len(nonUpdatedAttr.GetKasKeys(), 1) - s.Equal(keyMap[nonRotateKey].GetKey().GetId(), nonUpdatedAttr.GetKasKeys()[0].GetKey().GetId()) + s.Equal(keyMap[nonRotateKey].GetKey().GetKeyId(), nonUpdatedAttr.GetKasKeys()[0].GetPublicKey().GetKid()) + s.Equal(keyMap[nonRotateKey].GetKasUri(), nonUpdatedAttr.GetKasKeys()[0].GetKasUri()) // Verify that attribute value has the new key attrValue, err := s.db.PolicyClient.GetAttributeValue(s.ctx, &attributes.GetAttributeValueRequest_ValueId{ @@ -499,7 +503,8 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespac }) s.Require().NoError(err) s.Len(attrValue.GetKasKeys(), 1) - s.Equal(rotatedInKey.GetKasKey().GetKey().GetId(), attrValue.GetKasKeys()[0].GetKey().GetId()) + s.Equal(rotatedInKey.GetKasKey().GetKey().GetKeyId(), attrValue.GetKasKeys()[0].GetPublicKey().GetKid()) + s.Equal(rotatedInKey.GetKasKey().GetKasUri(), attrValue.GetKasKeys()[0].GetKasUri()) // Verify that attribute value which was assigned a key that was not rotated is still intact nonUpdatedAttrValue, err := s.db.PolicyClient.GetAttributeValue(s.ctx, &attributes.GetAttributeValueRequest_ValueId{ @@ -507,7 +512,8 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespac }) s.Require().NoError(err) s.Len(nonUpdatedAttrValue.GetKasKeys(), 1) - s.Equal(keyMap[nonRotateKey].GetKey().GetId(), nonUpdatedAttrValue.GetKasKeys()[0].GetKey().GetId()) + s.Equal(keyMap[nonRotateKey].GetKey().GetKeyId(), nonUpdatedAttrValue.GetKasKeys()[0].GetPublicKey().GetKid()) + s.Equal(keyMap[nonRotateKey].GetKasUri(), nonUpdatedAttrValue.GetKasKeys()[0].GetKasUri()) } func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_AttributeValue_Success() { 
@@ -604,7 +610,8 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_Attri updatedNs, err := s.db.PolicyClient.GetNamespace(s.ctx, ns.GetId()) s.Require().NoError(err) s.Len(updatedNs.GetKasKeys(), 1) - s.Equal(rotatedInKey.GetKasKey().GetKey().GetId(), updatedNs.GetKasKeys()[0].GetKey().GetId()) + s.Equal(rotatedInKey.GetKasKey().GetKey().GetKeyId(), updatedNs.GetKasKeys()[0].GetPublicKey().GetKid()) + s.Equal(rotatedInKey.GetKasKey().GetKasUri(), updatedNs.GetKasKeys()[0].GetKasUri()) } // Verify that namespace which was assigned a key that was not rotated is still intact @@ -612,7 +619,8 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_Attri nonUpdatedNs, err := s.db.PolicyClient.GetNamespace(s.ctx, ns.GetId()) s.Require().NoError(err) s.Len(nonUpdatedNs.GetKasKeys(), 1) - s.Equal(keyMap[nonRotateKey].GetKey().GetId(), nonUpdatedNs.GetKasKeys()[0].GetKey().GetId()) + s.Equal(keyMap[nonRotateKey].GetKey().GetKeyId(), nonUpdatedNs.GetKasKeys()[0].GetPublicKey().GetKid()) + s.Equal(keyMap[nonRotateKey].GetKasUri(), nonUpdatedNs.GetKasKeys()[0].GetKasUri()) } // Verify that attribute has the new key @@ -622,7 +630,8 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_Attri }) s.Require().NoError(err) s.Len(updatedAttr.GetKasKeys(), 1) - s.Equal(rotatedInKey.GetKasKey().GetKey().GetId(), updatedAttr.GetKasKeys()[0].GetKey().GetId()) + s.Equal(rotatedInKey.GetKasKey().GetKey().GetKeyId(), updatedAttr.GetKasKeys()[0].GetPublicKey().GetKid()) + s.Equal(rotatedInKey.GetKasKey().GetKasUri(), updatedAttr.GetKasKeys()[0].GetKasUri()) } // Verify that attribute definition which was assigned a key that was not rotated is still intact 
@@ -632,7 +641,8 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_Attri }) s.Require().NoError(err) s.Len(nonUpdatedAttr.GetKasKeys(), 1) - s.Equal(keyMap[nonRotateKey].GetKey().GetId(), nonUpdatedAttr.GetKasKeys()[0].GetKey().GetId()) + s.Equal(keyMap[nonRotateKey].GetKey().GetKeyId(), nonUpdatedAttr.GetKasKeys()[0].GetPublicKey().GetKid()) + s.Equal(keyMap[nonRotateKey].GetKasUri(), nonUpdatedAttr.GetKasKeys()[0].GetKasUri()) } } @@ -1347,14 +1357,14 @@ func (s *KasRegistryKeySuite) validateListKeysResponse(resp *kasregistry.ListKey } } -func validatePublicKeyCtx(s *suite.Suite, expectedPubCtx []byte, actual *policy.KasKey) { +func validatePublicKeyCtx(s *suite.Suite, expectedPubCtx []byte, actual *policy.SimpleKasKey) { decodedExpectedPubCtx, err := base64.StdEncoding.DecodeString(string(expectedPubCtx)) s.Require().NoError(err) var expectedPub policy.PublicKeyCtx err = protojson.Unmarshal(decodedExpectedPubCtx, &expectedPub) s.Require().NoError(err) - s.Equal(expectedPub.GetPem(), actual.GetKey().GetPublicKeyCtx().GetPem()) + s.Equal(expectedPub.GetPem(), actual.GetPublicKey().GetPem()) } func validatePrivatePublicCtx(s *suite.Suite, expectedPrivCtx, expectedPubCtx []byte, actual *policy.KasKey) { @@ -1367,5 +1377,10 @@ func validatePrivatePublicCtx(s *suite.Suite, expectedPrivCtx, expectedPubCtx [] s.Equal(expectedPriv.GetKeyId(), actual.GetKey().GetPrivateKeyCtx().GetKeyId()) s.Equal(expectedPriv.GetWrappedKey(), actual.GetKey().GetPrivateKeyCtx().GetWrappedKey()) - validatePublicKeyCtx(s, expectedPubCtx, actual) + validatePublicKeyCtx(s, expectedPubCtx, &policy.SimpleKasKey{ + KasUri: actual.GetKasUri(), + PublicKey: &policy.SimpleKasPublicKey{ + Pem: actual.GetKey().GetPublicKeyCtx().GetPem(), + }, + }) } diff --git a/service/integration/kas_registry_test.go b/service/integration/kas_registry_test.go index 1842721a8b..a321c71c2d 100644 --- a/service/integration/kas_registry_test.go +++ b/service/integration/kas_registry_test.go 
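Review bot: `validatePrivatePublicCtx` now builds a throwaway `policy.SimpleKasKey` only so it can call `validatePublicKeyCtx`, which after this change reads nothing but `actual.GetPublicKey().GetPem()`; the `KasUri` field populated in the literal is never checked. Either drop that field, or let the helper take the value it compares, e.g. `func validatePublicKeyCtx(s *suite.Suite, expectedPubCtx []byte, actualPem string)` called as `validatePublicKeyCtx(s, expectedPubCtx, actual.GetKey().GetPublicKeyCtx().GetPem())`, which removes the synthetic struct and the `SimpleKasKey` dependency from this helper. A one-line comment on `validatePublicKeyCtx` saying that `expectedPubCtx` is the fixture's base64-encoded protojson PublicKeyCtx would also help, since the new `validateSimpleKasKey` decodes a different base64 field. `validatePrivatePublicCtx` starts before this hunk.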
@@ -1257,14 +1257,16 @@ func (s *KasRegistrySuite) getKasRegistryServerKeysFixtures() []fixtures.Fixture } } -func (s *KasRegistrySuite) getKasToKeysFixtureMap() map[string][]fixtures.FixtureDataKasRegistryKey { +func (s *KasRegistrySuite) getKasToKeysFixtureMap() map[string][]*policy.KasKey { // map kas id to keys - kasToKeys := make(map[string][]fixtures.FixtureDataKasRegistryKey) + kasToKeys := make(map[string][]*policy.KasKey) for _, k := range s.getKasRegistryServerKeysFixtures() { if kasToKeys[k.KeyAccessServerID] == nil { - kasToKeys[k.KeyAccessServerID] = make([]fixtures.FixtureDataKasRegistryKey, 0) + kasToKeys[k.KeyAccessServerID] = make([]*policy.KasKey, 0) } - kasToKeys[k.KeyAccessServerID] = append(kasToKeys[k.KeyAccessServerID], k) + key, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Id{Id: k.ID}) + s.Require().NoError(err) + kasToKeys[k.KeyAccessServerID] = append(kasToKeys[k.KeyAccessServerID], key) } return kasToKeys } 
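Review bot: The `if kasToKeys[k.KeyAccessServerID] == nil { ... make([]*policy.KasKey, 0) }` block is redundant, since `append` on a nil slice allocates; the loop body reduces to the `GetKey` call, `s.Require().NoError(err)` and `kasToKeys[k.KeyAccessServerID] = append(kasToKeys[k.KeyAccessServerID], key)`. Worth a doc comment as well, because the helper now performs one `GetKey` round trip per fixture on every call and `validateKasRegistryKeys` invokes it once per KAS it validates; a cache populated once per suite would keep that from scaling with the fixture count.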
@@ -1272,22 +1274,19 @@ func (s *KasRegistrySuite) getKasToKeysFixtureMap() map[string][]fixtures.Fixtur func (s *KasRegistrySuite) validateKasRegistryKeys(kasr *policy.KeyAccessServer) { kasToKeysFixtures := s.getKasToKeysFixtureMap() // Check that key is present. - keysFixtureArr := kasToKeysFixtures[kasr.GetId()] - s.GreaterOrEqual(len(kasr.GetKasKeys()), len(keysFixtureArr)) + expectedKasKeys := kasToKeysFixtures[kasr.GetId()] + s.GreaterOrEqual(len(kasr.GetKasKeys()), len(expectedKasKeys)) // Check for expected key ids. matchingKeysCount := 0 for _, kasKey := range kasr.GetKasKeys() { - for _, f := range keysFixtureArr { - if kasKey.GetKey().GetId() == f.ID { - s.Equal(f.KeyAccessServerID, kasKey.GetKasId()) - validatePublicKeyCtx(&s.Suite, []byte(f.PublicKeyCtx), kasKey) - s.Empty(kasKey.GetKey().GetPrivateKeyCtx()) - s.Empty(kasKey.GetKey().GetProviderConfig()) + for _, f := range expectedKasKeys { + if kasKey.GetPublicKey().GetKid() == f.GetKey().GetKeyId() { + validateSimpleKasKey(&s.Suite, f, kasKey) matchingKeysCount++ } } } - s.Len(keysFixtureArr, matchingKeysCount) + s.Len(expectedKasKeys, matchingKeysCount) } func TestKasRegistrySuite(t *testing.T) { diff --git a/service/integration/namespaces_test.go b/service/integration/namespaces_test.go index 9c37ddc8d6..3b31d5b5a1 100644 --- a/service/integration/namespaces_test.go +++ b/service/integration/namespaces_test.go 
@@ -1263,10 +1263,14 @@ func (s *NamespacesSuite) Test_AssociatePublicKeyToNamespace_Succeeds() { s.NotNil(gotNS) s.Empty(gotNS.GetKasKeys()) - kasKey := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKeyFixture := s.f.GetKasRegistryServerKeys("kas_key_1") + kasKey, err := s.db.PolicyClient.GetKey(s.ctx, &kasregistry.GetKeyRequest_Id{ + Id: kasKeyFixture.ID, + }) + s.Require().NoError(err) resp, err := s.db.PolicyClient.AssignPublicKeyToNamespace(s.ctx, &namespaces.NamespaceKey{ NamespaceId: namespaceFix.ID, - KeyId: kasKey.ID, + KeyId: kasKey.GetKey().GetId(), }) s.Require().NoError(err) s.NotNil(resp) @@ -1277,11 +1281,7 @@ func (s *NamespacesSuite) Test_AssociatePublicKeyToNamespace_Succeeds() { s.Require().NoError(err) s.NotNil(gotNS) s.Len(gotNS.GetKasKeys(), 1) - s.Equal(kasKey.KeyAccessServerID, gotNS.GetKasKeys()[0].GetKasId()) - s.Equal(kasKey.ID, gotNS.GetKasKeys()[0].GetKey().GetId()) - validatePublicKeyCtx(&s.Suite, []byte(kasKey.PublicKeyCtx), gotNS.GetKasKeys()[0]) - s.Empty(gotNS.GetKasKeys()[0].GetKey().GetPrivateKeyCtx()) - s.Empty(gotNS.GetKasKeys()[0].GetKey().GetProviderConfig()) + validateSimpleKasKey(&s.Suite, kasKey, gotNS.GetKasKeys()[0]) resp, err = s.db.PolicyClient.RemovePublicKeyFromNamespace(s.ctx, &namespaces.NamespaceKey{ NamespaceId: resp.GetNamespaceId(), diff --git a/service/pkg/db/marshalHelpers.go b/service/pkg/db/marshalHelpers.go index 5375f9b42b..7c878c9c67 100644 --- a/service/pkg/db/marshalHelpers.go +++ b/service/pkg/db/marshalHelpers.go 
@@ -142,10 +142,30 @@ func FormatAlg(alg policy.Algorithm) (string, error) { } } -func UnmarshalSimpleKasKey(keysJSON []byte) (*kasregistry.SimpleKasKey, error) { - var key *kasregistry.SimpleKasKey +func SimpleKasKeysProtoJSON(keysJSON []byte) ([]*policy.SimpleKasKey, error) { + var ( + keys []*policy.SimpleKasKey + raw []json.RawMessage + ) + if err := json.Unmarshal(keysJSON, &raw); err != nil { + return nil, err + } + for _, r := range raw { + k, err := UnmarshalSimpleKasKey([]byte(r)) + if err != nil { + return nil, fmt.Errorf("failed to unmarshal simple kas key: %w", err) + } + if k != nil { + keys = append(keys, k) + } + } + return keys, nil +} + +func UnmarshalSimpleKasKey(keysJSON []byte) (*policy.SimpleKasKey, error) { + var key *policy.SimpleKasKey if keysJSON != nil { - key = &kasregistry.SimpleKasKey{} + key = &policy.SimpleKasKey{} if err := protojson.Unmarshal(keysJSON, key); err != nil { return nil, err } diff --git a/service/policy/db/attribute_values.go b/service/policy/db/attribute_values.go index d4bb8fe492..931377a9b8 100644 --- a/service/policy/db/attribute_values.go +++ b/service/policy/db/attribute_values.go @@ -92,9 +92,9 @@ func (c PolicyDBClient) GetAttributeValue(ctx context.Context, identifier any) ( } } - var keys []*policy.KasKey + var keys []*policy.SimpleKasKey if av.Keys != nil { - keys, err = db.KasKeysProtoJSON(av.Keys) + keys, err = db.SimpleKasKeysProtoJSON(av.Keys) if err != nil { c.logger.ErrorContext(ctx, "could not unmarshal keys", slog.String("error", err.Error())) return nil, err diff --git a/service/policy/db/attributes.go b/service/policy/db/attributes.go index d778df7207..6e95341044 100644 --- a/service/policy/db/attributes.go +++ b/service/policy/db/attributes.go 
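Review bot: The `if k != nil` guard in `SimpleKasKeysProtoJSON` can never trigger: `UnmarshalSimpleKasKey` returns nil only when its argument is nil, and a `json.RawMessage` taken from a parsed array is never nil — a JSON `null` element arrives as the bytes `null`, which are then passed to `protojson.Unmarshal` and, as far as I can tell, rejected with an error rather than skipped. If null elements can occur in the aggregated keys column, skip them explicitly with `if string(r) == "null" { continue }` before the call; otherwise drop the guard so the intent is clear. The function also lacks a doc comment; something like `// SimpleKasKeysProtoJSON decodes a JSON array of protojson-encoded policy.SimpleKasKey values as aggregated by the policy queries.` would do. The `failed to unmarshal` prefix is redundant once the error is wrapped again by callers.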
@@ -43,6 +43,7 @@ func attributesValuesProtojson(valuesJSON []byte) ([]*policy.Value, error) { for _, r := range raw { value := &policy.Value{} err := protojson.Unmarshal(r, value) + // Need to format keys if err != nil { return nil, fmt.Errorf("error unmarshaling a value: %w", err) } @@ -271,9 +272,9 @@ func (c PolicyDBClient) GetAttribute(ctx context.Context, identifier any) (*poli return nil, err } - var keys []*policy.KasKey + var keys []*policy.SimpleKasKey if len(attr.Keys) > 0 { - keys, err = db.KasKeysProtoJSON(attr.Keys) + keys, err = db.SimpleKasKeysProtoJSON(attr.Keys) if err != nil { return nil, fmt.Errorf("failed to unmarshal keys [%s]: %w", string(attr.Keys), err) } @@ -310,9 +311,9 @@ func (c PolicyDBClient) ListAttributesByFqns(ctx context.Context, fqns []string) } } - var keys []*policy.KasKey + var keys []*policy.SimpleKasKey if len(attr.Keys) > 0 { - keys, err = db.KasKeysProtoJSON(attr.Keys) + keys, err = db.SimpleKasKeysProtoJSON(attr.Keys) if err != nil { return nil, fmt.Errorf("failed to unmarshal keys [%s]: %w", string(attr.Keys), err) } diff --git a/service/policy/db/grant_mappings.go b/service/policy/db/grant_mappings.go index f887457e1a..5e61859b1b 100644 --- a/service/policy/db/grant_mappings.go +++ b/service/policy/db/grant_mappings.go 
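Review bot: The added `// Need to format keys` comment sits between `err := protojson.Unmarshal(r, value)` and its `if err != nil` check, splitting the error-handling pair and telling the reader nothing about what formatting is still needed or where. If it records pending work, make it a tracked `// TODO: <what formatting the keys need and why>` placed after the error check next to the code it concerns; if the work is already done elsewhere in this patch (e.g. by `SimpleKasKeysProtoJSON`), drop it. `attributesValuesProtojson` starts before this hunk.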
@@ -1,33 +1,34 @@ package db import ( - "encoding/base64" "fmt" "github.com/opentdf/platform/protocol/go/policy" "github.com/opentdf/platform/service/logger" ) +var ( + errKasInfoIncomplete = fmt.Errorf("kas information is incomplete") +) + func mapAlgorithmToKasPublicKeyAlg(alg policy.Algorithm) policy.KasPublicKeyAlgEnum { switch alg { case policy.Algorithm_ALGORITHM_RSA_2048: return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 case policy.Algorithm_ALGORITHM_RSA_4096: return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 - case policy.Algorithm_ALGORITHM_EC_P256: // ALGORITHM_EC_P256 is an alias + case policy.Algorithm_ALGORITHM_EC_P256: return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 case policy.Algorithm_ALGORITHM_EC_P384: // ALGORITHM_EC_P384 is an alias return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 case policy.Algorithm_ALGORITHM_EC_P521: // ALGORITHM_EC_P521 is an alias return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 - case policy.Algorithm_ALGORITHM_UNSPECIFIED: - return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED default: return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED } } -func mapKasKeysToGrants(keys []*policy.KasKey, existingGrants []*policy.KeyAccessServer, l *logger.Logger) ([]*policy.KeyAccessServer, error) { +func mapKasKeysToGrants(keys []*policy.SimpleKasKey, existingGrants []*policy.KeyAccessServer, l *logger.Logger) ([]*policy.KeyAccessServer, error) { kasMap := make(map[string]*policy.KeyAccessServer) // Populate the map with existing grants 
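Review bot: `errKasInfoIncomplete = fmt.Errorf("kas information is incomplete")` has no format verbs, so it should be `errors.New("kas information is incomplete")` with `"errors"` added to the import block this hunk edits; constant-string `Errorf` is flagged by the usual linters, and a parenthesised `var ( … )` block for a single sentinel can be a plain `var`. Separately, removing `// ALGORITHM_EC_P256 is an alias` while the P384 and P521 cases keep that note leaves the three cases inconsistent; keep the comment on all three or on none. `mapAlgorithmToKasPublicKeyAlg` is otherwise behaviourally unchanged since `default` already returned UNSPECIFIED.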
@@ -41,33 +42,25 @@ func mapKasKeysToGrants(keys []*policy.KasKey, existingGrants []*policy.KeyAcces if key == nil { continue } - kasURI := key.GetKasUri() - if kasURI == "" { - // Skip keys without a URI, as it's essential for mapping - l.Debug("skipping key without URI", "kid", key.GetKey().GetKeyId()) - continue + if key.GetKasUri() == "" || key.GetKasId() == "" { + return nil, errKasInfoIncomplete } - kasKeyInfo := key.GetKey() + kasKeyInfo := key.GetPublicKey() if kasKeyInfo == nil { - continue + return nil, fmt.Errorf("kas key info is nil for a key with kas uri %s", key.GetKasUri()) } - - newKasPublicKey := &policy.KasPublicKey{ - Kid: kasKeyInfo.GetKeyId(), - Alg: mapAlgorithmToKasPublicKeyAlg(kasKeyInfo.GetKeyAlgorithm()), + if kasKeyInfo.GetPem() == "" { + return nil, fmt.Errorf("kas key PEM is empty, kid %s", kasKeyInfo.GetKid()) } - if pubKeyCtx := kasKeyInfo.GetPublicKeyCtx(); pubKeyCtx != nil { - // PEM content in PublicKeyCtx is base64 encoded; decode it for KasPublicKey.Pem. - pem, err := base64.StdEncoding.DecodeString(pubKeyCtx.GetPem()) - if err != nil { - return nil, fmt.Errorf("failed to decode PEM for key %s: %w", newKasPublicKey.GetKid(), err) - } - newKasPublicKey.Pem = string(pem) + newKasPublicKey := &policy.KasPublicKey{ + Kid: kasKeyInfo.GetKid(), + Alg: mapAlgorithmToKasPublicKeyAlg(kasKeyInfo.GetAlgorithm()), + Pem: kasKeyInfo.GetPem(), } - existingKas, found := kasMap[kasURI] + existingKas, found := kasMap[key.GetKasUri()] if found { // KAS URI already exists, merge/add the public key if existingKas.GetPublicKey().GetCached() == nil { @@ -92,7 +85,7 @@ func mapKasKeysToGrants(keys []*policy.KasKey, existingGrants []*policy.KeyAcces } else { // New KAS URI, create a new grant grant := &policy.KeyAccessServer{ - Uri: kasURI, + Uri: key.GetKasUri(), Id: key.GetKasId(), PublicKey: &policy.PublicKey{ PublicKey: &policy.PublicKey_Cached{ 
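Review bot: Returning the bare `errKasInfoIncomplete` sentinel when `key.GetKasUri() == "" || key.GetKasId() == ""` tells the operator nothing about which stored key is malformed, and this hunk turns the previous skip-with-debug-log into a hard failure of the whole grant mapping, so a single incomplete key row will now fail the enclosing attribute or namespace lookup. Failing closed on incomplete key material is defensible, but wrap the sentinel with context so it can be triaged: `return nil, fmt.Errorf("%w: kid %q, kas uri %q, kas id %q", errKasInfoIncomplete, key.GetPublicKey().GetKid(), key.GetKasUri(), key.GetKasId())`, which still satisfies `errors.Is`. The other two new error returns already name the kid or URI, so this one is the odd one out. Style-wise the removed `kasURI := key.GetKasUri()` local was worth keeping, as the new code calls `key.GetKasUri()` repeatedly across this hunk and the next. `mapKasKeysToGrants` begins before this hunk and ends in the next.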
@@ -100,7 +93,7 @@ func mapKasKeysToGrants(keys []*policy.KasKey, existingGrants []*policy.KeyAcces }, }, } - kasMap[kasURI] = grant + kasMap[key.GetKasUri()] = grant } } diff --git a/service/policy/db/grant_mappings_test.go b/service/policy/db/grant_mappings_test.go index 503b06cdc7..26e52dec4d 100644 --- a/service/policy/db/grant_mappings_test.go +++ b/service/policy/db/grant_mappings_test.go @@ -1,7 +1,6 @@ package db import ( - "encoding/base64" "sort" "testing" @@ -13,11 +12,10 @@ import ( func TestMapKasKeysToGrants(t *testing.T) { validPem := "VALID_PEM_CONTENT" - validPemB64 := base64.StdEncoding.EncodeToString([]byte(validPem)) tests := []struct { name string - keys []*policy.KasKey + keys []*policy.SimpleKasKey existingGrants []*policy.KeyAccessServer expectedGrants []*policy.KeyAccessServer wantErr bool 
@@ -25,16 +23,16 @@ func TestMapKasKeysToGrants(t *testing.T) { }{ { name: "empty keys and empty existing grants", - keys: []*policy.KasKey{}, + keys: []*policy.SimpleKasKey{}, existingGrants: []*policy.KeyAccessServer{}, expectedGrants: []*policy.KeyAccessServer{}, wantErr: false, }, { name: "new keys only, no existing grants", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid1", KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, - {KasId: "kas2", KasUri: "http://kas2.example.com", Key: &policy.AsymmetricKey{KeyId: "kid2", KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid1", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, Pem: validPem}}, + {KasId: "kas2", KasUri: "http://kas2.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid2", Algorithm: policy.Algorithm_ALGORITHM_EC_P256, Pem: validPem}}, }, existingGrants: []*policy.KeyAccessServer{}, expectedGrants: []*policy.KeyAccessServer{ @@ -45,7 +43,7 @@ func TestMapKasKeysToGrants(t *testing.T) { }, { name: "existing grants only, no new keys", - keys: []*policy.KasKey{}, + keys: []*policy.SimpleKasKey{}, existingGrants: []*policy.KeyAccessServer{ {Id: "kas1", Uri: "http://kas1.example.com", PublicKey: &policy.PublicKey{PublicKey: &policy.PublicKey_Cached{Cached: &policy.KasPublicKeySet{Keys: []*policy.KasPublicKey{{Kid: "kid_existing", Alg: policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048, Pem: "existing_pem"}}}}}}, }, 
@@ -56,8 +54,8 @@ func TestMapKasKeysToGrants(t *testing.T) { }, { name: "add new public key to existing grant", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid_new", KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid_new", Algorithm: policy.Algorithm_ALGORITHM_EC_P256, Pem: validPem}}, }, existingGrants: []*policy.KeyAccessServer{ {Id: "kas1", Uri: "http://kas1.example.com", PublicKey: &policy.PublicKey{PublicKey: &policy.PublicKey_Cached{Cached: &policy.KasPublicKeySet{Keys: []*policy.KasPublicKey{{Kid: "kid_existing", Alg: policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048, Pem: "existing_pem"}}}}}}, 
@@ -72,9 +70,9 @@ func TestMapKasKeysToGrants(t *testing.T) { }, { name: "add new grant and new public key to existing grant", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid_new_for_kas1", KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, - {KasId: "kas2", KasUri: "http://kas2.example.com", Key: &policy.AsymmetricKey{KeyId: "kid_for_kas2", KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid_new_for_kas1", Algorithm: policy.Algorithm_ALGORITHM_EC_P256, Pem: validPem}}, + {KasId: "kas2", KasUri: "http://kas2.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid_for_kas2", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, Pem: validPem}}, }, existingGrants: []*policy.KeyAccessServer{ {Id: "kas1", Uri: "http://kas1.example.com", PublicKey: &policy.PublicKey{PublicKey: &policy.PublicKey_Cached{Cached: &policy.KasPublicKeySet{Keys: []*policy.KasPublicKey{{Kid: "kid_existing_for_kas1", Alg: policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048, Pem: "existing_pem"}}}}}}, 
@@ -90,8 +88,8 @@ func TestMapKasKeysToGrants(t *testing.T) { }, { name: "deduplicate public key by KID", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid_existing", KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, // Same KID as existing + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid_existing", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, Pem: validPem}}, // Same KID as existing }, existingGrants: []*policy.KeyAccessServer{ {Id: "kas1", Uri: "http://kas1.example.com", PublicKey: &policy.PublicKey{PublicKey: &policy.PublicKey_Cached{Cached: &policy.KasPublicKeySet{Keys: []*policy.KasPublicKey{{Kid: "kid_existing", Alg: policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048, Pem: "existing_pem"}}}}}}, 
@@ -104,19 +102,19 @@ func TestMapKasKeysToGrants(t *testing.T) { wantErr: false, }, { - name: "invalid base64 PEM", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid1", KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, PublicKeyCtx: &policy.PublicKeyCtx{Pem: "invalid-b64"}}}, + name: "empty pem", + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid1", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, Pem: ""}}, // Empty PEM }, existingGrants: []*policy.KeyAccessServer{}, wantErr: true, - errContains: "failed to decode PEM for key kid1", + errContains: "kas key PEM is empty, kid kid1", }, { name: "nil key in keys slice", - keys: []*policy.KasKey{ + keys: []*policy.SimpleKasKey{ nil, - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid1", KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid1", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, Pem: validPem}}, }, existingGrants: []*policy.KeyAccessServer{}, expectedGrants: []*policy.KeyAccessServer{ 
@@ -125,38 +123,51 @@ func TestMapKasKeysToGrants(t *testing.T) { wantErr: false, }, { - name: "key with nil KasKeyInfo", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: nil}, + name: "key with nil kas uri", + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid1", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, Pem: validPem}}, // Nil URI }, existingGrants: []*policy.KeyAccessServer{}, expectedGrants: []*policy.KeyAccessServer{}, - wantErr: false, + wantErr: true, + errContains: errKasInfoIncomplete.Error(), }, { - name: "key with nil PublicKeyCtx", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid1", KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, PublicKeyCtx: nil}}, + name: "key with nil kas id", + keys: []*policy.SimpleKasKey{ + {KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid1", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, Pem: validPem}}, }, existingGrants: []*policy.KeyAccessServer{}, - expectedGrants: []*policy.KeyAccessServer{ - {Id: "kas1", Uri: "http://kas1.example.com", PublicKey: &policy.PublicKey{PublicKey: &policy.PublicKey_Cached{Cached: &policy.KasPublicKeySet{Keys: []*policy.KasPublicKey{{Kid: "kid1", Alg: policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048, Pem: ""}}}}}}, - }, - wantErr: false, + expectedGrants: []*policy.KeyAccessServer{}, + wantErr: true, + errContains: errKasInfoIncomplete.Error(), }, { - name: "key with empty KasUri", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "", Key: &policy.AsymmetricKey{KeyId: "kid1", KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, + name: "key with nil public key", + keys: []*policy.SimpleKasKey{ + {KasUri: "http://kas1.example.com", KasId: "kas1"}, }, existingGrants: []*policy.KeyAccessServer{}, expectedGrants: []*policy.KeyAccessServer{}, - 
wantErr: false, + wantErr: true, + errContains: "kas key info is nil for a key with kas uri http://kas1.example.com", + }, + { + name: "key with nil pem", + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid1", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048}}, // No PEM + }, + existingGrants: []*policy.KeyAccessServer{}, + expectedGrants: []*policy.KeyAccessServer{ + {Id: "kas1", Uri: "http://kas1.example.com", PublicKey: &policy.PublicKey{PublicKey: &policy.PublicKey_Cached{Cached: &policy.KasPublicKeySet{Keys: []*policy.KasPublicKey{{Kid: "kid1", Alg: policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048, Pem: ""}}}}}}, + }, + wantErr: true, + errContains: "kas key PEM is empty, kid kid1", }, { name: "existing grant with nil PublicKey", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid_new", KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid_new", Algorithm: policy.Algorithm_ALGORITHM_EC_P256, Pem: validPem}}, }, existingGrants: []*policy.KeyAccessServer{ {Id: "kas1", Uri: "http://kas1.example.com", PublicKey: nil}, 
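Review bot: The new `key with nil pem` case sets `wantErr: true` but also fills `expectedGrants` with a kas1 grant carrying `Pem: ""`, which every other error case in this table leaves as `[]*policy.KeyAccessServer{}`; unless the loop body compares grants even on error (it is outside this hunk), that value is dead and misleading and should read `expectedGrants: []*policy.KeyAccessServer{},`. The case is also the same input as `empty pem` a few cases earlier — an unset `Pem` field and `Pem: ""` are the same zero value in the proto struct — so one of the two can go. The names `key with nil kas uri`, `key with nil kas id` and `key with nil pem` describe empty strings rather than nil; `empty` would match the `== ""` checks they exercise.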
@@ -170,8 +181,8 @@ func TestMapKasKeysToGrants(t *testing.T) { }, { name: "existing grant with PublicKey but nil Cached part", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid_new", KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid_new", Algorithm: policy.Algorithm_ALGORITHM_EC_P256, Pem: validPem}}, }, existingGrants: []*policy.KeyAccessServer{ {Id: "kas1", Uri: "http://kas1.example.com", PublicKey: &policy.PublicKey{PublicKey: nil}}, // Simulates PublicKey_Cached being nil @@ -185,8 +196,8 @@ func TestMapKasKeysToGrants(t *testing.T) { }, { name: "nil grant in existingGrants slice", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid1", KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid1", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, Pem: validPem}}, }, existingGrants: []*policy.KeyAccessServer{ nil, 
@@ -200,8 +211,8 @@ func TestMapKasKeysToGrants(t *testing.T) { }, { name: "existing grant with empty URI", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid1", KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid1", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, Pem: validPem}}, }, existingGrants: []*policy.KeyAccessServer{ {Id: "kas_empty_uri", Uri: "", PublicKey: &policy.PublicKey{PublicKey: &policy.PublicKey_Cached{Cached: &policy.KasPublicKeySet{Keys: []*policy.KasPublicKey{{Kid: "kid_empty", Alg: policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048, Pem: "empty_pem"}}}}}}, @@ -213,9 +224,9 @@ func TestMapKasKeysToGrants(t *testing.T) { }, { name: "multiple keys for the same new KAS URI", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid1_kas1", KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid2_kas1", KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid1_kas1", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, Pem: validPem}}, + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid2_kas1", Algorithm: policy.Algorithm_ALGORITHM_EC_P256, Pem: validPem}}, }, existingGrants: []*policy.KeyAccessServer{}, expectedGrants: []*policy.KeyAccessServer{ 
@@ -228,9 +239,9 @@ func TestMapKasKeysToGrants(t *testing.T) { }, { name: "multiple keys for the same existing KAS URI, one new, one duplicate KID", - keys: []*policy.KasKey{ - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid_existing", KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, // Duplicate KID - {KasId: "kas1", KasUri: "http://kas1.example.com", Key: &policy.AsymmetricKey{KeyId: "kid_new_for_existing", KeyAlgorithm: policy.Algorithm_ALGORITHM_EC_P256, PublicKeyCtx: &policy.PublicKeyCtx{Pem: validPemB64}}}, + keys: []*policy.SimpleKasKey{ + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid_existing", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, Pem: validPem}}, // Duplicate KID + {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid_new_for_existing", Algorithm: policy.Algorithm_ALGORITHM_EC_P256, Pem: validPem}}, }, existingGrants: []*policy.KeyAccessServer{ {Id: "kas1", Uri: "http://kas1.example.com", PublicKey: &policy.PublicKey{PublicKey: &policy.PublicKey_Cached{Cached: &policy.KasPublicKeySet{Keys: []*policy.KasPublicKey{{Kid: "kid_existing", Alg: policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048, Pem: "existing_pem"}}}}}}, diff --git a/service/policy/db/key_access_server_registry.go b/service/policy/db/key_access_server_registry.go index de94d12aab..9b289d75b6 100644 --- a/service/policy/db/key_access_server_registry.go +++ b/service/policy/db/key_access_server_registry.go @@ -57,9 +57,9 @@ func (c PolicyDBClient) ListKeyAccessServers(ctx context.Context, r *kasregistry return nil, err } - var keys []*policy.KasKey + var keys []*policy.SimpleKasKey if len(kas.Keys) > 0 { - keys, err = db.KasKeysProtoJSON(kas.Keys) + keys, err = db.SimpleKasKeysProtoJSON(kas.Keys) if err != nil { return nil, errors.New("failed to unmarshal keys") } 
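Review bot: The call switched to `db.SimpleKasKeysProtoJSON` still has its error discarded on the next line (`errors.New("failed to unmarshal keys")`), so a row whose JSON no longer matches `policy.SimpleKasKey` after the query change in this commit is reported without the protojson detail that would explain it; `fmt.Errorf("unmarshaling kas keys: %w", err)` keeps that detail (assuming `fmt` is in scope in this file). The same pattern appears in the GetKeyAccessServer hunk on the following line, whereas the namespaces.go hunk there logs the underlying error before returning it, so the three call sites touched by this commit handle the same failure three ways. ListKeyAccessServers and GetKeyAccessServer both continue outside these hunks.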
@@ -147,9 +147,9 @@ func (c PolicyDBClient) GetKeyAccessServer(ctx context.Context, identifier any) return nil, err } - var keys []*policy.KasKey + var keys []*policy.SimpleKasKey if len(kas.Keys) > 0 { - keys, err = db.KasKeysProtoJSON(kas.Keys) + keys, err = db.SimpleKasKeysProtoJSON(kas.Keys) if err != nil { return nil, errors.New("failed to unmarshal keys") } @@ -698,7 +698,7 @@ func (c PolicyDBClient) RotateKey(ctx context.Context, activeKey *policy.KasKey, return rotateKeyResp, nil } -func (c PolicyDBClient) GetBaseKey(ctx context.Context) (*kasregistry.SimpleKasKey, error) { +func (c PolicyDBClient) GetBaseKey(ctx context.Context) (*policy.SimpleKasKey, error) { key, err := c.Queries.getBaseKey(ctx) if err != nil && !errors.Is(db.WrapIfKnownInvalidQueryErr(err), db.ErrNotFound) { return nil, db.WrapIfKnownInvalidQueryErr(err) diff --git a/service/policy/db/namespaces.go b/service/policy/db/namespaces.go index d49e2511d7..2b3227c7ba 100644 --- a/service/policy/db/namespaces.go +++ b/service/policy/db/namespaces.go @@ -61,9 +61,9 @@ func (c PolicyDBClient) GetNamespace(ctx context.Context, identifier any) (*poli } } - var keys []*policy.KasKey + var keys []*policy.SimpleKasKey if len(ns.Keys) > 0 { - keys, err = db.KasKeysProtoJSON(ns.Keys) + keys, err = db.SimpleKasKeysProtoJSON(ns.Keys) if err != nil { c.logger.Error("could not unmarshal keys", slog.String("error", err.Error())) return nil, err diff --git a/service/policy/db/query.sql b/service/policy/db/query.sql index ac96d93a7d..338167488c 100644 --- a/service/policy/db/query.sql +++ b/service/policy/db/query.sql 
@@ -88,18 +88,17 @@ LEFT JOIN ( kask.key_access_server_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_uri', kas.uri, + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys FROM key_access_server_keys kask + INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id GROUP BY kask.key_access_server_id ) kask_keys ON kas.id = kask_keys.key_access_server_id LIMIT @limit_ @@ -126,18 +125,17 @@ LEFT JOIN ( kask.key_access_server_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_uri', kas.uri, + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys FROM key_access_server_keys kask + INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id GROUP BY kask.key_access_server_id ) kask_keys ON kas.id = kask_keys.key_access_server_id WHERE (sqlc.narg('id')::uuid IS NULL OR kas.id = sqlc.narg('id')::uuid) 
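Review bot: `CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8')` moves PEM decoding from Go into the query, and in PostgreSQL `DECODE` raises on malformed base64 rather than returning NULL, so a single key row with a bad `public_key_ctx.pem` now fails the whole ListKeyAccessServers / GetKeyAccessServer result set instead of that one key; the old Go path also errored for that key, but every query that embeds this block now shares the blast radius. That is acceptable only if `public_key_ctx` is validated when written (not visible here) and deserves a comment above the expression, e.g. `-- pem is stored base64-encoded in public_key_ctx; DECODE raises on malformed input, failing the whole query`. The same expression is repeated in the second hunk on this line and in the hunks at lines 383 and 384, and the JSON keys (`kas_uri`, `kas_id`, `public_key.algorithm/kid/pem`) are what `SimpleKasKeysProtoJSON` relies on, so a comment on the first copy noting that all copies must match `policy.SimpleKasKey`'s JSON field names would help keep them from drifting.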
@@ -488,15 +486,12 @@ WITH target_definition AS ( k.definition_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, 'kas_uri', kas.uri, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys @@ -537,15 +532,12 @@ namespaces AS ( k.namespace_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, 'kas_uri', kas.uri, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys @@ -657,15 +649,12 @@ values AS ( k.value_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, 'kas_uri', kas.uri, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys 
@@ -742,16 +731,13 @@ LEFT JOIN ( k.definition_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx - ), - 'kas_id', kask.key_access_server_id, - 'kas_uri', kas.uri + 'kas_uri', kas.uri, + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') + ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys FROM attribute_definition_public_key_map k @@ -858,15 +844,12 @@ LEFT JOIN ( k.value_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, 'kas_uri', kas.uri, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys @@ -1098,15 +1081,12 @@ LEFT JOIN ( k.namespace_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, 'kas_uri', kas.uri, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys 
@@ -1699,6 +1679,7 @@ WHERE id = $1; SELECT DISTINCT JSONB_BUILD_OBJECT( 'kas_uri', kas.uri, + 'kas_id', kas.id, 'public_key', JSONB_BUILD_OBJECT( 'algorithm', kask.key_algorithm::INTEGER, 'kid', kask.key_id, diff --git a/service/policy/db/query.sql.go b/service/policy/db/query.sql.go index e44910c1f4..ef0237eea9 100644 --- a/service/policy/db/query.sql.go +++ b/service/policy/db/query.sql.go @@ -448,16 +448,13 @@ LEFT JOIN ( k.definition_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx - ), - 'kas_id', kask.key_access_server_id, - 'kas_uri', kas.uri + 'kas_uri', kas.uri, + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') + ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys FROM attribute_definition_public_key_map k @@ -539,16 +536,13 @@ type GetAttributeRow struct { // k.definition_id, // JSONB_AGG( // DISTINCT JSONB_BUILD_OBJECT( -// 'key', JSONB_BUILD_OBJECT( -// 'id', kask.id, -// 'key_id', kask.key_id, -// 'key_status', kask.key_status, -// 'key_mode', kask.key_mode, -// 'key_algorithm', kask.key_algorithm, -// 'public_key_ctx', kask.public_key_ctx -// ), -// 'kas_id', kask.key_access_server_id, -// 'kas_uri', kas.uri +// 'kas_uri', kas.uri, +// 'kas_id', kas.id, +// 'public_key', JSONB_BUILD_OBJECT( +// 'algorithm', kask.key_algorithm::INTEGER, +// 'kid', kask.key_id, +// 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') +// ) // ) // ) FILTER (WHERE kask.id IS NOT NULL) AS keys // FROM attribute_definition_public_key_map k 
@@ -604,15 +598,12 @@ LEFT JOIN ( k.value_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, 'kas_uri', kas.uri, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys @@ -669,15 +660,12 @@ type GetAttributeValueRow struct { // k.value_id, // JSONB_AGG( // DISTINCT JSONB_BUILD_OBJECT( -// 'kas_id', kask.key_access_server_id, // 'kas_uri', kas.uri, -// 'key', JSONB_BUILD_OBJECT( -// 'id', kask.id, -// 'key_id', kask.key_id, -// 'key_status', kask.key_status, -// 'key_mode', kask.key_mode, -// 'key_algorithm', kask.key_algorithm, -// 'public_key_ctx', kask.public_key_ctx +// 'kas_id', kas.id, +// 'public_key', JSONB_BUILD_OBJECT( +// 'algorithm', kask.key_algorithm::INTEGER, +// 'kid', kask.key_id, +// 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') // ) // ) // ) FILTER (WHERE kask.id IS NOT NULL) AS keys 
@@ -726,18 +714,17 @@ LEFT JOIN ( kask.key_access_server_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_uri', kas.uri, + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys FROM key_access_server_keys kask + INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id GROUP BY kask.key_access_server_id ) kask_keys ON kas.id = kask_keys.key_access_server_id WHERE ($1::uuid IS NULL OR kas.id = $1::uuid) @@ -783,18 +770,17 @@ type GetKeyAccessServerRow struct { // kask.key_access_server_id, // JSONB_AGG( // DISTINCT JSONB_BUILD_OBJECT( -// 'kas_id', kask.key_access_server_id, -// 'key', JSONB_BUILD_OBJECT( -// 'id', kask.id, -// 'key_id', kask.key_id, -// 'key_status', kask.key_status, -// 'key_mode', kask.key_mode, -// 'key_algorithm', kask.key_algorithm, -// 'public_key_ctx', kask.public_key_ctx +// 'kas_uri', kas.uri, +// 'kas_id', kas.id, +// 'public_key', JSONB_BUILD_OBJECT( +// 'algorithm', kask.key_algorithm::INTEGER, +// 'kid', kask.key_id, +// 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') // ) // ) // ) FILTER (WHERE kask.id IS NOT NULL) AS keys // FROM key_access_server_keys kask +// INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id // GROUP BY kask.key_access_server_id // ) kask_keys ON kas.id = kask_keys.key_access_server_id // WHERE ($1::uuid IS NULL OR kas.id = $1::uuid) 
@@ -838,15 +824,12 @@ LEFT JOIN ( k.namespace_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, 'kas_uri', kas.uri, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys @@ -900,15 +883,12 @@ type GetNamespaceRow struct { // k.namespace_id, // JSONB_AGG( // DISTINCT JSONB_BUILD_OBJECT( -// 'kas_id', kask.key_access_server_id, // 'kas_uri', kas.uri, -// 'key', JSONB_BUILD_OBJECT( -// 'id', kask.id, -// 'key_id', kask.key_id, -// 'key_status', kask.key_status, -// 'key_mode', kask.key_mode, -// 'key_algorithm', kask.key_algorithm, -// 'public_key_ctx', kask.public_key_ctx +// 'kas_id', kas.id, +// 'public_key', JSONB_BUILD_OBJECT( +// 'algorithm', kask.key_algorithm::INTEGER, +// 'kid', kask.key_id, +// 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') // ) // ) // ) FILTER (WHERE kask.id IS NOT NULL) AS keys 
@@ -1617,18 +1597,17 @@ LEFT JOIN ( kask.key_access_server_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_uri', kas.uri, + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys FROM key_access_server_keys kask + INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id GROUP BY kask.key_access_server_id ) kask_keys ON kas.id = kask_keys.key_access_server_id LIMIT $2 @@ -1672,18 +1651,17 @@ type ListKeyAccessServersRow struct { // kask.key_access_server_id, // JSONB_AGG( // DISTINCT JSONB_BUILD_OBJECT( -// 'kas_id', kask.key_access_server_id, -// 'key', JSONB_BUILD_OBJECT( -// 'id', kask.id, -// 'key_id', kask.key_id, -// 'key_status', kask.key_status, -// 'key_mode', kask.key_mode, -// 'key_algorithm', kask.key_algorithm, -// 'public_key_ctx', kask.public_key_ctx +// 'kas_uri', kas.uri, +// 'kas_id', kas.id, +// 'public_key', JSONB_BUILD_OBJECT( +// 'algorithm', kask.key_algorithm::INTEGER, +// 'kid', kask.key_id, +// 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') // ) // ) // ) FILTER (WHERE kask.id IS NOT NULL) AS keys // FROM key_access_server_keys kask +// INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id // GROUP BY kask.key_access_server_id // ) kask_keys ON kas.id = kask_keys.key_access_server_id // LIMIT $2 @@ -3430,6 +3408,7 @@ const getBaseKey = `-- name: getBaseKey :one SELECT DISTINCT JSONB_BUILD_OBJECT( 'kas_uri', kas.uri, + 'kas_id', kas.id, 'public_key', JSONB_BUILD_OBJECT( 'algorithm', kask.key_algorithm::INTEGER, 'kid', kask.key_id, 
@@ -3448,6 +3427,7 @@ INNER JOIN key_access_servers kas ON kask.key_access_server_id = kas.id // SELECT // DISTINCT JSONB_BUILD_OBJECT( // 'kas_uri', kas.uri, +// 'kas_id', kas.id, // 'public_key', JSONB_BUILD_OBJECT( // 'algorithm', kask.key_algorithm::INTEGER, // 'kid', kask.key_id, @@ -3966,15 +3946,12 @@ WITH target_definition AS ( k.definition_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, 'kas_uri', kas.uri, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys @@ -4015,15 +3992,12 @@ namespaces AS ( k.namespace_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, 'kas_uri', kas.uri, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys 
@@ -4135,15 +4109,12 @@ values AS ( k.value_id, JSONB_AGG( DISTINCT JSONB_BUILD_OBJECT( - 'kas_id', kask.key_access_server_id, 'kas_uri', kas.uri, - 'key', JSONB_BUILD_OBJECT( - 'id', kask.id, - 'key_id', kask.key_id, - 'key_status', kask.key_status, - 'key_mode', kask.key_mode, - 'key_algorithm', kask.key_algorithm, - 'public_key_ctx', kask.public_key_ctx + 'kas_id', kas.id, + 'public_key', JSONB_BUILD_OBJECT( + 'algorithm', kask.key_algorithm::INTEGER, + 'kid', kask.key_id, + 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') ) ) ) FILTER (WHERE kask.id IS NOT NULL) AS keys @@ -4212,15 +4183,12 @@ type listAttributesByDefOrValueFqnsRow struct { // k.definition_id, // JSONB_AGG( // DISTINCT JSONB_BUILD_OBJECT( -// 'kas_id', kask.key_access_server_id, // 'kas_uri', kas.uri, -// 'key', JSONB_BUILD_OBJECT( -// 'id', kask.id, -// 'key_id', kask.key_id, -// 'key_status', kask.key_status, -// 'key_mode', kask.key_mode, -// 'key_algorithm', kask.key_algorithm, -// 'public_key_ctx', kask.public_key_ctx +// 'kas_id', kas.id, +// 'public_key', JSONB_BUILD_OBJECT( +// 'algorithm', kask.key_algorithm::INTEGER, +// 'kid', kask.key_id, +// 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') // ) // ) // ) FILTER (WHERE kask.id IS NOT NULL) AS keys 
@@ -4261,15 +4229,12 @@ type listAttributesByDefOrValueFqnsRow struct { // k.namespace_id, // JSONB_AGG( // DISTINCT JSONB_BUILD_OBJECT( -// 'kas_id', kask.key_access_server_id, // 'kas_uri', kas.uri, -// 'key', JSONB_BUILD_OBJECT( -// 'id', kask.id, -// 'key_id', kask.key_id, -// 'key_status', kask.key_status, -// 'key_mode', kask.key_mode, -// 'key_algorithm', kask.key_algorithm, -// 'public_key_ctx', kask.public_key_ctx +// 'kas_id', kas.id, +// 'public_key', JSONB_BUILD_OBJECT( +// 'algorithm', kask.key_algorithm::INTEGER, +// 'kid', kask.key_id, +// 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') // ) // ) // ) FILTER (WHERE kask.id IS NOT NULL) AS keys @@ -4381,15 +4346,12 @@ type listAttributesByDefOrValueFqnsRow struct { // k.value_id, // JSONB_AGG( // DISTINCT JSONB_BUILD_OBJECT( -// 'kas_id', kask.key_access_server_id, // 'kas_uri', kas.uri, -// 'key', JSONB_BUILD_OBJECT( -// 'id', kask.id, -// 'key_id', kask.key_id, -// 'key_status', kask.key_status, -// 'key_mode', kask.key_mode, -// 'key_algorithm', kask.key_algorithm, -// 'public_key_ctx', kask.public_key_ctx +// 'kas_id', kas.id, +// 'public_key', JSONB_BUILD_OBJECT( +// 'algorithm', kask.key_algorithm::INTEGER, +// 'kid', kask.key_id, +// 'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8') // ) // ) // ) FILTER (WHERE kask.id IS NOT NULL) AS keys diff --git a/service/policy/kasregistry/key_access_server_registry.proto b/service/policy/kasregistry/key_access_server_registry.proto index 23b39677d9..3e662f5cdc 100644 --- a/service/policy/kasregistry/key_access_server_registry.proto +++ b/service/policy/kasregistry/key_access_server_registry.proto 
@@ -604,17 +604,6 @@ message SetBaseKeyRequest { } } -message SimpleKasPublicKey { - Algorithm algorithm = 1; - string kid = 2; - string pem = 3; -} - -message SimpleKasKey { - string kas_uri = 1; // The URL of the Key Access Server - SimpleKasPublicKey public_key = 2; // The public key of the Key that belongs to the KAS -}; - message GetBaseKeyRequest {} message GetBaseKeyResponse { SimpleKasKey base_key = 1; // The current base key diff --git a/service/policy/objects.proto b/service/policy/objects.proto index 6a94e02506..6d046b8e51 100644 --- a/service/policy/objects.proto +++ b/service/policy/objects.proto @@ -6,6 +6,18 @@ import "buf/validate/validate.proto"; import "common/common.proto"; import "google/protobuf/wrappers.proto"; +message SimpleKasPublicKey { + Algorithm algorithm = 1; + string kid = 2; + string pem = 3; +} + +message SimpleKasKey { + string kas_uri = 1; // The URL of the Key Access Server + SimpleKasPublicKey public_key = 2; // The public key of the Key that belongs to the KAS + string kas_id = 3; // The ID of the Key Access Server +}; + message KeyProviderConfig { string id = 1; string name = 2; @@ -33,7 +45,7 @@ message Namespace { repeated KeyAccessServer grants = 6; // Keys for the namespace - repeated KasKey kas_keys = 7; + repeated SimpleKasKey kas_keys = 7; } message Attribute { @@ -62,7 +74,7 @@ message Attribute { google.protobuf.BoolValue active = 8; //Keys associated with the attribute - repeated KasKey kas_keys = 9; + repeated SimpleKasKey kas_keys = 9; // Common metadata common.Metadata metadata = 100; @@ -99,7 +111,7 @@ message Value { // subject mapping repeated SubjectMapping subject_mappings = 8; - repeated KasKey kas_keys = 9; + repeated SimpleKasKey kas_keys = 9; repeated ResourceMapping resource_mappings = 10; 
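Review bot: In the `@@ -6,6 +6,18 @@` hunk of objects.proto, the three fields of the relocated `SimpleKasPublicKey` carry no comment while every field of `SimpleKasKey` does, and since the generated query hunks above fill `pem` from `public_key_ctx ->> 'pem'` decoded from base64 to UTF-8 text and `algorithm` from `key_algorithm::INTEGER`, a one-line comment per field would pin that contract: `Algorithm algorithm = 1; // Algorithm of the public key`, `string kid = 2; // Key identifier (kid) of the public key`, `string pem = 3; // PEM-encoded public key`. `SimpleKasKey` also closes with `};` where `SimpleKasPublicKey` closes with `}`; the semicolon is legal but inconsistent within the same hunk. The trailing context shows `message KeyProviderConfig {` following, so neither message is cut by the hunk.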
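Review bot: In the `@@ -33,7 +45,7 @@` hunk `Namespace.kas_keys = 7` keeps its field number but changes type from `KasKey` to `SimpleKasKey`, and the same applies to `Attribute.kas_keys = 9` and `Value.kas_keys = 9` in the next two hunks and `KeyAccessServer.kas_keys = 5` in the `@@ -322` hunk. Both are message types, so the wire tag is unchanged and a client built against the old schema will parse `SimpleKasKey` bytes as a `KasKey`, most likely ending up with unknown or misassigned fields rather than a clean error; if the repo runs `buf breaking`, its FIELD_SAME_TYPE rule would presumably flag all four. If these messages have already shipped, the safer form is to retire the number and take a fresh one, e.g. `reserved 7;` followed by `repeated SimpleKasKey kas_keys = 8;` (with a number unused in that message); if they have not, a sentence in the commit description saying the break is intentional would help the next reader. The `KasKey` message itself is outside these hunks, so whether it is still referenced elsewhere cannot be judged here.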
@@ -322,7 +334,7 @@ message KeyAccessServer { // The source of the KAS: (INTERNAL, EXTERNAL) SourceType source_type = 4; // Kas keys associated with this KAS - repeated KasKey kas_keys = 5; + repeated SimpleKasKey kas_keys = 5; // Optional // Unique name of the KAS instance From 8ac499889ce88dcb09b5eece236e8a406e765e9a Mon Sep 17 00:00:00 2001 
From: Chris Reed Date: Wed, 4 Jun 2025 15:48:01 -0500 Subject: [PATCH 05/10] gen open api. --- .../authorization/authorization.openapi.yaml | 835 +++++++ .../authorization/authorization.swagger.json | 476 ++++ .../v2/authorization.openapi.yaml | 754 ++++++ .../v2/authorization.swagger.json | 341 +++ docs/openapi/common/common.openapi.yaml | 171 ++ docs/openapi/common/common.swagger.json | 46 + docs/openapi/entity/entity.openapi.yaml | 100 + docs/openapi/entity/entity.swagger.json | 46 + .../entity_resolution.openapi.yaml | 424 ++++ .../entity_resolution.swagger.json | 276 +++ .../v2/entity_resolution.openapi.yaml | 360 +++ .../v2/entity_resolution.swagger.json | 163 ++ docs/openapi/kas/kas.openapi.yaml | 495 ++++ docs/openapi/kas/kas.swagger.json | 255 ++ .../policy/actions/actions.openapi.yaml | 1151 +++++++++ .../policy/actions/actions.swagger.json | 698 ++++++ .../policy/attributes/attributes.openapi.yaml | 2174 +++++++++++++++++ .../policy/attributes/attributes.swagger.json | 975 ++++++++ .../key_access_server_registry.openapi.yaml | 2091 ++++++++++++++++ .../key_access_server_registry.swagger.json | 730 ++++++ .../keymanagement/key_management.openapi.yaml | 600 +++++ .../keymanagement/key_management.swagger.json | 197 ++ .../policy/namespaces/namespaces.openapi.yaml | 1063 ++++++++ .../policy/namespaces/namespaces.swagger.json | 429 ++++ docs/openapi/policy/objects.openapi.yaml | 943 +++++++ docs/openapi/policy/objects.swagger.json | 46 + .../registered_resources.openapi.yaml | 1675 +++++++++++++ .../registered_resources.swagger.json | 823 +++++++ .../resource_mapping.openapi.yaml | 1559 ++++++++++++ .../resource_mapping.swagger.json | 756 ++++++ docs/openapi/policy/selectors.openapi.yaml | 146 ++ docs/openapi/policy/selectors.swagger.json | 46 + .../subject_mapping.openapi.yaml | 1599 ++++++++++++ .../subject_mapping.swagger.json | 796 ++++++ .../openapi/policy/unsafe/unsafe.openapi.yaml | 1439 +++++++++++ .../openapi/policy/unsafe/unsafe.swagger.json | 684 
++++++ .../wellknown_configuration.openapi.yaml | 184 ++ .../wellknown_configuration.swagger.json | 90 + 38 files changed, 25636 insertions(+) create mode 100644 docs/openapi/authorization/authorization.openapi.yaml create mode 100644 docs/openapi/authorization/authorization.swagger.json create mode 100644 docs/openapi/authorization/v2/authorization.openapi.yaml create mode 100644 docs/openapi/authorization/v2/authorization.swagger.json create mode 100644 docs/openapi/common/common.openapi.yaml create mode 100644 docs/openapi/common/common.swagger.json create mode 100644 docs/openapi/entity/entity.openapi.yaml create mode 100644 docs/openapi/entity/entity.swagger.json create mode 100644 docs/openapi/entityresolution/entity_resolution.openapi.yaml create mode 100644 docs/openapi/entityresolution/entity_resolution.swagger.json create mode 100644 docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml create mode 100644 docs/openapi/entityresolution/v2/entity_resolution.swagger.json create mode 100644 docs/openapi/kas/kas.openapi.yaml create mode 100644 docs/openapi/kas/kas.swagger.json create mode 100644 docs/openapi/policy/actions/actions.openapi.yaml create mode 100644 docs/openapi/policy/actions/actions.swagger.json create mode 100644 docs/openapi/policy/attributes/attributes.openapi.yaml create mode 100644 docs/openapi/policy/attributes/attributes.swagger.json create mode 100644 docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml create mode 100644 docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json create mode 100644 docs/openapi/policy/keymanagement/key_management.openapi.yaml create mode 100644 docs/openapi/policy/keymanagement/key_management.swagger.json create mode 100644 docs/openapi/policy/namespaces/namespaces.openapi.yaml create mode 100644 docs/openapi/policy/namespaces/namespaces.swagger.json create mode 100644 docs/openapi/policy/objects.openapi.yaml create mode 100644 
docs/openapi/policy/objects.swagger.json create mode 100644 docs/openapi/policy/registeredresources/registered_resources.openapi.yaml create mode 100644 docs/openapi/policy/registeredresources/registered_resources.swagger.json create mode 100644 docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml create mode 100644 docs/openapi/policy/resourcemapping/resource_mapping.swagger.json create mode 100644 docs/openapi/policy/selectors.openapi.yaml create mode 100644 docs/openapi/policy/selectors.swagger.json create mode 100644 docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml create mode 100644 docs/openapi/policy/subjectmapping/subject_mapping.swagger.json create mode 100644 docs/openapi/policy/unsafe/unsafe.openapi.yaml create mode 100644 docs/openapi/policy/unsafe/unsafe.swagger.json create mode 100644 docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml create mode 100644 docs/openapi/wellknownconfiguration/wellknown_configuration.swagger.json diff --git a/docs/openapi/authorization/authorization.openapi.yaml b/docs/openapi/authorization/authorization.openapi.yaml new file mode 100644 index 0000000000..1f263fc4d0 --- /dev/null +++ b/docs/openapi/authorization/authorization.openapi.yaml 
@@ -0,0 +1,835 @@ +openapi: 3.1.0 +info: + title: authorization +paths: + /v1/authorization: + post: + tags: + - authorization.AuthorizationService + summary: GetDecisions + operationId: authorization.AuthorizationService.GetDecisions + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/authorization.GetDecisionsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/authorization.GetDecisionsResponse' + /v1/token/authorization: + post: + tags: + - authorization.AuthorizationService + summary: GetDecisionsByToken + operationId: authorization.AuthorizationService.GetDecisionsByToken + parameters: + - name: decisionRequests.actions.id + in: query + description: Generated uuid in database + schema: + type: string + title: id + description: Generated uuid in database + - name: decisionRequests.actions.standard + in: query + description: Deprecated + schema: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + - name: decisionRequests.actions.custom + in: query + description: Deprecated + schema: + type: string + title: custom + description: Deprecated + - name: decisionRequests.actions.name + in: query + schema: + type: string + title: name + - name: decisionRequests.actions.metadata.createdAt.seconds + in: query + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + schema: + type: + - integer + - string + title: seconds + format: int64 + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. 
+ - name: decisionRequests.actions.metadata.createdAt.nanos + in: query + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. + schema: + type: integer + title: nanos + format: int32 + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. + - name: decisionRequests.actions.metadata.labels.key + in: query + schema: + type: string + title: key + - name: decisionRequests.actions.metadata.labels.value + in: query + schema: + type: string + title: value + - name: decisionRequests.tokens.id + in: query + description: ephemeral id for tracking between request and response + schema: + type: string + title: id + description: ephemeral id for tracking between request and response + - name: decisionRequests.tokens.jwt + in: query + description: the token + schema: + type: string + title: jwt + description: the token + - name: decisionRequests.resourceAttributes.resourceAttributesId + in: query + schema: + type: string + title: resource_attributes_id + - name: decisionRequests.resourceAttributes.attributeValueFqns + in: query + schema: + type: array + items: + type: string + title: attribute_value_fqns + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/authorization.GetDecisionsByTokenResponse' + /v1/entitlements: + post: + tags: + - authorization.AuthorizationService + summary: GetEntitlements + operationId: authorization.AuthorizationService.GetEntitlements + requestBody: + content: + application/json: + schema: + $ref: 
'#/components/schemas/authorization.GetEntitlementsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/authorization.GetEntitlementsResponse' +components: + schemas: + authorization.DecisionResponse.Decision: + type: string + title: Decision + enum: + - DECISION_UNSPECIFIED + - DECISION_DENY + - DECISION_PERMIT + authorization.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + authorization.DecisionRequest: + type: object + properties: + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + entityChains: + type: array + items: + $ref: '#/components/schemas/authorization.EntityChain' + title: entity_chains + resourceAttributes: + type: array + items: + $ref: '#/components/schemas/authorization.ResourceAttribute' + title: resource_attributes + title: DecisionRequest + additionalProperties: false + description: |- + Example Request Get Decisions to answer the question - Do Bob (represented by entity chain ec1) + and Alice (represented by entity chain ec2) have TRANSMIT authorization for + 2 resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ? 
+ + { + "actions": [ + { + "standard": "STANDARD_ACTION_TRANSMIT" + } + ], + "entityChains": [ + { + "id": "ec1", + "entities": [ + { + "emailAddress": "bob@example.org" + } + ] + }, + { + "id": "ec2", + "entities": [ + { + "userName": "alice@example.org" + } + ] + } + ], + "resourceAttributes": [ + { + "resourceAttributeId": "attr-set-1", + "attributeFqns": [ + "https://www.example.org/attr/foo/value/value1" + ] + }, + { + "resourceAttributeId": "attr-set-2", + "attributeFqns": [ + "https://example.net/attr/attr1/value/value1", + "https://example.net/attr/attr1/value/value2" + ] + } + ] + } + authorization.DecisionResponse: + type: object + properties: + entityChainId: + type: string + title: entity_chain_id + description: ephemeral entity chain id from the request + resourceAttributesId: + type: string + title: resource_attributes_id + description: ephemeral resource attributes id from the request + action: + title: action + description: Action of the decision response + $ref: '#/components/schemas/policy.Action' + decision: + title: decision + description: The decision response + $ref: '#/components/schemas/authorization.DecisionResponse.Decision' + obligations: + type: array + items: + type: string + title: obligations + description: optional list of obligations represented in URI format + title: DecisionResponse + additionalProperties: false + description: |- + Example response for a Decision Request - Do Bob (represented by entity chain ec1) + and Alice (represented by entity chain ec2) have TRANSMIT authorization for + 2 resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ? 
+ + Results: + - bob has permitted authorization to transmit for a resource defined by attr-set-1 attributes and has a watermark obligation + - bob has denied authorization to transmit a for a resource defined by attr-set-2 attributes + - alice has permitted authorization to transmit for a resource defined by attr-set-1 attributes + - alice has denied authorization to transmit a for a resource defined by attr-set-2 attributes + + { + "entityChainId": "ec1", + "resourceAttributesId": "attr-set-1", + "decision": "DECISION_PERMIT", + "obligations": [ + "http://www.example.org/obligation/watermark" + ] + }, + { + "entityChainId": "ec1", + "resourceAttributesId": "attr-set-2", + "decision": "DECISION_PERMIT" + }, + { + "entityChainId": "ec2", + "resourceAttributesId": "attr-set-1", + "decision": "DECISION_PERMIT" + }, + { + "entityChainId": "ec2", + "resourceAttributesId": "attr-set-2", + "decision": "DECISION_DENY" + } + authorization.Entity: + type: object + oneOf: + - properties: + claims: + title: claims + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - properties: + clientId: + type: string + title: client_id + title: client_id + required: + - clientId + - properties: + custom: + title: custom + $ref: '#/components/schemas/authorization.EntityCustom' + title: custom + required: + - custom + - properties: + emailAddress: + type: string + title: email_address + description: one of the entity options must be set + title: email_address + required: + - emailAddress + - properties: + remoteClaimsUrl: + type: string + title: remote_claims_url + title: remote_claims_url + required: + - remoteClaimsUrl + - properties: + userName: + type: string + title: user_name + title: user_name + required: + - userName + - properties: + uuid: + type: string + title: uuid + title: uuid + required: + - uuid + properties: + id: + type: string + title: id + description: ephemeral id for tracking between request and response + category: + title: 
category + $ref: '#/components/schemas/authorization.Entity.Category' + title: Entity + additionalProperties: false + description: PE (Person Entity) or NPE (Non-Person Entity) + authorization.EntityChain: + type: object + properties: + id: + type: string + title: id + description: ephemeral id for tracking between request and response + entities: + type: array + items: + $ref: '#/components/schemas/authorization.Entity' + title: entities + title: EntityChain + additionalProperties: false + description: A set of related PE and NPE + authorization.EntityCustom: + type: object + properties: + extension: + title: extension + $ref: '#/components/schemas/google.protobuf.Any' + title: EntityCustom + additionalProperties: false + description: Entity type for custom entities beyond the standard types + authorization.EntityEntitlements: + type: object + properties: + entityId: + type: string + title: entity_id + attributeValueFqns: + type: array + items: + type: string + title: attribute_value_fqns + title: EntityEntitlements + additionalProperties: false + authorization.GetDecisionsByTokenRequest: + type: object + properties: + decisionRequests: + type: array + items: + $ref: '#/components/schemas/authorization.TokenDecisionRequest' + title: decision_requests + title: GetDecisionsByTokenRequest + additionalProperties: false + authorization.GetDecisionsByTokenResponse: + type: object + properties: + decisionResponses: + type: array + items: + $ref: '#/components/schemas/authorization.DecisionResponse' + title: decision_responses + title: GetDecisionsByTokenResponse + additionalProperties: false + authorization.GetDecisionsRequest: + type: object + properties: + decisionRequests: + type: array + items: + $ref: '#/components/schemas/authorization.DecisionRequest' + title: decision_requests + title: GetDecisionsRequest + additionalProperties: false + authorization.GetDecisionsResponse: + type: object + properties: + decisionResponses: + type: array + items: + $ref: 
'#/components/schemas/authorization.DecisionResponse' + title: decision_responses + title: GetDecisionsResponse + additionalProperties: false + authorization.GetEntitlementsRequest: + type: object + properties: + entities: + type: array + items: + $ref: '#/components/schemas/authorization.Entity' + title: entities + description: list of requested entities + scope: + title: scope + description: optional attribute fqn as a scope + nullable: true + $ref: '#/components/schemas/authorization.ResourceAttribute' + withComprehensiveHierarchy: + type: boolean + title: with_comprehensive_hierarchy + description: optional parameter to return a full list of entitlements - returns lower hierarchy attributes + nullable: true + title: GetEntitlementsRequest + additionalProperties: false + description: |- + Request to get entitlements for one or more entities for an optional attribute scope + + Example: Get entitlements for bob and alice (both represented using an email address + + { + "entities": [ + { + "id": "e1", + "emailAddress": "bob@example.org" + }, + { + "id": "e2", + "emailAddress": "alice@example.org" + } + ], + "scope": { + "attributeFqns": [ + "https://example.net/attr/attr1/value/value1", + "https://example.net/attr/attr1/value/value2" + ] + } + } + authorization.GetEntitlementsResponse: + type: object + properties: + entitlements: + type: array + items: + $ref: '#/components/schemas/authorization.EntityEntitlements' + title: entitlements + title: GetEntitlementsResponse + additionalProperties: false + description: |- + Example Response for a request of : Get entitlements for bob and alice (both represented using an email address + + { + "entitlements": [ + { + "entityId": "e1", + "attributeValueReferences": [ + { + "attributeFqn": "http://www.example.org/attr/foo/value/bar" + } + ] + }, + { + "entityId": "e2", + "attributeValueReferences": [ + { + "attributeFqn": "http://www.example.org/attr/color/value/red" + } + ] + } + ] + } + authorization.ResourceAttribute: + 
type: object + properties: + resourceAttributesId: + type: string + title: resource_attributes_id + attributeValueFqns: + type: array + items: + type: string + title: attribute_value_fqns + title: ResourceAttribute + additionalProperties: false + description: A logical bucket of attributes belonging to a "Resource" + authorization.Token: + type: object + properties: + id: + type: string + title: id + description: ephemeral id for tracking between request and response + jwt: + type: string + title: jwt + description: the token + title: Token + additionalProperties: false + authorization.TokenDecisionRequest: + type: object + properties: + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + tokens: + type: array + items: + $ref: '#/components/schemas/authorization.Token' + title: tokens + resourceAttributes: + type: array + items: + $ref: '#/components/schemas/authorization.ResourceAttribute' + title: resource_attributes + title: TokenDecisionRequest + additionalProperties: false + description: |- + Example Request Get Decisions by Token to answer the question - Do Bob and client1 (represented by token tok1) + and Alice and client2 (represented by token tok2) have TRANSMIT authorization for + 2 resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ? + + { + "actions": [ + { + "standard": "STANDARD_ACTION_TRANSMIT" + } + ], + "tokens": [ + { + "id": "tok1", + "jwt": .... + }, + { + "id": "tok2", + "jwt": ..... 
+ } + ], + "resourceAttributes": [ + { + "attributeFqns": [ + "https://www.example.org/attr/foo/value/value1" + ] + }, + { + "attributeFqns": [ + "https://example.net/attr/attr1/value/value1", + "https://example.net/attr/attr1/value/value2" + ] + } + ] + } + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. + google.protobuf.Timestamp: + type: string + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. 
Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. + + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. 
That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. 
+ policy.Action: + type: object + oneOf: + - properties: + custom: + type: string + title: custom + description: Deprecated + title: custom + required: + - custom + - properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Action + additionalProperties: false + description: An action an entity can take + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' +security: [] +tags: + - name: authorization.AuthorizationService 
diff --git a/docs/openapi/authorization/authorization.swagger.json b/docs/openapi/authorization/authorization.swagger.json new file mode 100644 index 0000000000..5f9b787c93 --- /dev/null +++ b/docs/openapi/authorization/authorization.swagger.json 
@@ -0,0 +1,476 @@ +{ + "swagger": "2.0", + "info": { + "title": "authorization/authorization.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "AuthorizationService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": { + "/v1/authorization": { + "post": { + "operationId": "AuthorizationService_GetDecisions", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/authorizationGetDecisionsResponse" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/rpcStatus" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/authorizationGetDecisionsRequest" + } + } + ], + "tags": [ + "AuthorizationService" + ] + } + }, + "/v1/entitlements": { + "post": { + "operationId": "AuthorizationService_GetEntitlements", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/authorizationGetEntitlementsResponse" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/rpcStatus" + } + } + }, + "parameters": [ + { + "name": "body", + "description": "Example: Get entitlements for bob and alice (both represented using an email address\n\n{\n\"entities\": [\n{\n\"id\": \"e1\",\n\"emailAddress\": \"bob@example.org\"\n},\n{\n\"id\": \"e2\",\n\"emailAddress\": \"alice@example.org\"\n}\n],\n\"scope\": {\n\"attributeFqns\": [\n\"https://example.net/attr/attr1/value/value1\",\n\"https://example.net/attr/attr1/value/value2\"\n]\n}\n}", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/authorizationGetEntitlementsRequest" + } + } + ], + "tags": [ + "AuthorizationService" + ] + } + }, + "/v1/token/authorization": { + "post": { + "operationId": "AuthorizationService_GetDecisionsByToken", + "responses": { + 
"200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/authorizationGetDecisionsByTokenResponse" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/rpcStatus" + } + } + }, + "tags": [ + "AuthorizationService" + ] + } + } + }, + "definitions": { + "ActionStandardAction": { + "type": "string", + "enum": [ + "STANDARD_ACTION_UNSPECIFIED", + "STANDARD_ACTION_DECRYPT", + "STANDARD_ACTION_TRANSMIT" + ], + "default": "STANDARD_ACTION_UNSPECIFIED", + "title": "- STANDARD_ACTION_DECRYPT: Deprecated\nMigrate to 'read' action name\n - STANDARD_ACTION_TRANSMIT: Deprecated\nMigrate to 'create' action name" + }, + "authorizationDecisionRequest": { + "type": "object", + "properties": { + "actions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyAction" + } + }, + "entityChains": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationEntityChain" + } + }, + "resourceAttributes": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationResourceAttribute" + } + } + }, + "description": "{\n\"actions\": [\n{\n\"standard\": \"STANDARD_ACTION_TRANSMIT\"\n}\n],\n\"entityChains\": [\n{\n\"id\": \"ec1\",\n\"entities\": [\n{\n\"emailAddress\": \"bob@example.org\"\n}\n]\n},\n{\n\"id\": \"ec2\",\n\"entities\": [\n{\n\"userName\": \"alice@example.org\"\n}\n]\n}\n],\n\"resourceAttributes\": [\n{\n\"resourceAttributeId\": \"attr-set-1\",\n\"attributeFqns\": [\n\"https://www.example.org/attr/foo/value/value1\"\n]\n},\n{\n\"resourceAttributeId\": \"attr-set-2\",\n\"attributeFqns\": [\n\"https://example.net/attr/attr1/value/value1\",\n\"https://example.net/attr/attr1/value/value2\"\n]\n}\n]\n}", + "title": "Example Request Get Decisions to answer the question - Do Bob (represented by entity chain ec1)\nand Alice (represented by entity chain ec2) have TRANSMIT authorization for\n2 resources; 
resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ?" + }, + "authorizationDecisionResponse": { + "type": "object", + "properties": { + "entityChainId": { + "type": "string", + "title": "ephemeral entity chain id from the request" + }, + "resourceAttributesId": { + "type": "string", + "title": "ephemeral resource attributes id from the request" + }, + "action": { + "$ref": "#/definitions/policyAction", + "title": "Action of the decision response" + }, + "decision": { + "$ref": "#/definitions/authorizationDecisionResponseDecision", + "title": "The decision response" + }, + "obligations": { + "type": "array", + "items": { + "type": "string" + }, + "title": "optional list of obligations represented in URI format" + } + }, + "description": "Results:\n- bob has permitted authorization to transmit for a resource defined by attr-set-1 attributes and has a watermark obligation\n- bob has denied authorization to transmit a for a resource defined by attr-set-2 attributes\n- alice has permitted authorization to transmit for a resource defined by attr-set-1 attributes\n- alice has denied authorization to transmit a for a resource defined by attr-set-2 attributes\n\n{\n\"entityChainId\": \"ec1\",\n\"resourceAttributesId\": \"attr-set-1\",\n\"decision\": \"DECISION_PERMIT\",\n\"obligations\": [\n\"http://www.example.org/obligation/watermark\"\n]\n},\n{\n\"entityChainId\": \"ec1\",\n\"resourceAttributesId\": \"attr-set-2\",\n\"decision\": \"DECISION_PERMIT\"\n},\n{\n\"entityChainId\": \"ec2\",\n\"resourceAttributesId\": \"attr-set-1\",\n\"decision\": \"DECISION_PERMIT\"\n},\n{\n\"entityChainId\": \"ec2\",\n\"resourceAttributesId\": \"attr-set-2\",\n\"decision\": \"DECISION_DENY\"\n}", + "title": "Example response for a Decision Request - Do Bob (represented by entity chain ec1)\nand Alice (represented by entity chain ec2) have TRANSMIT authorization for\n2 resources; resource1 (attr-set-1) defined by attributes 
foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ?" + }, + "authorizationDecisionResponseDecision": { + "type": "string", + "enum": [ + "DECISION_UNSPECIFIED", + "DECISION_DENY", + "DECISION_PERMIT" + ], + "default": "DECISION_UNSPECIFIED" + }, + "authorizationEntity": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "emailAddress": { + "type": "string", + "title": "one of the entity options must be set" + }, + "userName": { + "type": "string" + }, + "remoteClaimsUrl": { + "type": "string" + }, + "uuid": { + "type": "string" + }, + "claims": { + "$ref": "#/definitions/protobufAny" + }, + "custom": { + "$ref": "#/definitions/authorizationEntityCustom" + }, + "clientId": { + "type": "string" + }, + "category": { + "$ref": "#/definitions/authorizationEntityCategory" + } + }, + "title": "PE (Person Entity) or NPE (Non-Person Entity)" + }, + "authorizationEntityCategory": { + "type": "string", + "enum": [ + "CATEGORY_UNSPECIFIED", + "CATEGORY_SUBJECT", + "CATEGORY_ENVIRONMENT" + ], + "default": "CATEGORY_UNSPECIFIED" + }, + "authorizationEntityChain": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "entities": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationEntity" + } + } + }, + "title": "A set of related PE and NPE" + }, + "authorizationEntityCustom": { + "type": "object", + "properties": { + "extension": { + "$ref": "#/definitions/protobufAny" + } + }, + "title": "Entity type for custom entities beyond the standard types" + }, + "authorizationEntityEntitlements": { + "type": "object", + "properties": { + "entityId": { + "type": "string" + }, + "attributeValueFqns": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "authorizationGetDecisionsByTokenResponse": { + "type": "object", + 
"properties": { + "decisionResponses": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationDecisionResponse" + } + } + } + }, + "authorizationGetDecisionsRequest": { + "type": "object", + "properties": { + "decisionRequests": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationDecisionRequest" + } + } + } + }, + "authorizationGetDecisionsResponse": { + "type": "object", + "properties": { + "decisionResponses": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationDecisionResponse" + } + } + } + }, + "authorizationGetEntitlementsRequest": { + "type": "object", + "properties": { + "entities": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationEntity" + }, + "title": "list of requested entities" + }, + "scope": { + "$ref": "#/definitions/authorizationResourceAttribute", + "title": "optional attribute fqn as a scope" + }, + "withComprehensiveHierarchy": { + "type": "boolean", + "title": "optional parameter to return a full list of entitlements - returns lower hierarchy attributes" + } + }, + "description": "Example: Get entitlements for bob and alice (both represented using an email address\n\n{\n\"entities\": [\n{\n\"id\": \"e1\",\n\"emailAddress\": \"bob@example.org\"\n},\n{\n\"id\": \"e2\",\n\"emailAddress\": \"alice@example.org\"\n}\n],\n\"scope\": {\n\"attributeFqns\": [\n\"https://example.net/attr/attr1/value/value1\",\n\"https://example.net/attr/attr1/value/value2\"\n]\n}\n}", + "title": "Request to get entitlements for one or more entities for an optional attribute scope" + }, + "authorizationGetEntitlementsResponse": { + "type": "object", + "properties": { + "entitlements": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationEntityEntitlements" + } + } + }, + "description": "{\n\"entitlements\": [\n{\n\"entityId\": \"e1\",\n\"attributeValueReferences\": 
[\n{\n\"attributeFqn\": \"http://www.example.org/attr/foo/value/bar\"\n}\n]\n},\n{\n\"entityId\": \"e2\",\n\"attributeValueReferences\": [\n{\n\"attributeFqn\": \"http://www.example.org/attr/color/value/red\"\n}\n]\n}\n]\n}", + "title": "Example Response for a request of : Get entitlements for bob and alice (both represented using an email address" + }, + "authorizationResourceAttribute": { + "type": "object", + "properties": { + "resourceAttributesId": { + "type": "string" + }, + "attributeValueFqns": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "title": "A logical bucket of attributes belonging to a \"Resource\"" + }, + "authorizationToken": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "jwt": { + "type": "string", + "title": "the token" + } + } + }, + "authorizationTokenDecisionRequest": { + "type": "object", + "properties": { + "actions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyAction" + } + }, + "tokens": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationToken" + } + }, + "resourceAttributes": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationResourceAttribute" + } + } + }, + "description": "{\n\"actions\": [\n{\n\"standard\": \"STANDARD_ACTION_TRANSMIT\"\n}\n],\n\"tokens\": [\n{\n\"id\": \"tok1\",\n\"jwt\": ....\n},\n{\n\"id\": \"tok2\",\n\"jwt\": .....\n}\n],\n\"resourceAttributes\": [\n{\n\"attributeFqns\": [\n\"https://www.example.org/attr/foo/value/value1\"\n]\n},\n{\n\"attributeFqns\": [\n\"https://example.net/attr/attr1/value/value1\",\n\"https://example.net/attr/attr1/value/value2\"\n]\n}\n]\n}", + "title": "Example Request Get Decisions by Token to answer the question - Do Bob and client1 (represented by token tok1)\nand Alice and client2 (represented by token tok2) have TRANSMIT authorization for\n2 
resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ?" + }, + "commonMetadata": { + "type": "object", + "properties": { + "createdAt": { + "type": "string", + "format": "date-time", + "title": "created_at set by server (entity who created will recorded in an audit event)" + }, + "updatedAt": { + "type": "string", + "format": "date-time", + "title": "updated_at set by server (entity who updated will recorded in an audit event)" + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional short description" + } + }, + "title": "Struct to uniquely identify a resource with optional additional metadata" + }, + "policyAction": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "Generated uuid in database" + }, + "standard": { + "$ref": "#/definitions/ActionStandardAction", + "title": "Deprecated" + }, + "custom": { + "type": "string", + "title": "Deprecated" + }, + "name": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "An action an entity can take" + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. 
However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." + } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := 
anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/authorization/v2/authorization.openapi.yaml b/docs/openapi/authorization/v2/authorization.openapi.yaml new file mode 100644 index 0000000000..dc54df177d --- /dev/null +++ b/docs/openapi/authorization/v2/authorization.openapi.yaml 
@@ -0,0 +1,754 @@ +openapi: 3.1.0 +info: + title: authorization.v2 +paths: + /authorization.v2.AuthorizationService/GetDecision: + post: + tags: + - authorization.v2.AuthorizationService + summary: GetDecision + operationId: authorization.v2.AuthorizationService.GetDecision + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/authorization.v2.GetDecisionRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/authorization.v2.GetDecisionResponse' + /authorization.v2.AuthorizationService/GetDecisionMultiResource: + post: + tags: + - authorization.v2.AuthorizationService + summary: GetDecisionMultiResource + operationId: authorization.v2.AuthorizationService.GetDecisionMultiResource + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/authorization.v2.GetDecisionMultiResourceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/authorization.v2.GetDecisionMultiResourceResponse' + /authorization.v2.AuthorizationService/GetDecisionBulk: + post: + tags: + - authorization.v2.AuthorizationService + summary: 
GetDecisionBulk + operationId: authorization.v2.AuthorizationService.GetDecisionBulk + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/authorization.v2.GetDecisionBulkRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/authorization.v2.GetDecisionBulkResponse' + /authorization.v2.AuthorizationService/GetEntitlements: + post: + tags: + - authorization.v2.AuthorizationService + summary: GetEntitlements + operationId: authorization.v2.AuthorizationService.GetEntitlements + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/authorization.v2.GetEntitlementsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/authorization.v2.GetEntitlementsResponse' +components: + schemas: + authorization.v2.Decision: + type: string + title: Decision + enum: + - DECISION_UNSPECIFIED + - DECISION_DENY + - DECISION_PERMIT + entity.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT + policy.Action.StandardAction: + type: string + title: 
StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + authorization.v2.EntityEntitlements: + type: object + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + actionsPerAttributeValueFqn: + type: object + title: actions_per_attribute_value_fqn + additionalProperties: + title: value + $ref: '#/components/schemas/authorization.v2.EntityEntitlements.ActionsList' + title: EntityEntitlements + additionalProperties: false + description: Entitlements for a given entity, mapping each attribute value FQN to any entitled actions[] + authorization.v2.EntityEntitlements.ActionsList: + type: object + properties: + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + title: ActionsList + additionalProperties: false + authorization.v2.EntityEntitlements.ActionsPerAttributeValueFqnEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + $ref: '#/components/schemas/authorization.v2.EntityEntitlements.ActionsList' + title: ActionsPerAttributeValueFqnEntry + additionalProperties: false + authorization.v2.EntityIdentifier: + type: object + oneOf: + - properties: + entityChain: + title: entity_chain + description: |+ + chain of one or more entities + entities must be provided: + ``` + has(this.entities) && this.entities.size() > 0 + ``` + + $ref: '#/components/schemas/entity.EntityChain' + title: entity_chain + required: + - entityChain + - properties: + registeredResourceValueFqn: + type: string + title: registered_resource_value_fqn + minLength: 1 + format: uri + description: |- + fully qualified name of the registered resource value stored in platform policy, where in + this case the resource acts as and represents a single entity for authorization/entitlement decisioning + title: registered_resource_value_fqn + required: + - registeredResourceValueFqn + - 
properties: + token: + title: token + description: |+ + access token (JWT), which is used to create an entity chain (comprising one or more entities) + token must be provided: + ``` + has(this.jwt) && this.jwt.size() > 0 + ``` + + $ref: '#/components/schemas/entity.Token' + title: token + required: + - token + title: EntityIdentifier + additionalProperties: false + description: |- + The EntityIdentifier specifies the actor in an entitlement or decision request - the PE, NPE, or PE+NPE being authorized. + The abstraction houses the distinct entity types, PE and/or NPE combinations, or a registered resource value + being treated as an entity in entitlement/authorization decisioning. + authorization.v2.GetDecisionBulkRequest: + type: object + properties: + decisionRequests: + type: array + items: + $ref: '#/components/schemas/authorization.v2.GetDecisionMultiResourceRequest' + title: decision_requests + title: GetDecisionBulkRequest + additionalProperties: false + description: |- + Is access allowed? + 1. Multiplexing of a Decision request + This is a more performant bulk request for complex decisioning (i.e. 
multiple entity chains or actions on + multiple resources) + authorization.v2.GetDecisionBulkResponse: + type: object + properties: + decisionResponses: + type: array + items: + $ref: '#/components/schemas/authorization.v2.GetDecisionMultiResourceResponse' + title: decision_responses + title: GetDecisionBulkResponse + additionalProperties: false + authorization.v2.GetDecisionMultiResourceRequest: + type: object + properties: + entityIdentifier: + title: entity_identifier + description: an entity must be identified for authorization decisioning + $ref: '#/components/schemas/authorization.v2.EntityIdentifier' + action: + title: action + description: name on action is required + $ref: '#/components/schemas/policy.Action' + resources: + type: array + items: + $ref: '#/components/schemas/authorization.v2.Resource' + title: resources + minItems: 1 + title: GetDecisionMultiResourceRequest + required: + - entityIdentifier + - action + - resources + additionalProperties: false + description: |+ + Can the identified entity/entities access? + 1. one entity reference (actor) + 2. one action + 3. 
multiple resources + Note: this is a more performant bulk request for multiple resource decisions + action.name must be provided: + ``` + has(this.action.name) + ``` + + authorization.v2.GetDecisionMultiResourceResponse: + type: object + properties: + allPermitted: + title: all_permitted + description: convenience flag indicating global resource decisions result (permit/deny) + $ref: '#/components/schemas/google.protobuf.BoolValue' + resourceDecisions: + type: array + items: + $ref: '#/components/schemas/authorization.v2.ResourceDecision' + title: resource_decisions + description: individual resource decisions + title: GetDecisionMultiResourceResponse + additionalProperties: false + authorization.v2.GetDecisionRequest: + type: object + properties: + entityIdentifier: + title: entity_identifier + description: an entity must be identified for authorization decisioning + $ref: '#/components/schemas/authorization.v2.EntityIdentifier' + action: + title: action + description: name on action is required + $ref: '#/components/schemas/policy.Action' + resource: + title: resource + $ref: '#/components/schemas/authorization.v2.Resource' + title: GetDecisionRequest + required: + - entityIdentifier + - action + - resource + additionalProperties: false + description: |+ + Can the identified entity/entities access? + 1. one entity reference (actor) + 2. one action + 3. 
one resource + action.name must be provided: + ``` + has(this.action.name) + ``` + + authorization.v2.GetDecisionResponse: + type: object + properties: + decision: + title: decision + description: |- + decision on the resource optional list of obligations represented in URI format + repeated string obligations = 2; + $ref: '#/components/schemas/authorization.v2.ResourceDecision' + title: GetDecisionResponse + additionalProperties: false + authorization.v2.GetEntitlementsRequest: + type: object + properties: + entityIdentifier: + title: entity_identifier + description: an entity must be identified for entitlement decisioning + $ref: '#/components/schemas/authorization.v2.EntityIdentifier' + withComprehensiveHierarchy: + type: boolean + title: with_comprehensive_hierarchy + description: |- + optional parameter to return all entitled values for attribute definitions with hierarchy rules, propagating + down the hierarchical values instead of returning solely the value that is directly entitled + nullable: true + title: GetEntitlementsRequest + required: + - entityIdentifier + additionalProperties: false + description: |- + What is permitted to the identified entity/entities (actor), broken down as permitted actions on attribute value FQNs? 
+ + Note: the v1 API parameter 'scope' has been dropped, and it is recommended to use + GetDecision if the resource is known + authorization.v2.GetEntitlementsResponse: + type: object + properties: + entitlements: + type: array + items: + $ref: '#/components/schemas/authorization.v2.EntityEntitlements' + title: entitlements + title: GetEntitlementsResponse + additionalProperties: false + authorization.v2.Resource: + type: object + oneOf: + - properties: + attributeValues: + title: attribute_values + description: |+ + if provided, resource.attribute_values must not be empty: + ``` + this.fqns.size() > 0 && this.fqns.all(item, item.isUri()) + ``` + + $ref: '#/components/schemas/authorization.v2.Resource.AttributeValues' + title: attribute_values + required: + - attributeValues + - properties: + registeredResourceValueFqn: + type: string + title: registered_resource_value_fqn + minLength: 1 + format: uri + title: registered_resource_value_fqn + required: + - registeredResourceValueFqn + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + title: Resource + additionalProperties: false + description: Either a set of attribute values (such as those on a TDF) or a registered resource value + authorization.v2.Resource.AttributeValues: + type: object + properties: + fqns: + type: array + items: + type: string + title: fqns + title: AttributeValues + additionalProperties: false + authorization.v2.ResourceDecision: + type: object + properties: + ephemeralResourceId: + type: string + title: ephemeral_resource_id + description: ephemeral id for tracking between request and response + decision: + title: decision + description: decision result + $ref: '#/components/schemas/authorization.v2.Decision' + title: ResourceDecision + additionalProperties: false + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will 
recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + entity.Entity: + type: object + oneOf: + - properties: + claims: + title: claims + description: used by ERS claims mode + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - properties: + clientId: + type: string + title: client_id + title: client_id + required: + - clientId + - properties: + emailAddress: + type: string + title: email_address + title: email_address + required: + - emailAddress + - properties: + userName: + type: string + title: user_name + title: user_name + required: + - userName + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + category: + title: category + $ref: '#/components/schemas/entity.Entity.Category' + title: Entity + additionalProperties: false + description: PE (Person Entity) or NPE (Non-Person Entity) + entity.EntityChain: + type: object + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + entities: + type: array + items: + $ref: '#/components/schemas/entity.Entity' + title: entities + title: EntityChain + additionalProperties: false + description: A set of related PE and NPE + entity.Token: + type: object + 
properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + jwt: + type: string + title: jwt + description: the token + title: Token + required: + - jwt + additionalProperties: false + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for `bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. + google.protobuf.Timestamp: + type: string + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. 
+ + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. + + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). 
+ + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. + policy.Action: + type: object + oneOf: + - properties: + custom: + type: string + title: custom + description: Deprecated + title: custom + required: + - custom + - properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Action + additionalProperties: false + description: An action an entity can take + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - 
unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' +security: [] +tags: + - name: authorization.v2.AuthorizationService diff --git a/docs/openapi/authorization/v2/authorization.swagger.json b/docs/openapi/authorization/v2/authorization.swagger.json new file mode 100644 index 0000000000..a1e5daaac9 --- /dev/null +++ b/docs/openapi/authorization/v2/authorization.swagger.json 
@@ -0,0 +1,341 @@ +{ + "swagger": "2.0", + "info": { + "title": "authorization/v2/authorization.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "AuthorizationService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "ActionStandardAction": { + "type": "string", + "enum": [ + "STANDARD_ACTION_UNSPECIFIED", + "STANDARD_ACTION_DECRYPT", + "STANDARD_ACTION_TRANSMIT" + ], + "default": "STANDARD_ACTION_UNSPECIFIED", + "title": "- STANDARD_ACTION_DECRYPT: Deprecated\nMigrate to 'read' action name\n - STANDARD_ACTION_TRANSMIT: Deprecated\nMigrate to 'create' action name" + }, + "EntityEntitlementsActionsList": { + "type": "object", + "properties": { + "actions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyAction" + } + } + } + }, + "ResourceAttributeValues": { + "type": "object", + "properties": { + "fqns": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "authorizationv2Decision": { + "type": "string", + "enum": [ + "DECISION_UNSPECIFIED", + "DECISION_DENY", + "DECISION_PERMIT" + ], + "default": "DECISION_UNSPECIFIED", + "title": "- DECISION_PERMIT: DECISION_OBLIGATED = 3;" + }, + "authorizationv2EntityEntitlements": { + "type": "object", + "properties": { + "ephemeralId": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "actionsPerAttributeValueFqn": { + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/EntityEntitlementsActionsList" + } + } + }, + "title": "Entitlements for a given entity, mapping each attribute value FQN to any entitled actions[]" + }, + "authorizationv2GetEntitlementsResponse": { + "type": "object", + "properties": { + "entitlements": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationv2EntityEntitlements" + } + } + } + }, + "commonMetadata": { + "type": "object", + "properties": 
{ + "createdAt": { + "type": "string", + "format": "date-time", + "title": "created_at set by server (entity who created will recorded in an audit event)" + }, + "updatedAt": { + "type": "string", + "format": "date-time", + "title": "updated_at set by server (entity who updated will recorded in an audit event)" + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional short description" + } + }, + "title": "Struct to uniquely identify a resource with optional additional metadata" + }, + "entityEntity": { + "type": "object", + "properties": { + "ephemeralId": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "emailAddress": { + "type": "string" + }, + "userName": { + "type": "string" + }, + "claims": { + "$ref": "#/definitions/protobufAny", + "title": "used by ERS claims mode" + }, + "clientId": { + "type": "string" + }, + "category": { + "$ref": "#/definitions/entityEntityCategory" + } + }, + "title": "PE (Person Entity) or NPE (Non-Person Entity)" + }, + "entityEntityCategory": { + "type": "string", + "enum": [ + "CATEGORY_UNSPECIFIED", + "CATEGORY_SUBJECT", + "CATEGORY_ENVIRONMENT" + ], + "default": "CATEGORY_UNSPECIFIED" + }, + "entityEntityChain": { + "type": "object", + "properties": { + "ephemeralId": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "entities": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/entityEntity" + } + } + }, + "title": "A set of related PE and NPE" + }, + "entityToken": { + "type": "object", + "properties": { + "ephemeralId": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "jwt": { + "type": "string", + "title": "the token" + } + } + }, + "policyAction": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "Generated uuid in database" + }, + "standard": { + "$ref": 
"#/definitions/ActionStandardAction", + "title": "Deprecated" + }, + "custom": { + "type": "string", + "title": "Deprecated" + }, + "name": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "An action an entity can take" + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." 
+ } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. 
Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + }, + "v2EntityIdentifier": { + "type": "object", + "properties": { + "entityChain": { + "$ref": "#/definitions/entityEntityChain", + "title": "chain of one or more entities" + }, + "registeredResourceValueFqn": { + "type": "string", + "title": "fully qualified name of the registered resource value stored in platform policy, where in\nthis case the resource acts as and represents a single entity for authorization/entitlement decisioning" + }, + "token": { + "$ref": "#/definitions/entityToken", + "title": "access token (JWT), which is used to create an entity chain (comprising one or more entities)" + } + }, + "description": "The EntityIdentifier specifies the actor in an entitlement or decision request - the PE, NPE, or PE+NPE being authorized.\nThe abstraction houses the distinct entity types, PE and/or NPE combinations, or a registered resource value\nbeing treated as an entity in entitlement/authorization decisioning." 
+ }, + "v2GetDecisionBulkResponse": { + "type": "object", + "properties": { + "decisionResponses": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/v2GetDecisionMultiResourceResponse" + } + } + } + }, + "v2GetDecisionMultiResourceRequest": { + "type": "object", + "properties": { + "entityIdentifier": { + "$ref": "#/definitions/v2EntityIdentifier", + "title": "an entity must be identified for authorization decisioning" + }, + "action": { + "$ref": "#/definitions/policyAction", + "title": "name on action is required" + }, + "resources": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/v2Resource" + } + } + }, + "title": "Can the identified entity/entities access?\n1. one entity reference (actor)\n2. one action\n3. multiple resources\nNote: this is a more performant bulk request for multiple resource decisions" + }, + "v2GetDecisionMultiResourceResponse": { + "type": "object", + "properties": { + "allPermitted": { + "type": "boolean", + "title": "convenience flag indicating global resource decisions result (permit/deny)" + }, + "resourceDecisions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/v2ResourceDecision" + }, + "title": "individual resource decisions" + } + } + }, + "v2GetDecisionResponse": { + "type": "object", + "properties": { + "decision": { + "$ref": "#/definitions/v2ResourceDecision", + "description": "optional list of obligations represented in URI format\n repeated string obligations = 2;", + "title": "decision on the resource" + } + } + }, + "v2Resource": { + "type": "object", + "properties": { + "ephemeralId": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "attributeValues": { + "$ref": "#/definitions/ResourceAttributeValues" + }, + "registeredResourceValueFqn": { + "type": "string" + } + }, + "title": "Either a set of attribute values (such as those on a TDF) or a registered resource value" + }, + 
"v2ResourceDecision": { + "type": "object", + "properties": { + "ephemeralResourceId": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "decision": { + "$ref": "#/definitions/authorizationv2Decision", + "title": "decision result" + } + } + } + } +} diff --git a/docs/openapi/common/common.openapi.yaml b/docs/openapi/common/common.openapi.yaml new file mode 100644 index 0000000000..b19945f5df --- /dev/null +++ b/docs/openapi/common/common.openapi.yaml 
@@ -0,0 +1,171 @@ +openapi: 3.1.0 +info: + title: common +paths: {} +components: + schemas: + common.ActiveStateEnum: + type: string + title: ActiveStateEnum + enum: + - ACTIVE_STATE_ENUM_UNSPECIFIED + - ACTIVE_STATE_ENUM_ACTIVE + - ACTIVE_STATE_ENUM_INACTIVE + - ACTIVE_STATE_ENUM_ANY + description: 'buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren''t violated when users add new enum values to an enum in a given package' + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + common.MetadataMutable: + type: object + properties: + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional labels + title: MetadataMutable + additionalProperties: false + common.MetadataMutable.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.Timestamp: + type: string + format: date-time + 
description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. 
+ + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. + + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. +security: [] diff --git a/docs/openapi/common/common.swagger.json b/docs/openapi/common/common.swagger.json new file mode 100644 index 0000000000..a771c2cac8 --- /dev/null 
+++ b/docs/openapi/common/common.swagger.json 
@@ -0,0 +1,46 @@ +{ + "swagger": "2.0", + "info": { + "title": "common/common.proto", + "version": "version not set" + }, + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." 
+ } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. 
Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/entity/entity.openapi.yaml b/docs/openapi/entity/entity.openapi.yaml new file mode 100644 index 0000000000..6484c863a0 --- /dev/null +++ b/docs/openapi/entity/entity.openapi.yaml 
@@ -0,0 +1,100 @@ +openapi: 3.1.0 +info: + title: entity +paths: {} +components: + schemas: + entity.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT + entity.Entity: + type: object + oneOf: + - properties: + claims: + title: claims + description: used by ERS claims mode + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - properties: + clientId: + type: string + title: client_id + title: client_id + required: + - clientId + - properties: + emailAddress: + type: string + title: email_address + title: email_address + required: + - emailAddress + - properties: + userName: + type: string + title: user_name + title: user_name + required: + - userName + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + category: + title: category + $ref: '#/components/schemas/entity.Entity.Category' + title: Entity + additionalProperties: false + description: PE (Person Entity) or NPE (Non-Person Entity) + entity.EntityChain: + type: object + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + entities: + type: array + items: + $ref: '#/components/schemas/entity.Entity' + title: entities + title: EntityChain + additionalProperties: false + description: A set of related PE and NPE + entity.Token: + type: object + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + jwt: + type: string + title: jwt + description: the token + title: Token + required: + - jwt + additionalProperties: false + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary 
serialized message along with a @type that describes the type of the serialized message. +security: [] diff --git a/docs/openapi/entity/entity.swagger.json b/docs/openapi/entity/entity.swagger.json new file mode 100644 index 0000000000..3256109c9a --- /dev/null +++ b/docs/openapi/entity/entity.swagger.json 
@@ -0,0 +1,46 @@ +{ + "swagger": "2.0", + "info": { + "title": "entity/entity.proto", + "version": "version not set" + }, + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." 
+ } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. 
Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/entityresolution/entity_resolution.openapi.yaml b/docs/openapi/entityresolution/entity_resolution.openapi.yaml new file mode 100644 index 0000000000..d89cbdaa0a --- /dev/null +++ b/docs/openapi/entityresolution/entity_resolution.openapi.yaml 
@@ -0,0 +1,424 @@ +openapi: 3.1.0 +info: + title: entityresolution +paths: + /entityresolution/resolve: + post: + tags: + - entityresolution.EntityResolutionService + summary: ResolveEntities + description: 'Deprecated: use v2 ResolveEntities instead' + operationId: entityresolution.EntityResolutionService.ResolveEntities + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/entityresolution.ResolveEntitiesRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/entityresolution.ResolveEntitiesResponse' + /entityresolution/entitychain: + post: + tags: + - entityresolution.EntityResolutionService + summary: CreateEntityChainFromJwt + description: 'Deprecated: use v2 CreateEntityChainsFromTokens instead' + operationId: entityresolution.EntityResolutionService.CreateEntityChainFromJwt + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/entityresolution.CreateEntityChainFromJwtRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/entityresolution.CreateEntityChainFromJwtResponse' +components: + schemas: + authorization.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT + google.protobuf.NullValue: + type: string + title: NullValue + enum: + - NULL_VALUE + description: |- + `NullValue` is a singleton enumeration to represent the null value for the + `Value` type union. + + The JSON representation for `NullValue` is JSON `null`. 
+ authorization.Entity: + type: object + oneOf: + - properties: + claims: + title: claims + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - properties: + clientId: + type: string + title: client_id + title: client_id + required: + - clientId + - properties: + custom: + title: custom + $ref: '#/components/schemas/authorization.EntityCustom' + title: custom + required: + - custom + - properties: + emailAddress: + type: string + title: email_address + description: one of the entity options must be set + title: email_address + required: + - emailAddress + - properties: + remoteClaimsUrl: + type: string + title: remote_claims_url + title: remote_claims_url + required: + - remoteClaimsUrl + - properties: + userName: + type: string + title: user_name + title: user_name + required: + - userName + - properties: + uuid: + type: string + title: uuid + title: uuid + required: + - uuid + properties: + id: + type: string + title: id + description: ephemeral id for tracking between request and response + category: + title: category + $ref: '#/components/schemas/authorization.Entity.Category' + title: Entity + additionalProperties: false + description: PE (Person Entity) or NPE (Non-Person Entity) + authorization.EntityChain: + type: object + properties: + id: + type: string + title: id + description: ephemeral id for tracking between request and response + entities: + type: array + items: + $ref: '#/components/schemas/authorization.Entity' + title: entities + title: EntityChain + additionalProperties: false + description: A set of related PE and NPE + authorization.EntityCustom: + type: object + properties: + extension: + title: extension + $ref: '#/components/schemas/google.protobuf.Any' + title: EntityCustom + additionalProperties: false + description: Entity type for custom entities beyond the standard types + authorization.Token: + type: object + properties: + id: + type: string + title: id + description: ephemeral id for tracking 
between request and response + jwt: + type: string + title: jwt + description: the token + title: Token + additionalProperties: false + entityresolution.CreateEntityChainFromJwtRequest: + type: object + properties: + tokens: + type: array + items: + $ref: '#/components/schemas/authorization.Token' + title: tokens + title: CreateEntityChainFromJwtRequest + additionalProperties: false + description: |- + Example: Get Entity chains for tokens aaaaaa and bbbbbb + { + "tokens": [ + "aaaaaaa", + "bbbbbbbb" + ] + } + entityresolution.CreateEntityChainFromJwtResponse: + type: object + properties: + entityChains: + type: array + items: + $ref: '#/components/schemas/authorization.EntityChain' + title: entity_chains + title: CreateEntityChainFromJwtResponse + additionalProperties: false + description: |- + Example: Return the entity chains from the provided tokens + { + "entity_chains": [ + { + "id": "tok1", + "entities": [ + { + "clientId": "client1" + } + ] + }, + { + "id": "tok2", + "entities": [ + { + "userName": "alice", + "clientId": "client2" + } + ] + } + ] + } + entityresolution.EntityNotFoundError: + type: object + properties: + code: + type: integer + title: code + format: int32 + message: + type: string + title: message + details: + type: array + items: + $ref: '#/components/schemas/google.protobuf.Any' + title: details + entity: + type: string + title: entity + title: EntityNotFoundError + additionalProperties: false + entityresolution.EntityRepresentation: + type: object + properties: + additionalProps: + type: array + items: + $ref: '#/components/schemas/google.protobuf.Struct' + title: additional_props + originalId: + type: string + title: original_id + description: ephemeral entity id from the request + title: EntityRepresentation + additionalProperties: false + entityresolution.ResolveEntitiesRequest: + type: object + properties: + entities: + type: array + items: + $ref: '#/components/schemas/authorization.Entity' + title: entities + title: 
ResolveEntitiesRequest + additionalProperties: false + description: |- + Example: Get idp attributes for bob and alice (both represented using an email address + { + "entities": [ + { + "id": "e1", + "emailAddress": "bob@example.org" + }, + { + "id": "e2", + "emailAddress": "alice@example.org" + } + ] + } + entityresolution.ResolveEntitiesResponse: + type: object + properties: + entityRepresentations: + type: array + items: + $ref: '#/components/schemas/entityresolution.EntityRepresentation' + title: entity_representations + title: ResolveEntitiesResponse + additionalProperties: false + description: |- + Example: Get idp attributes for bob and alice + { + "entity_representations": [ + { + "idp_entity_id": "e1", + "additional_props": {"someAttr1":"someValue1"} + }, + { + "idp_entity_id": "e2", + "additional_props": {"someAttr2":"someValue2"} + } + ] + } + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. + google.protobuf.ListValue: + type: object + properties: + values: + type: array + items: + $ref: '#/components/schemas/google.protobuf.Value' + title: values + description: Repeated field of dynamically typed values. + title: ListValue + additionalProperties: false + description: |- + `ListValue` is a wrapper around a repeated field of values. + + The JSON representation for `ListValue` is JSON array. + google.protobuf.Struct: + type: object + additionalProperties: + $ref: '#/components/schemas/google.protobuf.Value' + description: |- + `Struct` represents a structured data value, consisting of fields + which map to dynamically typed values. In some languages, `Struct` + might be supported by a native representation. 
For example, in + scripting languages like JS a struct is represented as an + object. The details of that representation are described together + with the proto support for the language. + + The JSON representation for `Struct` is JSON object. + google.protobuf.Struct.FieldsEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + $ref: '#/components/schemas/google.protobuf.Value' + title: FieldsEntry + additionalProperties: false + google.protobuf.Value: + oneOf: + - type: "null" + - type: number + - type: string + - type: boolean + - type: array + - type: object + additionalProperties: true + description: |- + `Value` represents a dynamically typed value which can be either + null, a number, a string, a boolean, a recursive struct value, or a + list of values. A producer of value is expected to set one of these + variants. Absence of any variant indicates an error. + + The JSON representation for `Value` is JSON value. + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. 
+ detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' +security: [] +tags: + - name: entityresolution.EntityResolutionService diff --git a/docs/openapi/entityresolution/entity_resolution.swagger.json b/docs/openapi/entityresolution/entity_resolution.swagger.json new file mode 100644 index 0000000000..42616b53bf --- /dev/null +++ b/docs/openapi/entityresolution/entity_resolution.swagger.json 
@@ -0,0 +1,276 @@ +{ + "swagger": "2.0", + "info": { + "title": "entityresolution/entity_resolution.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "EntityResolutionService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": { + "/entityresolution/entitychain": { + "post": { + "summary": "Deprecated: use v2 CreateEntityChainsFromTokens instead", + "operationId": "EntityResolutionService_CreateEntityChainFromJwt", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/entityresolutionCreateEntityChainFromJwtResponse" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/rpcStatus" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/entityresolutionCreateEntityChainFromJwtRequest" + } + } + ], + "tags": [ + "EntityResolutionService" + ] + } + }, + "/entityresolution/resolve": { + "post": { + "summary": "Deprecated: use v2 ResolveEntities instead", + "operationId": "EntityResolutionService_ResolveEntities", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/entityresolutionResolveEntitiesResponse" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/rpcStatus" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/entityresolutionResolveEntitiesRequest" + } + } + ], + "tags": [ + "EntityResolutionService" + ] + } + } + }, + "definitions": { + "authorizationEntity": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "emailAddress": { + "type": "string", + "title": "one of the entity options must be set" + }, + "userName": { + 
"type": "string" + }, + "remoteClaimsUrl": { + "type": "string" + }, + "uuid": { + "type": "string" + }, + "claims": { + "$ref": "#/definitions/protobufAny" + }, + "custom": { + "$ref": "#/definitions/authorizationEntityCustom" + }, + "clientId": { + "type": "string" + }, + "category": { + "$ref": "#/definitions/authorizationEntityCategory" + } + }, + "title": "PE (Person Entity) or NPE (Non-Person Entity)" + }, + "authorizationEntityCategory": { + "type": "string", + "enum": [ + "CATEGORY_UNSPECIFIED", + "CATEGORY_SUBJECT", + "CATEGORY_ENVIRONMENT" + ], + "default": "CATEGORY_UNSPECIFIED" + }, + "authorizationEntityChain": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "entities": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationEntity" + } + } + }, + "title": "A set of related PE and NPE" + }, + "authorizationEntityCustom": { + "type": "object", + "properties": { + "extension": { + "$ref": "#/definitions/protobufAny" + } + }, + "title": "Entity type for custom entities beyond the standard types" + }, + "authorizationToken": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "jwt": { + "type": "string", + "title": "the token" + } + } + }, + "entityresolutionCreateEntityChainFromJwtRequest": { + "type": "object", + "properties": { + "tokens": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationToken" + } + } + }, + "title": "Example: Get Entity chains for tokens aaaaaa and bbbbbb\n{\n\"tokens\": [\n\"aaaaaaa\",\n\"bbbbbbbb\"\n]\n}" + }, + "entityresolutionCreateEntityChainFromJwtResponse": { + "type": "object", + "properties": { + "entityChains": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationEntityChain" + } + } + }, + "title": "Example: Return the 
entity chains from the provided tokens\n{\n\"entity_chains\": [\n{\n\"id\": \"tok1\",\n\"entities\": [\n{\n\"clientId\": \"client1\"\n}\n]\n},\n{\n\"id\": \"tok2\",\n\"entities\": [\n{\n\"userName\": \"alice\",\n\"clientId\": \"client2\"\n}\n]\n}\n]\n}" + }, + "entityresolutionEntityRepresentation": { + "type": "object", + "properties": { + "additionalProps": { + "type": "array", + "items": { + "type": "object" + } + }, + "originalId": { + "type": "string", + "title": "ephemeral entity id from the request" + } + } + }, + "entityresolutionResolveEntitiesRequest": { + "type": "object", + "properties": { + "entities": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/authorizationEntity" + } + } + }, + "title": "Example: Get idp attributes for bob and alice (both represented using an email address\n{\n\"entities\": [\n{\n\"id\": \"e1\",\n\"emailAddress\": \"bob@example.org\"\n},\n{\n\"id\": \"e2\",\n\"emailAddress\": \"alice@example.org\"\n}\n]\n}" + }, + "entityresolutionResolveEntitiesResponse": { + "type": "object", + "properties": { + "entityRepresentations": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/entityresolutionEntityRepresentation" + } + } + }, + "title": "Example: Get idp attributes for bob and alice\n{\n\"entity_representations\": [\n{\n\"idp_entity_id\": \"e1\",\n\"additional_props\": {\"someAttr1\":\"someValue1\"}\n},\n{\n\"idp_entity_id\": \"e2\",\n\"additional_props\": {\"someAttr2\":\"someValue2\"}\n}\n]\n}" + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). 
The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." 
+ } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. 
Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "protobufNullValue": { + "type": "string", + "enum": [ + "NULL_VALUE" + ], + "default": "NULL_VALUE", + "description": "`NullValue` is a singleton enumeration to represent the null value for the\n`Value` type union.\n\nThe JSON representation for `NullValue` is JSON `null`.\n\n - NULL_VALUE: Null value." + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml b/docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml new file mode 100644 index 0000000000..c4a839fc80 --- /dev/null +++ b/docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml 
@@ -0,0 +1,360 @@ +openapi: 3.1.0 +info: + title: entityresolution.v2 +paths: + /entityresolution.v2.EntityResolutionService/ResolveEntities: + post: + tags: + - entityresolution.v2.EntityResolutionService + summary: ResolveEntities + operationId: entityresolution.v2.EntityResolutionService.ResolveEntities + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/entityresolution.v2.ResolveEntitiesRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/entityresolution.v2.ResolveEntitiesResponse' + /entityresolution.v2.EntityResolutionService/CreateEntityChainsFromTokens: + post: + tags: + - entityresolution.v2.EntityResolutionService + summary: CreateEntityChainsFromTokens + operationId: entityresolution.v2.EntityResolutionService.CreateEntityChainsFromTokens + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/entityresolution.v2.CreateEntityChainsFromTokensRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/entityresolution.v2.CreateEntityChainsFromTokensResponse' +components: + schemas: + 
entity.Entity.Category: + type: string + title: Category + enum: + - CATEGORY_UNSPECIFIED + - CATEGORY_SUBJECT + - CATEGORY_ENVIRONMENT + google.protobuf.NullValue: + type: string + title: NullValue + enum: + - NULL_VALUE + description: |- + `NullValue` is a singleton enumeration to represent the null value for the + `Value` type union. + + The JSON representation for `NullValue` is JSON `null`. + entity.Entity: + type: object + oneOf: + - properties: + claims: + title: claims + description: used by ERS claims mode + $ref: '#/components/schemas/google.protobuf.Any' + title: claims + required: + - claims + - properties: + clientId: + type: string + title: client_id + title: client_id + required: + - clientId + - properties: + emailAddress: + type: string + title: email_address + title: email_address + required: + - emailAddress + - properties: + userName: + type: string + title: user_name + title: user_name + required: + - userName + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + category: + title: category + $ref: '#/components/schemas/entity.Entity.Category' + title: Entity + additionalProperties: false + description: PE (Person Entity) or NPE (Non-Person Entity) + entity.EntityChain: + type: object + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + entities: + type: array + items: + $ref: '#/components/schemas/entity.Entity' + title: entities + title: EntityChain + additionalProperties: false + description: A set of related PE and NPE + entity.Token: + type: object + properties: + ephemeralId: + type: string + title: ephemeral_id + description: ephemeral id for tracking between request and response + jwt: + type: string + title: jwt + description: the token + title: Token + required: + - jwt + additionalProperties: false + entityresolution.v2.CreateEntityChainsFromTokensRequest: + type: 
object + properties: + tokens: + type: array + items: + $ref: '#/components/schemas/entity.Token' + title: tokens + title: CreateEntityChainsFromTokensRequest + additionalProperties: false + description: Create an entity chain for each token (JWT) in the request. + entityresolution.v2.CreateEntityChainsFromTokensResponse: + type: object + properties: + entityChains: + type: array + items: + $ref: '#/components/schemas/entity.EntityChain' + title: entity_chains + title: CreateEntityChainsFromTokensResponse + additionalProperties: false + entityresolution.v2.EntityNotFoundError: + type: object + properties: + code: + type: integer + title: code + format: int32 + message: + type: string + title: message + details: + type: array + items: + $ref: '#/components/schemas/google.protobuf.Any' + title: details + entity: + type: string + title: entity + title: EntityNotFoundError + additionalProperties: false + entityresolution.v2.EntityRepresentation: + type: object + properties: + originalId: + type: string + title: original_id + description: ephemeral entity id from the request + additionalProps: + type: array + items: + $ref: '#/components/schemas/google.protobuf.Struct' + title: additional_props + title: EntityRepresentation + additionalProperties: false + entityresolution.v2.ResolveEntitiesRequest: + type: object + properties: + entities: + type: array + items: + $ref: '#/components/schemas/entity.Entity' + title: entities + minItems: 1 + title: ResolveEntitiesRequest + required: + - entities + additionalProperties: false + description: Resolve a set of entities to their representations. 
+ entityresolution.v2.ResolveEntitiesResponse: + type: object + properties: + entityRepresentations: + type: array + items: + $ref: '#/components/schemas/entityresolution.v2.EntityRepresentation' + title: entity_representations + title: ResolveEntitiesResponse + additionalProperties: false + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. + google.protobuf.ListValue: + type: object + properties: + values: + type: array + items: + $ref: '#/components/schemas/google.protobuf.Value' + title: values + description: Repeated field of dynamically typed values. + title: ListValue + additionalProperties: false + description: |- + `ListValue` is a wrapper around a repeated field of values. + + The JSON representation for `ListValue` is JSON array. + google.protobuf.Struct: + type: object + additionalProperties: + $ref: '#/components/schemas/google.protobuf.Value' + description: |- + `Struct` represents a structured data value, consisting of fields + which map to dynamically typed values. In some languages, `Struct` + might be supported by a native representation. For example, in + scripting languages like JS a struct is represented as an + object. The details of that representation are described together + with the proto support for the language. + + The JSON representation for `Struct` is JSON object. 
+ google.protobuf.Struct.FieldsEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + $ref: '#/components/schemas/google.protobuf.Value' + title: FieldsEntry + additionalProperties: false + google.protobuf.Value: + oneOf: + - type: "null" + - type: number + - type: string + - type: boolean + - type: array + - type: object + additionalProperties: true + description: |- + `Value` represents a dynamically typed value which can be either + null, a number, a string, a boolean, a recursive struct value, or a + list of values. A producer of value is expected to set one of these + variants. Absence of any variant indicates an error. + + The JSON representation for `Value` is JSON value. + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. 
+ detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' +security: [] +tags: + - name: entityresolution.v2.EntityResolutionService diff --git a/docs/openapi/entityresolution/v2/entity_resolution.swagger.json b/docs/openapi/entityresolution/v2/entity_resolution.swagger.json new file mode 100644 index 0000000000..8c24c517f9 --- /dev/null +++ b/docs/openapi/entityresolution/v2/entity_resolution.swagger.json 
@@ -0,0 +1,163 @@ +{ + "swagger": "2.0", + "info": { + "title": "entityresolution/v2/entity_resolution.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "EntityResolutionService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "entityEntity": { + "type": "object", + "properties": { + "ephemeralId": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "emailAddress": { + "type": "string" + }, + "userName": { + "type": "string" + }, + "claims": { + "$ref": "#/definitions/protobufAny", + "title": "used by ERS claims mode" + }, + "clientId": { + "type": "string" + }, + "category": { + "$ref": "#/definitions/entityEntityCategory" + } + }, + "title": "PE (Person Entity) or NPE (Non-Person Entity)" + }, + "entityEntityCategory": { + "type": "string", + "enum": [ + "CATEGORY_UNSPECIFIED", + "CATEGORY_SUBJECT", + "CATEGORY_ENVIRONMENT" + ], + "default": "CATEGORY_UNSPECIFIED" + }, + "entityEntityChain": { + "type": "object", + "properties": { + "ephemeralId": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "entities": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/entityEntity" + } + } + }, + "title": "A set of related PE and NPE" + }, + "entityToken": { + "type": "object", + "properties": { + "ephemeralId": { + "type": "string", + "title": "ephemeral id for tracking between request and response" + }, + "jwt": { + "type": "string", + "title": "the token" + } + } + }, + "entityresolutionv2EntityRepresentation": { + "type": "object", + "properties": { + "originalId": { + "type": "string", + "title": "ephemeral entity id from the request" + }, + "additionalProps": { + "type": "array", + "items": { + "type": "object" + } + } + } + }, + "entityresolutionv2ResolveEntitiesResponse": { + "type": "object", + "properties": { + "entityRepresentations": { + 
"type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/entityresolutionv2EntityRepresentation" + } + } + } + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." 
+ } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. 
Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "protobufNullValue": { + "type": "string", + "enum": [ + "NULL_VALUE" + ], + "default": "NULL_VALUE", + "description": "`NullValue` is a singleton enumeration to represent the null value for the\n`Value` type union.\n\nThe JSON representation for `NullValue` is JSON `null`.\n\n - NULL_VALUE: Null value." + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + }, + "v2CreateEntityChainsFromTokensResponse": { + "type": "object", + "properties": { + "entityChains": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/entityEntityChain" + } + } + } + } + } +} diff --git a/docs/openapi/kas/kas.openapi.yaml b/docs/openapi/kas/kas.openapi.yaml new file mode 100644 index 0000000000..25023a8a32 --- /dev/null +++ b/docs/openapi/kas/kas.openapi.yaml 
@@ -0,0 +1,495 @@ +openapi: 3.1.0 +info: + title: kas +paths: + /kas/v2/kas_public_key: + get: + tags: + - kas.AccessService + summary: PublicKey + operationId: kas.AccessService.PublicKey + parameters: + - name: algorithm + in: query + schema: + type: string + title: algorithm + - name: fmt + in: query + schema: + type: string + title: fmt + - name: v + in: query + schema: + type: string + title: v + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/kas.PublicKeyResponse' + /kas/kas_public_key: + get: + tags: + - kas.AccessService + summary: LegacyPublicKey + description: buf:lint:ignore RPC_RESPONSE_STANDARD_NAME + operationId: kas.AccessService.LegacyPublicKey + parameters: + - name: algorithm + in: query + schema: + type: string + title: algorithm + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/google.protobuf.StringValue' + /kas/v2/rewrap: + post: + tags: + - kas.AccessService + summary: Rewrap + operationId: kas.AccessService.Rewrap + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/kas.RewrapRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/kas.RewrapResponse' +components: + schemas: + google.protobuf.NullValue: + type: string + title: NullValue + enum: + - NULL_VALUE + description: |- + `NullValue` is a singleton enumeration to represent the null value for the + `Value` type union. + + The JSON representation for `NullValue` is JSON `null`. 
+ google.protobuf.ListValue: + type: object + properties: + values: + type: array + items: + $ref: '#/components/schemas/google.protobuf.Value' + title: values + description: Repeated field of dynamically typed values. + title: ListValue + additionalProperties: false + description: |- + `ListValue` is a wrapper around a repeated field of values. + + The JSON representation for `ListValue` is JSON array. + google.protobuf.StringValue: + type: string + description: |- + Wrapper message for `string`. + + The JSON representation for `StringValue` is JSON string. + google.protobuf.Struct: + type: object + additionalProperties: + $ref: '#/components/schemas/google.protobuf.Value' + description: |- + `Struct` represents a structured data value, consisting of fields + which map to dynamically typed values. In some languages, `Struct` + might be supported by a native representation. For example, in + scripting languages like JS a struct is represented as an + object. The details of that representation are described together + with the proto support for the language. + + The JSON representation for `Struct` is JSON object. + google.protobuf.Struct.FieldsEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + $ref: '#/components/schemas/google.protobuf.Value' + title: FieldsEntry + additionalProperties: false + google.protobuf.Value: + oneOf: + - type: "null" + - type: number + - type: string + - type: boolean + - type: array + - type: object + additionalProperties: true + description: |- + `Value` represents a dynamically typed value which can be either + null, a number, a string, a boolean, a recursive struct value, or a + list of values. A producer of value is expected to set one of these + variants. Absence of any variant indicates an error. + + The JSON representation for `Value` is JSON value. + kas.InfoRequest: + type: object + title: InfoRequest + additionalProperties: false + description: Intentionally empty. 
May include features later. + kas.InfoResponse: + type: object + properties: + version: + type: string + title: version + title: InfoResponse + additionalProperties: false + description: Service application level metadata + kas.KeyAccess: + type: object + properties: + encryptedMetadata: + type: string + title: encrypted_metadata + policyBinding: + title: policy_binding + $ref: '#/components/schemas/kas.PolicyBinding' + protocol: + type: string + title: protocol + type: + type: string + title: key_type + url: + type: string + title: kas_url + kid: + type: string + title: kid + sid: + type: string + title: split_id + wrappedKey: + type: string + title: wrapped_key + format: byte + header: + type: string + title: header + format: byte + description: header is only used for NanoTDFs + ephemeralPublicKey: + type: string + title: ephemeral_public_key + description: |- + For wrapping with an ECDH derived key, when type=ec-wrapped. + Should be a PEM-encoded PKCS#8 (asn.1) value. + title: KeyAccess + additionalProperties: false + kas.KeyAccessRewrapResult: + type: object + oneOf: + - properties: + error: + type: string + title: error + title: error + required: + - error + - properties: + kasWrappedKey: + type: string + title: kas_wrapped_key + format: byte + title: kas_wrapped_key + required: + - kasWrappedKey + properties: + metadata: + type: object + title: metadata + additionalProperties: + title: value + $ref: '#/components/schemas/google.protobuf.Value' + keyAccessObjectId: + type: string + title: key_access_object_id + status: + type: string + title: status + title: KeyAccessRewrapResult + additionalProperties: false + kas.KeyAccessRewrapResult.MetadataEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + $ref: '#/components/schemas/google.protobuf.Value' + title: MetadataEntry + additionalProperties: false + kas.LegacyPublicKeyRequest: + type: object + properties: + algorithm: + type: string + title: algorithm + title: 
LegacyPublicKeyRequest + additionalProperties: false + kas.PolicyBinding: + type: object + properties: + alg: + type: string + title: algorithm + hash: + type: string + title: hash + title: PolicyBinding + additionalProperties: false + kas.PolicyRewrapResult: + type: object + properties: + policyId: + type: string + title: policy_id + results: + type: array + items: + $ref: '#/components/schemas/kas.KeyAccessRewrapResult' + title: results + title: PolicyRewrapResult + additionalProperties: false + kas.PublicKeyRequest: + type: object + properties: + algorithm: + type: string + title: algorithm + fmt: + type: string + title: fmt + v: + type: string + title: v + title: PublicKeyRequest + additionalProperties: false + kas.PublicKeyResponse: + type: object + properties: + publicKey: + type: string + title: public_key + kid: + type: string + title: kid + title: PublicKeyResponse + additionalProperties: false + kas.RewrapRequest: + type: object + properties: + signedRequestToken: + type: string + title: signed_request_token + title: RewrapRequest + additionalProperties: false + kas.RewrapResponse: + type: object + properties: + metadata: + type: object + title: metadata + additionalProperties: + title: value + $ref: '#/components/schemas/google.protobuf.Value' + deprecated: true + entityWrappedKey: + type: string + title: entity_wrapped_key + format: byte + deprecated: true + sessionPublicKey: + type: string + title: session_public_key + schemaVersion: + type: string + title: schema_version + deprecated: true + responses: + type: array + items: + $ref: '#/components/schemas/kas.PolicyRewrapResult' + title: responses + description: New Rewrap API changes + title: RewrapResponse + additionalProperties: false + kas.RewrapResponse.MetadataEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + $ref: '#/components/schemas/google.protobuf.Value' + title: MetadataEntry + additionalProperties: false + kas.UnsignedRewrapRequest: + type: 
object + properties: + clientPublicKey: + type: string + title: client_public_key + requests: + type: array + items: + $ref: '#/components/schemas/kas.UnsignedRewrapRequest.WithPolicyRequest' + title: requests + keyAccess: + title: key_access + description: Used for legacy non-bulk requests + deprecated: true + $ref: '#/components/schemas/kas.KeyAccess' + policy: + type: string + title: policy + description: Used for legacy non-bulk requests + deprecated: true + algorithm: + type: string + title: algorithm + description: Used for legacy non-bulk requests + deprecated: true + title: UnsignedRewrapRequest + additionalProperties: false + kas.UnsignedRewrapRequest.WithKeyAccessObject: + type: object + properties: + keyAccessObjectId: + type: string + title: key_access_object_id + keyAccessObject: + title: key_access_object + $ref: '#/components/schemas/kas.KeyAccess' + title: WithKeyAccessObject + additionalProperties: false + kas.UnsignedRewrapRequest.WithPolicy: + type: object + properties: + id: + type: string + title: id + body: + type: string + title: body + title: WithPolicy + additionalProperties: false + kas.UnsignedRewrapRequest.WithPolicyRequest: + type: object + properties: + keyAccessObjects: + type: array + items: + $ref: '#/components/schemas/kas.UnsignedRewrapRequest.WithKeyAccessObject' + title: key_access_objects + policy: + title: policy + $ref: '#/components/schemas/kas.UnsignedRewrapRequest.WithPolicy' + algorithm: + type: string + title: algorithm + title: WithPolicyRequest + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - 
not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. +security: [] +tags: + - name: kas.AccessService + description: Get app info from the root path diff --git a/docs/openapi/kas/kas.swagger.json b/docs/openapi/kas/kas.swagger.json new file mode 100644 index 0000000000..d422537e3c --- /dev/null +++ b/docs/openapi/kas/kas.swagger.json 
@@ -0,0 +1,255 @@ +{ + "swagger": "2.0", + "info": { + "title": "OpenTDF Key Access Service", + "version": "1.5.0", + "license": { + "name": "BSD 3-Clause Clear", + "url": "https://github.com/opentdf/backend/blob/master/LICENSE" + } + }, + "tags": [ + { + "name": "AccessService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": { + "/kas/kas_public_key": { + "get": { + "summary": "buf:lint:ignore RPC_RESPONSE_STANDARD_NAME", + "operationId": "AccessService_LegacyPublicKey", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "type": "string" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/rpcStatus" + } + } + }, + "parameters": [ + { + "name": "algorithm", + "in": "query", + "required": false, + "type": "string" + } + ], + "tags": [ + "AccessService" + ] + } + }, + "/kas/v2/kas_public_key": { + "get": { + "operationId": "AccessService_PublicKey", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/kasPublicKeyResponse" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/rpcStatus" + } + } + }, + "parameters": [ + { + "name": "algorithm", + "description": "algorithm type rsa:\u003ckeysize\u003e or ec:\u003ccurvename\u003e", + "in": "query", + "required": false, + "type": "string" + }, + { + "name": "fmt", + "description": "response format", + "in": "query", + "required": false, + "type": "string" + }, + { + "name": "v", + "description": "request version", + "in": "query", + "required": false, + "type": "string" + } + ], + "tags": [ + "AccessService" + ] + } + }, + "/kas/v2/rewrap": { + "post": { + "operationId": "AccessService_Rewrap", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/kasRewrapResponse" + } + }, + "default": { + 
"description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/rpcStatus" + } + } + }, + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/kasRewrapRequest" + } + } + ], + "tags": [ + "AccessService" + ] + } + } + }, + "definitions": { + "kasKeyAccessRewrapResult": { + "type": "object", + "properties": { + "metadata": { + "type": "object", + "additionalProperties": {} + }, + "keyAccessObjectId": { + "type": "string" + }, + "status": { + "type": "string" + }, + "kasWrappedKey": { + "type": "string", + "format": "byte" + }, + "error": { + "type": "string" + } + } + }, + "kasPolicyRewrapResult": { + "type": "object", + "properties": { + "policyId": { + "type": "string" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasKeyAccessRewrapResult" + } + } + } + }, + "kasPublicKeyResponse": { + "type": "object", + "properties": { + "publicKey": { + "type": "string" + }, + "kid": { + "type": "string" + } + } + }, + "kasRewrapRequest": { + "type": "object", + "properties": { + "signedRequestToken": { + "type": "string" + } + } + }, + "kasRewrapResponse": { + "type": "object", + "properties": { + "metadata": { + "type": "object", + "additionalProperties": {} + }, + "entityWrappedKey": { + "type": "string", + "format": "byte" + }, + "sessionPublicKey": { + "type": "string" + }, + "schemaVersion": { + "type": "string" + }, + "responses": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasPolicyRewrapResult" + }, + "title": "New Rewrap API changes" + } + } + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. 
The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." 
+ } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. 
Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "protobufNullValue": { + "type": "string", + "enum": [ + "NULL_VALUE" + ], + "default": "NULL_VALUE", + "description": "`NullValue` is a singleton enumeration to represent the null value for the\n`Value` type union.\n\nThe JSON representation for `NullValue` is JSON `null`.\n\n - NULL_VALUE: Null value." + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/policy/actions/actions.openapi.yaml b/docs/openapi/policy/actions/actions.openapi.yaml new file mode 100644 index 0000000000..619dcd242f --- /dev/null +++ b/docs/openapi/policy/actions/actions.openapi.yaml 
@@ -0,0 +1,1151 @@ +openapi: 3.1.0 +info: + title: policy.actions +paths: + /policy.actions.ActionService/GetAction: + post: + tags: + - policy.actions.ActionService + summary: GetAction + operationId: policy.actions.ActionService.GetAction + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.actions.GetActionRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.actions.GetActionResponse' + /policy.actions.ActionService/ListActions: + post: + tags: + - policy.actions.ActionService + summary: ListActions + operationId: policy.actions.ActionService.ListActions + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.actions.ListActionsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.actions.ListActionsResponse' + /policy.actions.ActionService/CreateAction: + post: + tags: + - policy.actions.ActionService + summary: CreateAction + operationId: policy.actions.ActionService.CreateAction + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + 
$ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.actions.CreateActionRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.actions.CreateActionResponse' + /policy.actions.ActionService/UpdateAction: + post: + tags: + - policy.actions.ActionService + summary: UpdateAction + operationId: policy.actions.ActionService.UpdateAction + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.actions.UpdateActionRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.actions.UpdateActionResponse' + /policy.actions.ActionService/DeleteAction: + post: + tags: + - policy.actions.ActionService + summary: DeleteAction + operationId: policy.actions.ActionService.DeleteAction + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.actions.DeleteActionRequest' + required: true + responses: + default: + 
description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.actions.DeleteActionResponse' +components: + schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. 
These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + common.MetadataMutable: + type: object + properties: + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional labels + title: MetadataMutable + additionalProperties: false + common.MetadataMutable.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for `bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. 
+ google.protobuf.Timestamp: + type: string + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. 
+ + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. + + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. 
Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. + policy.Action: + type: object + oneOf: + - properties: + custom: + type: string + title: custom + description: Deprecated + title: custom + required: + - custom + - properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Action + additionalProperties: false + description: An action an entity can take + policy.Attribute: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + description: namespace of the attribute + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + description: attribute name + rule: + title: rule + description: attribute rule enum + $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' + values: + type: array + items: + $ref: '#/components/schemas/policy.Value' + title: values + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys associated with the attribute + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Attribute + required: + - rule + 
additionalProperties: false + policy.Condition: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as + from idP/LDAP) + operator: + title: operator + description: the evaluation operator of relation + $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' + subjectExternalValues: + type: array + items: + type: string + minItems: 1 + title: subject_external_values + minItems: 1 + description: |- + list of comparison values for the result of applying the + subject_external_selector_value on a flattened Entity Representation + (Subject), evaluated by the operator + title: Condition + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + * + A Condition defines a rule of + policy.ConditionGroup: + type: object + properties: + conditions: + type: array + items: + $ref: '#/components/schemas/policy.Condition' + title: conditions + minItems: 1 + booleanOperator: + title: boolean_operator + description: the boolean evaluation type across the conditions + $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum' + title: ConditionGroup + required: + - booleanOperator + additionalProperties: false + description: A collection of Conditions evaluated by the boolean_operator provided + policy.KasPublicKey: + type: object + properties: + pem: + type: string + title: pem + maxLength: 8192 + minLength: 1 + description: x509 ASN.1 content in PEM envelope, usually + kid: + type: string + title: kid + maxLength: 32 + minLength: 1 + description: A unique string identifier for this key + alg: + not: + enum: + - 0 + title: alg + description: |- + A known algorithm type with any additional parameters encoded. + To start, these may be `rsa:2048` for encrypting ZTDF files and + `ec:secp256r1` for nanoTDF, but more formats may be added as needed. 
+ $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' + title: KasPublicKey + additionalProperties: false + description: |- + Deprecated + A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeySet: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.KasPublicKey' + title: keys + title: KasPublicKeySet + additionalProperties: false + description: |- + Deprecated + A list of known KAS public keys + policy.KeyAccessServer: + type: object + properties: + id: + type: string + title: id + uri: + type: string + title: uri + description: |+ + Address of a KAS instance + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + + publicKey: + title: public_key + description: Deprecated + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: 'The source of the KAS: (INTERNAL, EXTERNAL)' + $ref: '#/components/schemas/policy.SourceType' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Kas keys associated with this KAS + name: + type: string + title: name + description: |- + Optional + Unique name of the KAS instance + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyAccessServer + additionalProperties: false + description: Key Access Server Registry + policy.Namespace: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + name: + type: string + title: name + description: |- + used to partition Attribute Definitions, support by namespace AuthN and + enable 
federation + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: KAS grants for the namespace + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys for the namespace + title: Namespace + additionalProperties: false + policy.PageRequest: + type: object + properties: + limit: + type: integer + title: limit + format: int32 + description: |- + Optional + Set to configured default limit if not provided + Maximum limit set in platform config and enforced by services + offset: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + title: PageRequest + additionalProperties: false + policy.PageResponse: + type: object + properties: + currentOffset: + type: integer + title: current_offset + format: int32 + description: Requested pagination offset + nextOffset: + type: integer + title: next_offset + format: int32 + description: |- + Calculated with request limit + offset or defaults + Empty when none remain after current page + total: + type: integer + title: total + format: int32 + description: Total count of entire list + title: PageResponse + additionalProperties: false + policy.PublicKey: + type: object + oneOf: + - properties: + cached: + title: cached + description: public key with additional information. 
Current preferred version + $ref: '#/components/schemas/policy.KasPublicKeySet' + title: cached + required: + - cached + - properties: + remote: + type: string + title: remote + description: |+ + kas public key url - optional since can also be retrieved via public key + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + + title: remote + required: + - remote + title: PublicKey + additionalProperties: false + description: Deprecated + policy.ResourceMapping: + type: object + properties: + id: + type: string + title: id + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + terms: + type: array + items: + type: string + title: terms + group: + title: group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: ResourceMapping + required: + - attributeValue + additionalProperties: false + description: |- + Resource Mappings (aka Access Control Resource Encodings aka ACRE) are + structures supporting the mapping of Resources and Attribute Values + policy.ResourceMappingGroup: + type: object + properties: + id: + type: string + title: id + namespaceId: + type: string + title: namespace_id + description: the namespace containing the group of resource mappings + name: + type: string + title: name + description: |- + the common name for the group of resource mappings, which must be unique + per namespace + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: ResourceMappingGroup + required: + - namespaceId + - name + additionalProperties: false + description: |- + Resource Mapping Groups are 
namespaced collections of Resource Mappings + associated under a common group name. + policy.SimpleKasKey: + type: object + properties: + kasUri: + type: string + title: kas_uri + description: The URL of the Key Access Server + publicKey: + title: public_key + description: The public key of the Key that belongs to the KAS + $ref: '#/components/schemas/policy.SimpleKasPublicKey' + kasId: + type: string + title: kas_id + description: The ID of the Key Access Server + title: SimpleKasKey + additionalProperties: false + policy.SimpleKasPublicKey: + type: object + properties: + algorithm: + title: algorithm + $ref: '#/components/schemas/policy.Algorithm' + kid: + type: string + title: kid + pem: + type: string + title: pem + title: SimpleKasPublicKey + additionalProperties: false + policy.SubjectConditionSet: + type: object + properties: + id: + type: string + title: id + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectConditionSet + additionalProperties: false + description: |- + A container for multiple Subject Sets, each containing Condition Groups, each + containing Conditions. Multiple Subject Sets in a SubjectConditionSet are + evaluated with AND logic. As each Subject Mapping has only one Attribute + Value, the SubjectConditionSet is reusable across multiple Subject Mappings / + Attribute Values and is an independent unit. 
+ policy.SubjectMapping: + type: object + properties: + id: + type: string + title: id + attributeValue: + title: attribute_value + description: 'the Attribute Value mapped to; aka: "The Entity Entitlement Attribute"' + $ref: '#/components/schemas/policy.Value' + subjectConditionSet: + title: subject_condition_set + description: the reusable SubjectConditionSet mapped to the given Attribute Value + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: The actions permitted by subjects in this mapping + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectMapping + additionalProperties: false + description: |- + Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute + value + action(s) combination + policy.SubjectSet: + type: object + properties: + conditionGroups: + type: array + items: + $ref: '#/components/schemas/policy.ConditionGroup' + title: condition_groups + minItems: 1 + description: multiple Condition Groups are evaluated with AND logic + title: SubjectSet + additionalProperties: false + description: A collection of Condition Groups + policy.Value: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + value: + type: string + title: value + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: |- + Deprecated + list of key access servers + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + description: subject mapping + kasKeys: + type: array + items: 
+ $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + resourceMappings: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMapping' + title: resource_mappings + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Value + additionalProperties: false + policy.actions.CreateActionRequest: + type: object + properties: + name: + type: string + title: name + maxLength: 253 + description: |+ + Required + Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + metadata: + title: metadata + description: Optional + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateActionRequest + required: + - name + additionalProperties: false + description: |- + Create a new Custom action name with optional metadata. + Creation of Standard actions is not supported. + policy.actions.CreateActionResponse: + type: object + properties: + action: + title: action + $ref: '#/components/schemas/policy.Action' + title: CreateActionResponse + additionalProperties: false + policy.actions.DeleteActionRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeleteActionRequest + additionalProperties: false + description: 'Custom only: deletion of Standard actions is not supported.' 
+ policy.actions.DeleteActionResponse: + type: object + properties: + action: + title: action + $ref: '#/components/schemas/policy.Action' + title: DeleteActionResponse + additionalProperties: false + policy.actions.GetActionRequest: + type: object + oneOf: + - properties: + id: + type: string + title: id + format: uuid + title: id + required: + - id + - properties: + name: + type: string + title: name + maxLength: 253 + description: |+ + Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + title: name + required: + - name + title: GetActionRequest + additionalProperties: false + policy.actions.GetActionResponse: + type: object + properties: + action: + title: action + $ref: '#/components/schemas/policy.Action' + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + description: Subject Mappings driving entitlement to the action + title: GetActionResponse + additionalProperties: false + policy.actions.ListActionsRequest: + type: object + properties: + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListActionsRequest + additionalProperties: false + policy.actions.ListActionsResponse: + type: object + properties: + actionsStandard: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions_standard + actionsCustom: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions_custom + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListActionsResponse + additionalProperties: false + policy.actions.UpdateActionRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + name: + type: string + 
title: name + maxLength: 253 + description: |+ + Optional + Custom actions only: replaces the existing action name + Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case.: + ``` + size(this) == 0 || this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateActionRequest + additionalProperties: false + description: |- + Metadata may be updated for either Custom or Standard actions. + Names may only be updated for Custom actions. + policy.actions.UpdateActionResponse: + type: object + properties: + action: + title: action + $ref: '#/components/schemas/policy.Action' + title: UpdateActionResponse + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. +security: [] +tags: + - name: policy.actions.ActionService diff --git a/docs/openapi/policy/actions/actions.swagger.json b/docs/openapi/policy/actions/actions.swagger.json new file mode 100644 index 0000000000..45ed7bfb58 --- /dev/null +++ b/docs/openapi/policy/actions/actions.swagger.json 
@@ -0,0 +1,698 @@ +{ + "swagger": "2.0", + "info": { + "title": "policy/actions/actions.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "ActionService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "ActionStandardAction": { + "type": "string", + "enum": [ + "STANDARD_ACTION_UNSPECIFIED", + "STANDARD_ACTION_DECRYPT", + "STANDARD_ACTION_TRANSMIT" + ], + "default": "STANDARD_ACTION_UNSPECIFIED", + "title": "- STANDARD_ACTION_DECRYPT: Deprecated\nMigrate to 'read' action name\n - STANDARD_ACTION_TRANSMIT: Deprecated\nMigrate to 'create' action name" + }, + "actionsCreateActionResponse": { + "type": "object", + "properties": { + "action": { + "$ref": "#/definitions/policyAction" + } + } + }, + "actionsDeleteActionResponse": { + "type": "object", + "properties": { + "action": { + "$ref": "#/definitions/policyAction" + } + } + }, + "actionsGetActionResponse": { + "type": "object", + "properties": { + "action": { + "$ref": "#/definitions/policyAction" + }, + "subjectMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectMapping" + }, + "title": "Subject Mappings driving entitlement to the action" + } + } + }, + "actionsListActionsResponse": { + "type": "object", + "properties": { + "actionsStandard": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyAction" + } + }, + "actionsCustom": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyAction" + } + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse" + } + } + }, + "actionsUpdateActionResponse": { + "type": "object", + "properties": { + "action": { + "$ref": "#/definitions/policyAction" + } + } + }, + "commonMetadata": { + "type": "object", + "properties": { + "createdAt": { + "type": "string", + "format": "date-time", + "title": "created_at set by server (entity who created will recorded in 
an audit event)" + }, + "updatedAt": { + "type": "string", + "format": "date-time", + "title": "updated_at set by server (entity who updated will recorded in an audit event)" + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional short description" + } + }, + "title": "Struct to uniquely identify a resource with optional additional metadata" + }, + "commonMetadataMutable": { + "type": "object", + "properties": { + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional labels" + } + } + }, + "commonMetadataUpdateEnum": { + "type": "string", + "enum": [ + "METADATA_UPDATE_ENUM_UNSPECIFIED", + "METADATA_UPDATE_ENUM_EXTEND", + "METADATA_UPDATE_ENUM_REPLACE" + ], + "default": "METADATA_UPDATE_ENUM_UNSPECIFIED", + "title": "- METADATA_UPDATE_ENUM_UNSPECIFIED: unspecified update type\n - METADATA_UPDATE_ENUM_EXTEND: only update the fields that are provided\n - METADATA_UPDATE_ENUM_REPLACE: replace the entire metadata with the provided metadata" + }, + "policyAction": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "Generated uuid in database" + }, + "standard": { + "$ref": "#/definitions/ActionStandardAction", + "title": "Deprecated" + }, + "custom": { + "type": "string", + "title": "Deprecated" + }, + "name": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "An action an entity can take" + }, + "policyAlgorithm": { + "type": "string", + "enum": [ + "ALGORITHM_UNSPECIFIED", + "ALGORITHM_RSA_2048", + "ALGORITHM_RSA_4096", + "ALGORITHM_EC_P256", + "ALGORITHM_EC_P384", + "ALGORITHM_EC_P521" + ], + "default": "ALGORITHM_UNSPECIFIED", + "description": "Supported key algorithms." 
+ }, + "policyAttribute": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "namespace": { + "$ref": "#/definitions/policyNamespace", + "title": "namespace of the attribute" + }, + "name": { + "type": "string", + "title": "attribute name" + }, + "rule": { + "$ref": "#/definitions/policyAttributeRuleTypeEnum", + "title": "attribute rule enum" + }, + "values": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyValue" + } + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "Deprecated" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys associated with the attribute" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyAttributeRuleTypeEnum": { + "type": "string", + "enum": [ + "ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED", + "ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF", + "ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF", + "ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY" + ], + "default": "ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED" + }, + "policyCondition": { + "type": "object", + "properties": { + "subjectExternalSelectorValue": { + "type": "string", + "title": "a selector for a field value on a flattened Entity Representation (such as\nfrom idP/LDAP)" + }, + "operator": { + "$ref": "#/definitions/policySubjectMappingOperatorEnum", + "title": "the evaluation operator of relation" + }, + "subjectExternalValues": { + "type": "array", + "items": { + "type": "string" + }, + "title": "list of comparison values for the result of applying the\nsubject_external_selector_value on a flattened Entity Representation\n(Subject), evaluated by the operator" + } + }, + "title": "*\nA Condition defines a rule of 
\u003cthe value at the flattened 'selector value'\nlocation\u003e \u003coperator\u003e \u003csubject external values\u003e" + }, + "policyConditionBooleanTypeEnum": { + "type": "string", + "enum": [ + "CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED", + "CONDITION_BOOLEAN_TYPE_ENUM_AND", + "CONDITION_BOOLEAN_TYPE_ENUM_OR" + ], + "default": "CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED" + }, + "policyConditionGroup": { + "type": "object", + "properties": { + "conditions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyCondition" + } + }, + "booleanOperator": { + "$ref": "#/definitions/policyConditionBooleanTypeEnum", + "title": "the boolean evaluation type across the conditions" + } + }, + "title": "A collection of Conditions evaluated by the boolean_operator provided" + }, + "policyKasPublicKey": { + "type": "object", + "properties": { + "pem": { + "type": "string", + "title": "x509 ASN.1 content in PEM envelope, usually" + }, + "kid": { + "type": "string", + "title": "A unique string identifier for this key" + }, + "alg": { + "$ref": "#/definitions/policyKasPublicKeyAlgEnum", + "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and\n`ec:secp256r1` for nanoTDF, but more formats may be added as needed." 
+ } + }, + "title": "Deprecated\nA KAS public key and some associated metadata for further identifcation" + }, + "policyKasPublicKeyAlgEnum": { + "type": "string", + "enum": [ + "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1" + ], + "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED" + }, + "policyKasPublicKeySet": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKasPublicKey" + } + } + }, + "title": "Deprecated\nA list of known KAS public keys" + }, + "policyKeyAccessServer": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "uri": { + "type": "string", + "title": "Address of a KAS instance" + }, + "publicKey": { + "$ref": "#/definitions/policyPublicKey", + "title": "Deprecated" + }, + "sourceType": { + "$ref": "#/definitions/policySourceType", + "title": "The source of the KAS: (INTERNAL, EXTERNAL)" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Kas keys associated with this KAS" + }, + "name": { + "type": "string", + "title": "Optional\nUnique name of the KAS instance" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "title": "Key Access Server Registry" + }, + "policyNamespace": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "name": { + "type": "string", + "title": "used to partition Attribute Definitions, support by namespace AuthN and\nenable federation" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + }, + 
"grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "KAS grants for the namespace" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys for the namespace" + } + } + }, + "policyPageRequest": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "Optional\nSet to configured default limit if not provided\nMaximum limit set in platform config and enforced by services" + }, + "offset": { + "type": "integer", + "format": "int32", + "title": "Optional\nDefaulted if not provided" + } + } + }, + "policyPageResponse": { + "type": "object", + "properties": { + "currentOffset": { + "type": "integer", + "format": "int32", + "title": "Requested pagination offset" + }, + "nextOffset": { + "type": "integer", + "format": "int32", + "title": "Calculated with request limit + offset or defaults\nEmpty when none remain after current page" + }, + "total": { + "type": "integer", + "format": "int32", + "title": "Total count of entire list" + } + } + }, + "policyPublicKey": { + "type": "object", + "properties": { + "remote": { + "type": "string", + "title": "kas public key url - optional since can also be retrieved via public key" + }, + "cached": { + "$ref": "#/definitions/policyKasPublicKeySet", + "title": "public key with additional information. 
Current preferred version" + } + }, + "title": "Deprecated" + }, + "policyResourceMapping": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue" + }, + "terms": { + "type": "array", + "items": { + "type": "string" + } + }, + "group": { + "$ref": "#/definitions/policyResourceMappingGroup" + } + }, + "title": "Resource Mappings (aka Access Control Resource Encodings aka ACRE) are\nstructures supporting the mapping of Resources and Attribute Values" + }, + "policyResourceMappingGroup": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "namespaceId": { + "type": "string", + "title": "the namespace containing the group of resource mappings" + }, + "name": { + "type": "string", + "title": "the common name for the group of resource mappings, which must be unique\nper namespace" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "description": "Resource Mapping Groups are namespaced collections of Resource Mappings\nassociated under a common group name." 
+ }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, + "policySourceType": { + "type": "string", + "enum": [ + "SOURCE_TYPE_UNSPECIFIED", + "SOURCE_TYPE_INTERNAL", + "SOURCE_TYPE_EXTERNAL" + ], + "default": "SOURCE_TYPE_UNSPECIFIED", + "description": "Describes whether this kas is managed by the organization or if they imported\nthe kas information from an external party. These two modes are necessary in order\nto encrypt a tdf dek with an external parties kas public key.\n\n - SOURCE_TYPE_INTERNAL: The kas is managed by the organization.\n - SOURCE_TYPE_EXTERNAL: The kas is managed by an external party." + }, + "policySubjectConditionSet": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "subjectSets": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectSet" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "description": "A container for multiple Subject Sets, each containing Condition Groups, each\ncontaining Conditions. Multiple Subject Sets in a SubjectConditionSet are\nevaluated with AND logic. As each Subject Mapping has only one Attribute\nValue, the SubjectConditionSet is reusable across multiple Subject Mappings /\nAttribute Values and is an independent unit." 
+ }, + "policySubjectMapping": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue", + "title": "the Attribute Value mapped to; aka: \"The Entity Entitlement Attribute\"" + }, + "subjectConditionSet": { + "$ref": "#/definitions/policySubjectConditionSet", + "title": "the reusable SubjectConditionSet mapped to the given Attribute Value" + }, + "actions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyAction" + }, + "title": "The actions permitted by subjects in this mapping" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute\nvalue + action(s) combination" + }, + "policySubjectMappingOperatorEnum": { + "type": "string", + "enum": [ + "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED", + "SUBJECT_MAPPING_OPERATOR_ENUM_IN", + "SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN", + "SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS" + ], + "default": "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED", + "title": "- SUBJECT_MAPPING_OPERATOR_ENUM_IN: operator that returns true if a value in a list matches the string\n - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN: operator that returns true if a value is not in a list that is matched by\nstring\n - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS: operator that returns true if a value in a list contains the substring" + }, + "policySubjectSet": { + "type": "object", + "properties": { + "conditionGroups": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyConditionGroup" + }, + "title": "multiple Condition Groups are evaluated with AND logic" + } + }, + "title": "A collection of Condition Groups" + }, + "policyValue": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "attribute": { + "$ref": "#/definitions/policyAttribute" + }, + "value": { + 
"type": "string" + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "Deprecated\nlist of key access servers" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "subjectMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectMapping" + }, + "title": "subject mapping" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + } + }, + "resourceMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyResourceMapping" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. 
(Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." + } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with 
an\nadditional field `@type` which contains the type URL. Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/policy/attributes/attributes.openapi.yaml b/docs/openapi/policy/attributes/attributes.openapi.yaml new file mode 100644 index 0000000000..7bdb5d458e --- /dev/null +++ b/docs/openapi/policy/attributes/attributes.openapi.yaml 
@@ -0,0 +1,2174 @@ +openapi: 3.1.0 +info: + title: policy.attributes +paths: + /policy.attributes.AttributesService/ListAttributes: + post: + tags: + - policy.attributes.AttributesService + summary: ListAttributes + description: |- + --------------------------------------* + Attribute RPCs + --------------------------------------- + operationId: policy.attributes.AttributesService.ListAttributes + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.ListAttributesRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.ListAttributesResponse' + /policy.attributes.AttributesService/ListAttributeValues: + post: + tags: + - policy.attributes.AttributesService + summary: ListAttributeValues + operationId: policy.attributes.AttributesService.ListAttributeValues + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.ListAttributeValuesRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.ListAttributeValuesResponse' + 
/policy.attributes.AttributesService/GetAttribute: + post: + tags: + - policy.attributes.AttributesService + summary: GetAttribute + operationId: policy.attributes.AttributesService.GetAttribute + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.GetAttributeRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.GetAttributeResponse' + /attributes/*/fqn: + get: + tags: + - policy.attributes.AttributesService + summary: GetAttributeValuesByFqns + operationId: policy.attributes.AttributesService.GetAttributeValuesByFqns + parameters: + - name: fqns + in: query + description: |- + Required + Fully Qualified Names of attribute values (i.e. https:///attr//value/), normalized to lower case. + schema: + type: array + items: + type: string + maxItems: 250 + minItems: 1 + title: fqns + maxItems: 250 + minItems: 1 + description: |- + Required + Fully Qualified Names of attribute values (i.e. https:///attr//value/), normalized to lower case. 
+ - name: withValue.withKeyAccessGrants + in: query + schema: + type: boolean + title: with_key_access_grants + - name: withValue.withSubjectMaps + in: query + schema: + type: boolean + title: with_subject_maps + - name: withValue.withResourceMaps + in: query + schema: + type: boolean + title: with_resource_maps + - name: withValue.withAttribute.withKeyAccessGrants + in: query + schema: + type: boolean + title: with_key_access_grants + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsResponse' + /policy.attributes.AttributesService/CreateAttribute: + post: + tags: + - policy.attributes.AttributesService + summary: CreateAttribute + operationId: policy.attributes.AttributesService.CreateAttribute + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.CreateAttributeRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.CreateAttributeResponse' + /policy.attributes.AttributesService/UpdateAttribute: + post: + tags: + - policy.attributes.AttributesService + summary: UpdateAttribute + operationId: policy.attributes.AttributesService.UpdateAttribute + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + 
schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.UpdateAttributeRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.UpdateAttributeResponse' + /policy.attributes.AttributesService/DeactivateAttribute: + post: + tags: + - policy.attributes.AttributesService + summary: DeactivateAttribute + operationId: policy.attributes.AttributesService.DeactivateAttribute + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.DeactivateAttributeRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.DeactivateAttributeResponse' + /policy.attributes.AttributesService/GetAttributeValue: + post: + tags: + - policy.attributes.AttributesService + summary: GetAttributeValue + description: |- + --------------------------------------* + Value RPCs + --------------------------------------- + operationId: policy.attributes.AttributesService.GetAttributeValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + 
application/json: + schema: + $ref: '#/components/schemas/policy.attributes.GetAttributeValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.GetAttributeValueResponse' + /policy.attributes.AttributesService/CreateAttributeValue: + post: + tags: + - policy.attributes.AttributesService + summary: CreateAttributeValue + operationId: policy.attributes.AttributesService.CreateAttributeValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.CreateAttributeValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.CreateAttributeValueResponse' + /policy.attributes.AttributesService/UpdateAttributeValue: + post: + tags: + - policy.attributes.AttributesService + summary: UpdateAttributeValue + operationId: policy.attributes.AttributesService.UpdateAttributeValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.UpdateAttributeValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: 
+ schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.UpdateAttributeValueResponse' + /policy.attributes.AttributesService/DeactivateAttributeValue: + post: + tags: + - policy.attributes.AttributesService + summary: DeactivateAttributeValue + operationId: policy.attributes.AttributesService.DeactivateAttributeValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.DeactivateAttributeValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.DeactivateAttributeValueResponse' + /policy.attributes.AttributesService/AssignKeyAccessServerToAttribute: + post: + tags: + - policy.attributes.AttributesService + summary: AssignKeyAccessServerToAttribute + description: |- + --------------------------------------* + Attribute <> Key Access Server RPCs + --------------------------------------- + operationId: policy.attributes.AttributesService.AssignKeyAccessServerToAttribute + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToAttributeRequest' + required: true + responses: + default: + description: Error + content: + 
application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToAttributeResponse' + /policy.attributes.AttributesService/RemoveKeyAccessServerFromAttribute: + post: + tags: + - policy.attributes.AttributesService + summary: RemoveKeyAccessServerFromAttribute + operationId: policy.attributes.AttributesService.RemoveKeyAccessServerFromAttribute + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromAttributeRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromAttributeResponse' + /policy.attributes.AttributesService/AssignKeyAccessServerToValue: + post: + tags: + - policy.attributes.AttributesService + summary: AssignKeyAccessServerToValue + operationId: policy.attributes.AttributesService.AssignKeyAccessServerToValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + 
"200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToValueResponse' + /policy.attributes.AttributesService/RemoveKeyAccessServerFromValue: + post: + tags: + - policy.attributes.AttributesService + summary: RemoveKeyAccessServerFromValue + operationId: policy.attributes.AttributesService.RemoveKeyAccessServerFromValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromValueResponse' + /policy.attributes.AttributesService/AssignPublicKeyToAttribute: + post: + tags: + - policy.attributes.AttributesService + summary: AssignPublicKeyToAttribute + operationId: policy.attributes.AttributesService.AssignPublicKeyToAttribute + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToAttributeRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/policy.attributes.AssignPublicKeyToAttributeResponse' + /policy.attributes.AttributesService/RemovePublicKeyFromAttribute: + post: + tags: + - policy.attributes.AttributesService + summary: RemovePublicKeyFromAttribute + operationId: policy.attributes.AttributesService.RemovePublicKeyFromAttribute + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromAttributeRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromAttributeResponse' + /policy.attributes.AttributesService/AssignPublicKeyToValue: + post: + tags: + - policy.attributes.AttributesService + summary: AssignPublicKeyToValue + operationId: policy.attributes.AttributesService.AssignPublicKeyToValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.AssignPublicKeyToValueResponse' + /policy.attributes.AttributesService/RemovePublicKeyFromValue: 
+ post: + tags: + - policy.attributes.AttributesService + summary: RemovePublicKeyFromValue + operationId: policy.attributes.AttributesService.RemovePublicKeyFromValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.attributes.RemovePublicKeyFromValueResponse' +components: + schemas: + common.ActiveStateEnum: + type: string + title: ActiveStateEnum + enum: + - ACTIVE_STATE_ENUM_UNSPECIFIED + - ACTIVE_STATE_ENUM_ACTIVE + - ACTIVE_STATE_ENUM_INACTIVE + - ACTIVE_STATE_ENUM_ANY + description: 'buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren''t violated when users add new enum values to an enum in a given package' + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + description: Supported key algorithms. 
+ policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. 
+ policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + common.MetadataMutable: + type: object + properties: + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional labels + title: MetadataMutable + additionalProperties: false + common.MetadataMutable.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for `bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. + google.protobuf.Timestamp: + type: string + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. 
The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. 
+ + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. 
+ policy.Action: + type: object + oneOf: + - properties: + custom: + type: string + title: custom + description: Deprecated + title: custom + required: + - custom + - properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Action + additionalProperties: false + description: An action an entity can take + policy.Attribute: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + description: namespace of the attribute + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + description: attribute name + rule: + title: rule + description: attribute rule enum + $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' + values: + type: array + items: + $ref: '#/components/schemas/policy.Value' + title: values + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys associated with the attribute + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Attribute + required: + - rule + additionalProperties: false + policy.AttributeValueSelector: + type: object + properties: + withKeyAccessGrants: + type: boolean + title: with_key_access_grants + withSubjectMaps: + type: boolean + title: with_subject_maps + withResourceMaps: + type: boolean + title: 
with_resource_maps + withAttribute: + title: with_attribute + $ref: '#/components/schemas/policy.AttributeValueSelector.AttributeSelector' + title: AttributeValueSelector + additionalProperties: false + policy.AttributeValueSelector.AttributeSelector: + type: object + properties: + withKeyAccessGrants: + type: boolean + title: with_key_access_grants + withNamespace: + title: with_namespace + $ref: '#/components/schemas/policy.AttributeValueSelector.AttributeSelector.NamespaceSelector' + title: AttributeSelector + additionalProperties: false + policy.AttributeValueSelector.AttributeSelector.NamespaceSelector: + type: object + title: NamespaceSelector + additionalProperties: false + policy.Condition: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as + from idP/LDAP) + operator: + title: operator + description: the evaluation operator of relation + $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' + subjectExternalValues: + type: array + items: + type: string + minItems: 1 + title: subject_external_values + minItems: 1 + description: |- + list of comparison values for the result of applying the + subject_external_selector_value on a flattened Entity Representation + (Subject), evaluated by the operator + title: Condition + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + * + A Condition defines a rule of + policy.ConditionGroup: + type: object + properties: + conditions: + type: array + items: + $ref: '#/components/schemas/policy.Condition' + title: conditions + minItems: 1 + booleanOperator: + title: boolean_operator + description: the boolean evaluation type across the conditions + $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum' + title: ConditionGroup + required: + - booleanOperator + additionalProperties: false + 
description: A collection of Conditions evaluated by the boolean_operator provided + policy.KasPublicKey: + type: object + properties: + pem: + type: string + title: pem + maxLength: 8192 + minLength: 1 + description: x509 ASN.1 content in PEM envelope, usually + kid: + type: string + title: kid + maxLength: 32 + minLength: 1 + description: A unique string identifier for this key + alg: + not: + enum: + - 0 + title: alg + description: |- + A known algorithm type with any additional parameters encoded. + To start, these may be `rsa:2048` for encrypting ZTDF files and + `ec:secp256r1` for nanoTDF, but more formats may be added as needed. + $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' + title: KasPublicKey + additionalProperties: false + description: |- + Deprecated + A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeySet: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.KasPublicKey' + title: keys + title: KasPublicKeySet + additionalProperties: false + description: |- + Deprecated + A list of known KAS public keys + policy.KeyAccessServer: + type: object + properties: + id: + type: string + title: id + uri: + type: string + title: uri + description: |+ + Address of a KAS instance + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. 
Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + + publicKey: + title: public_key + description: Deprecated + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: 'The source of the KAS: (INTERNAL, EXTERNAL)' + $ref: '#/components/schemas/policy.SourceType' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Kas keys associated with this KAS + name: + type: string + title: name + description: |- + Optional + Unique name of the KAS instance + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyAccessServer + additionalProperties: false + description: Key Access Server Registry + policy.Namespace: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + name: + type: string + title: name + description: |- + used to partition Attribute Definitions, support by namespace AuthN and + enable federation + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: KAS grants for the namespace + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys for the namespace + title: Namespace + additionalProperties: false + policy.PageRequest: + type: object + properties: + limit: + type: integer + title: limit + format: int32 + description: |- + Optional + Set 
to configured default limit if not provided + Maximum limit set in platform config and enforced by services + offset: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + title: PageRequest + additionalProperties: false + policy.PageResponse: + type: object + properties: + currentOffset: + type: integer + title: current_offset + format: int32 + description: Requested pagination offset + nextOffset: + type: integer + title: next_offset + format: int32 + description: |- + Calculated with request limit + offset or defaults + Empty when none remain after current page + total: + type: integer + title: total + format: int32 + description: Total count of entire list + title: PageResponse + additionalProperties: false + policy.PublicKey: + type: object + oneOf: + - properties: + cached: + title: cached + description: public key with additional information. Current preferred version + $ref: '#/components/schemas/policy.KasPublicKeySet' + title: cached + required: + - cached + - properties: + remote: + type: string + title: remote + description: |+ + kas public key url - optional since can also be retrieved via public key + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. 
Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + + title: remote + required: + - remote + title: PublicKey + additionalProperties: false + description: Deprecated + policy.ResourceMapping: + type: object + properties: + id: + type: string + title: id + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + terms: + type: array + items: + type: string + title: terms + group: + title: group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: ResourceMapping + required: + - attributeValue + additionalProperties: false + description: |- + Resource Mappings (aka Access Control Resource Encodings aka ACRE) are + structures supporting the mapping of Resources and Attribute Values + policy.ResourceMappingGroup: + type: object + properties: + id: + type: string + title: id + namespaceId: + type: string + title: namespace_id + description: the namespace containing the group of resource mappings + name: + type: string + title: name + description: |- + the common name for the group of resource mappings, which must be unique + per namespace + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: ResourceMappingGroup + required: + - namespaceId + - name + additionalProperties: false + description: |- + Resource Mapping Groups are namespaced collections of Resource Mappings + associated under a common group name. 
+ policy.SimpleKasKey: + type: object + properties: + kasUri: + type: string + title: kas_uri + description: The URL of the Key Access Server + publicKey: + title: public_key + description: The public key of the Key that belongs to the KAS + $ref: '#/components/schemas/policy.SimpleKasPublicKey' + kasId: + type: string + title: kas_id + description: The ID of the Key Access Server + title: SimpleKasKey + additionalProperties: false + policy.SimpleKasPublicKey: + type: object + properties: + algorithm: + title: algorithm + $ref: '#/components/schemas/policy.Algorithm' + kid: + type: string + title: kid + pem: + type: string + title: pem + title: SimpleKasPublicKey + additionalProperties: false + policy.SubjectConditionSet: + type: object + properties: + id: + type: string + title: id + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectConditionSet + additionalProperties: false + description: |- + A container for multiple Subject Sets, each containing Condition Groups, each + containing Conditions. Multiple Subject Sets in a SubjectConditionSet are + evaluated with AND logic. As each Subject Mapping has only one Attribute + Value, the SubjectConditionSet is reusable across multiple Subject Mappings / + Attribute Values and is an independent unit. 
+ policy.SubjectMapping: + type: object + properties: + id: + type: string + title: id + attributeValue: + title: attribute_value + description: 'the Attribute Value mapped to; aka: "The Entity Entitlement Attribute"' + $ref: '#/components/schemas/policy.Value' + subjectConditionSet: + title: subject_condition_set + description: the reusable SubjectConditionSet mapped to the given Attribute Value + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: The actions permitted by subjects in this mapping + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectMapping + additionalProperties: false + description: |- + Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute + value + action(s) combination + policy.SubjectSet: + type: object + properties: + conditionGroups: + type: array + items: + $ref: '#/components/schemas/policy.ConditionGroup' + title: condition_groups + minItems: 1 + description: multiple Condition Groups are evaluated with AND logic + title: SubjectSet + additionalProperties: false + description: A collection of Condition Groups + policy.Value: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + value: + type: string + title: value + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: |- + Deprecated + list of key access servers + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + description: subject mapping + kasKeys: + type: array + items: 
+ $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + resourceMappings: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMapping' + title: resource_mappings + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Value + additionalProperties: false + policy.attributes.AssignKeyAccessServerToAttributeRequest: + type: object + properties: + attributeKeyAccessServer: + title: attribute_key_access_server + description: Required + $ref: '#/components/schemas/policy.attributes.AttributeKeyAccessServer' + title: AssignKeyAccessServerToAttributeRequest + additionalProperties: false + policy.attributes.AssignKeyAccessServerToAttributeResponse: + type: object + properties: + attributeKeyAccessServer: + title: attribute_key_access_server + $ref: '#/components/schemas/policy.attributes.AttributeKeyAccessServer' + title: AssignKeyAccessServerToAttributeResponse + additionalProperties: false + policy.attributes.AssignKeyAccessServerToValueRequest: + type: object + properties: + valueKeyAccessServer: + title: value_key_access_server + description: Required + $ref: '#/components/schemas/policy.attributes.ValueKeyAccessServer' + title: AssignKeyAccessServerToValueRequest + additionalProperties: false + policy.attributes.AssignKeyAccessServerToValueResponse: + type: object + properties: + valueKeyAccessServer: + title: value_key_access_server + $ref: '#/components/schemas/policy.attributes.ValueKeyAccessServer' + title: AssignKeyAccessServerToValueResponse + additionalProperties: false + policy.attributes.AssignPublicKeyToAttributeRequest: + type: object + properties: + attributeKey: + title: attribute_key + description: Required + $ref: '#/components/schemas/policy.attributes.AttributeKey' + title: AssignPublicKeyToAttributeRequest + required: + - attributeKey + additionalProperties: false + policy.attributes.AssignPublicKeyToAttributeResponse: + type: object + properties: + 
attributeKey: + title: attribute_key + description: Required + $ref: '#/components/schemas/policy.attributes.AttributeKey' + title: AssignPublicKeyToAttributeResponse + additionalProperties: false + policy.attributes.AssignPublicKeyToValueRequest: + type: object + properties: + valueKey: + title: value_key + description: Required + $ref: '#/components/schemas/policy.attributes.ValueKey' + title: AssignPublicKeyToValueRequest + required: + - valueKey + additionalProperties: false + policy.attributes.AssignPublicKeyToValueResponse: + type: object + properties: + valueKey: + title: value_key + description: Required + $ref: '#/components/schemas/policy.attributes.ValueKey' + title: AssignPublicKeyToValueResponse + additionalProperties: false + policy.attributes.AttributeKey: + type: object + properties: + attributeId: + type: string + title: attribute_id + format: uuid + description: Required + keyId: + type: string + title: key_id + format: uuid + description: Required + title: AttributeKey + required: + - attributeId + - keyId + additionalProperties: false + policy.attributes.AttributeKeyAccessServer: + type: object + properties: + attributeId: + type: string + title: attribute_id + format: uuid + description: Required + keyAccessServerId: + type: string + title: key_access_server_id + format: uuid + description: Required + title: AttributeKeyAccessServer + additionalProperties: false + policy.attributes.CreateAttributeRequest: + type: object + properties: + namespaceId: + type: string + title: namespace_id + format: uuid + description: Required + name: + type: string + title: name + maxLength: 253 + description: |+ + Required + Attribute name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. 
The stored attribute name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + rule: + title: rule + description: Required + $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' + values: + type: array + items: + type: string + maxLength: 253 + pattern: ^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$ + uniqueItems: true + title: values + uniqueItems: true + description: "Optional \n Attribute values (when provided) must be alphanumeric strings, allowing hyphens and underscores but not as the first or last character.\n The stored attribute value will be normalized to lower case." + metadata: + title: metadata + description: Optional + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateAttributeRequest + required: + - name + - rule + additionalProperties: false + policy.attributes.CreateAttributeResponse: + type: object + properties: + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + title: CreateAttributeResponse + additionalProperties: false + policy.attributes.CreateAttributeValueRequest: + type: object + properties: + attributeId: + type: string + title: attribute_id + format: uuid + description: Required + value: + type: string + title: value + maxLength: 253 + description: |+ + Required + Attribute value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. 
The stored attribute value will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateAttributeValueRequest + required: + - value + additionalProperties: false + policy.attributes.CreateAttributeValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.Value' + title: CreateAttributeValueResponse + additionalProperties: false + policy.attributes.DeactivateAttributeRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeactivateAttributeRequest + additionalProperties: false + policy.attributes.DeactivateAttributeResponse: + type: object + properties: + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + title: DeactivateAttributeResponse + additionalProperties: false + policy.attributes.DeactivateAttributeValueRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeactivateAttributeValueRequest + additionalProperties: false + policy.attributes.DeactivateAttributeValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.Value' + title: DeactivateAttributeValueResponse + additionalProperties: false + policy.attributes.GetAttributeRequest: + type: object + oneOf: + - properties: + attributeId: + type: string + title: attribute_id + format: uuid + description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' + title: attribute_id + required: + - attributeId + - properties: + fqn: + type: string + title: fqn + minLength: 1 + format: uri + title: fqn + required: + - fqn + properties: + id: + type: string + title: id + format: uuid + description: Deprecated + deprecated: true + 
title: GetAttributeRequest + additionalProperties: false + description: |+ + Either use deprecated 'id' field or one of 'attribute_id' or 'fqn', but not both: + ``` + !(has(this.id) && (has(this.attribute_id) || has(this.fqn))) + ``` + + Either id or one of attribute_id or fqn must be set: + ``` + has(this.id) || has(this.attribute_id) || has(this.fqn) + ``` + + policy.attributes.GetAttributeResponse: + type: object + properties: + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + title: GetAttributeResponse + additionalProperties: false + policy.attributes.GetAttributeValueRequest: + type: object + oneOf: + - properties: + fqn: + type: string + title: fqn + minLength: 1 + format: uri + title: fqn + required: + - fqn + - properties: + valueId: + type: string + title: value_id + format: uuid + description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' + title: value_id + required: + - valueId + properties: + id: + type: string + title: id + format: uuid + description: Deprecated + deprecated: true + title: GetAttributeValueRequest + additionalProperties: false + description: |+ + / + / Value RPC messages + / + Either use deprecated 'id' field or one of 'value_id' or 'fqn', but not both: + ``` + !(has(this.id) && (has(this.value_id) || has(this.fqn))) + ``` + + Either id or one of value_id or fqn must be set: + ``` + has(this.id) || has(this.value_id) || has(this.fqn) + ``` + + policy.attributes.GetAttributeValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.Value' + title: GetAttributeValueResponse + additionalProperties: false + policy.attributes.GetAttributeValuesByFqnsRequest: + type: object + properties: + fqns: + type: array + items: + type: string + maxItems: 250 + minItems: 1 + title: fqns + maxItems: 250 + minItems: 1 + description: |- + Required + Fully Qualified Names of attribute values (i.e. 
https:///attr//value/), normalized to lower case. + withValue: + title: with_value + description: |- + Optional + This attribute value selector is not used currently, but left here for future use. + $ref: '#/components/schemas/policy.AttributeValueSelector' + title: GetAttributeValuesByFqnsRequest + additionalProperties: false + policy.attributes.GetAttributeValuesByFqnsResponse: + type: object + properties: + fqnAttributeValues: + type: object + title: fqn_attribute_values + additionalProperties: + title: value + $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsResponse.AttributeAndValue' + description: map of FQNs to complete attributes and the one selected value + title: GetAttributeValuesByFqnsResponse + additionalProperties: false + policy.attributes.GetAttributeValuesByFqnsResponse.AttributeAndValue: + type: object + properties: + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + value: + title: value + $ref: '#/components/schemas/policy.Value' + title: AttributeAndValue + additionalProperties: false + policy.attributes.GetAttributeValuesByFqnsResponse.FqnAttributeValuesEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + $ref: '#/components/schemas/policy.attributes.GetAttributeValuesByFqnsResponse.AttributeAndValue' + title: FqnAttributeValuesEntry + additionalProperties: false + policy.attributes.ListAttributeValuesRequest: + type: object + properties: + attributeId: + type: string + title: attribute_id + format: uuid + description: Required + state: + title: state + description: |- + Optional + ACTIVE by default when not specified + $ref: '#/components/schemas/common.ActiveStateEnum' + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListAttributeValuesRequest + additionalProperties: false + policy.attributes.ListAttributeValuesResponse: + type: object + properties: + values: + type: array + 
items: + $ref: '#/components/schemas/policy.Value' + title: values + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListAttributeValuesResponse + additionalProperties: false + policy.attributes.ListAttributesRequest: + type: object + properties: + state: + title: state + description: |- + Optional + ACTIVE by default when not specified + $ref: '#/components/schemas/common.ActiveStateEnum' + namespace: + type: string + title: namespace + description: |- + Optional + Namespace ID or name + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListAttributesRequest + additionalProperties: false + policy.attributes.ListAttributesResponse: + type: object + properties: + attributes: + type: array + items: + $ref: '#/components/schemas/policy.Attribute' + title: attributes + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListAttributesResponse + additionalProperties: false + policy.attributes.RemoveKeyAccessServerFromAttributeRequest: + type: object + properties: + attributeKeyAccessServer: + title: attribute_key_access_server + description: Required + $ref: '#/components/schemas/policy.attributes.AttributeKeyAccessServer' + title: RemoveKeyAccessServerFromAttributeRequest + additionalProperties: false + policy.attributes.RemoveKeyAccessServerFromAttributeResponse: + type: object + properties: + attributeKeyAccessServer: + title: attribute_key_access_server + $ref: '#/components/schemas/policy.attributes.AttributeKeyAccessServer' + title: RemoveKeyAccessServerFromAttributeResponse + additionalProperties: false + policy.attributes.RemoveKeyAccessServerFromValueRequest: + type: object + properties: + valueKeyAccessServer: + title: value_key_access_server + description: Required + $ref: '#/components/schemas/policy.attributes.ValueKeyAccessServer' + title: RemoveKeyAccessServerFromValueRequest + additionalProperties: false + 
policy.attributes.RemoveKeyAccessServerFromValueResponse: + type: object + properties: + valueKeyAccessServer: + title: value_key_access_server + $ref: '#/components/schemas/policy.attributes.ValueKeyAccessServer' + title: RemoveKeyAccessServerFromValueResponse + additionalProperties: false + policy.attributes.RemovePublicKeyFromAttributeRequest: + type: object + properties: + attributeKey: + title: attribute_key + description: Required + $ref: '#/components/schemas/policy.attributes.AttributeKey' + title: RemovePublicKeyFromAttributeRequest + required: + - attributeKey + additionalProperties: false + policy.attributes.RemovePublicKeyFromAttributeResponse: + type: object + properties: + attributeKey: + title: attribute_key + description: Required + $ref: '#/components/schemas/policy.attributes.AttributeKey' + title: RemovePublicKeyFromAttributeResponse + additionalProperties: false + policy.attributes.RemovePublicKeyFromValueRequest: + type: object + properties: + valueKey: + title: value_key + description: Required + $ref: '#/components/schemas/policy.attributes.ValueKey' + title: RemovePublicKeyFromValueRequest + required: + - valueKey + additionalProperties: false + policy.attributes.RemovePublicKeyFromValueResponse: + type: object + properties: + valueKey: + title: value_key + description: Required + $ref: '#/components/schemas/policy.attributes.ValueKey' + title: RemovePublicKeyFromValueResponse + additionalProperties: false + policy.attributes.UpdateAttributeRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + metadata: + title: metadata + description: Optional + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateAttributeRequest + additionalProperties: false + policy.attributes.UpdateAttributeResponse: + type: object + properties: + attribute: + title: attribute + $ref: 
'#/components/schemas/policy.Attribute' + title: UpdateAttributeResponse + additionalProperties: false + policy.attributes.UpdateAttributeValueRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateAttributeValueRequest + additionalProperties: false + policy.attributes.UpdateAttributeValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.Value' + title: UpdateAttributeValueResponse + additionalProperties: false + policy.attributes.ValueKey: + type: object + properties: + valueId: + type: string + title: value_id + format: uuid + description: Required + keyId: + type: string + title: key_id + format: uuid + description: Required (The id listed in the AsymmetricKeys object) + title: ValueKey + required: + - valueId + - keyId + additionalProperties: false + policy.attributes.ValueKeyAccessServer: + type: object + properties: + valueId: + type: string + title: value_id + format: uuid + description: Required + keyAccessServerId: + type: string + title: key_access_server_id + format: uuid + description: Required + title: ValueKeyAccessServer + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - 
aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. +security: [] +tags: + - name: policy.attributes.AttributesService + description: |- + / + / Attribute Service + / diff --git a/docs/openapi/policy/attributes/attributes.swagger.json b/docs/openapi/policy/attributes/attributes.swagger.json new file mode 100644 index 0000000000..780da3650c --- /dev/null +++ b/docs/openapi/policy/attributes/attributes.swagger.json 
@@ -0,0 +1,975 @@ +{ + "swagger": "2.0", + "info": { + "title": "policy/attributes/attributes.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "AttributesService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": { + "/attributes/*/fqn": { + "get": { + "operationId": "AttributesService_GetAttributeValuesByFqns", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/attributesGetAttributeValuesByFqnsResponse" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/rpcStatus" + } + } + }, + "parameters": [ + { + "name": "fqns", + "description": "Required\nFully Qualified Names of attribute values (i.e. https://\u003cnamespace\u003e/attr/\u003cattribute_name\u003e/value/\u003cvalue_name\u003e), normalized to lower case.", + "in": "query", + "required": false, + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "multi" + }, + { + "name": "withValue.withKeyAccessGrants", + "in": "query", + "required": false, + "type": "boolean" + }, + { + "name": "withValue.withSubjectMaps", + "in": "query", + "required": false, + "type": "boolean" + }, + { + "name": "withValue.withResourceMaps", + "in": "query", + "required": false, + "type": "boolean" + }, + { + "name": "withValue.withAttribute.withKeyAccessGrants", + "in": "query", + "required": false, + "type": "boolean" + } + ], + "tags": [ + "AttributesService" + ] + } + } + }, + "definitions": { + "ActionStandardAction": { + "type": "string", + "enum": [ + "STANDARD_ACTION_UNSPECIFIED", + "STANDARD_ACTION_DECRYPT", + "STANDARD_ACTION_TRANSMIT" + ], + "default": "STANDARD_ACTION_UNSPECIFIED", + "title": "- STANDARD_ACTION_DECRYPT: Deprecated\nMigrate to 'read' action name\n - STANDARD_ACTION_TRANSMIT: Deprecated\nMigrate to 'create' action name" + }, + "AttributeValueSelectorAttributeSelectorNamespaceSelector": { + 
"type": "object" + }, + "GetAttributeValuesByFqnsResponseAttributeAndValue": { + "type": "object", + "properties": { + "attribute": { + "$ref": "#/definitions/policyAttribute" + }, + "value": { + "$ref": "#/definitions/policyValue" + } + } + }, + "attributesAssignKeyAccessServerToAttributeResponse": { + "type": "object", + "properties": { + "attributeKeyAccessServer": { + "$ref": "#/definitions/attributesAttributeKeyAccessServer" + } + } + }, + "attributesAssignKeyAccessServerToValueResponse": { + "type": "object", + "properties": { + "valueKeyAccessServer": { + "$ref": "#/definitions/attributesValueKeyAccessServer" + } + } + }, + "attributesAssignPublicKeyToAttributeResponse": { + "type": "object", + "properties": { + "attributeKey": { + "$ref": "#/definitions/attributesAttributeKey", + "title": "Required" + } + } + }, + "attributesAssignPublicKeyToValueResponse": { + "type": "object", + "properties": { + "valueKey": { + "$ref": "#/definitions/attributesValueKey", + "title": "Required" + } + } + }, + "attributesAttributeKey": { + "type": "object", + "properties": { + "attributeId": { + "type": "string", + "title": "Required" + }, + "keyId": { + "type": "string", + "title": "Required" + } + } + }, + "attributesAttributeKeyAccessServer": { + "type": "object", + "properties": { + "attributeId": { + "type": "string", + "title": "Required" + }, + "keyAccessServerId": { + "type": "string", + "title": "Required" + } + } + }, + "attributesCreateAttributeResponse": { + "type": "object", + "properties": { + "attribute": { + "$ref": "#/definitions/policyAttribute" + } + } + }, + "attributesCreateAttributeValueResponse": { + "type": "object", + "properties": { + "value": { + "$ref": "#/definitions/policyValue" + } + } + }, + "attributesDeactivateAttributeResponse": { + "type": "object", + "properties": { + "attribute": { + "$ref": "#/definitions/policyAttribute" + } + } + }, + "attributesDeactivateAttributeValueResponse": { + "type": "object", + "properties": { + "value": { + 
"$ref": "#/definitions/policyValue" + } + } + }, + "attributesGetAttributeResponse": { + "type": "object", + "properties": { + "attribute": { + "$ref": "#/definitions/policyAttribute" + } + } + }, + "attributesGetAttributeValueResponse": { + "type": "object", + "properties": { + "value": { + "$ref": "#/definitions/policyValue" + } + } + }, + "attributesGetAttributeValuesByFqnsResponse": { + "type": "object", + "properties": { + "fqnAttributeValues": { + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/GetAttributeValuesByFqnsResponseAttributeAndValue" + }, + "title": "map of FQNs to complete attributes and the one selected value" + } + } + }, + "attributesListAttributeValuesResponse": { + "type": "object", + "properties": { + "values": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyValue" + } + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse" + } + } + }, + "attributesListAttributesResponse": { + "type": "object", + "properties": { + "attributes": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyAttribute" + } + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse" + } + } + }, + "attributesRemoveKeyAccessServerFromAttributeResponse": { + "type": "object", + "properties": { + "attributeKeyAccessServer": { + "$ref": "#/definitions/attributesAttributeKeyAccessServer" + } + } + }, + "attributesRemoveKeyAccessServerFromValueResponse": { + "type": "object", + "properties": { + "valueKeyAccessServer": { + "$ref": "#/definitions/attributesValueKeyAccessServer" + } + } + }, + "attributesRemovePublicKeyFromAttributeResponse": { + "type": "object", + "properties": { + "attributeKey": { + "$ref": "#/definitions/attributesAttributeKey", + "title": "Required" + } + } + }, + "attributesRemovePublicKeyFromValueResponse": { + "type": "object", + "properties": { + "valueKey": { + "$ref": "#/definitions/attributesValueKey", + "title": "Required" + } + } + }, + 
"attributesUpdateAttributeResponse": { + "type": "object", + "properties": { + "attribute": { + "$ref": "#/definitions/policyAttribute" + } + } + }, + "attributesUpdateAttributeValueResponse": { + "type": "object", + "properties": { + "value": { + "$ref": "#/definitions/policyValue" + } + } + }, + "attributesValueKey": { + "type": "object", + "properties": { + "valueId": { + "type": "string", + "title": "Required" + }, + "keyId": { + "type": "string", + "title": "Required (The id listed in the AsymmetricKeys object)" + } + } + }, + "attributesValueKeyAccessServer": { + "type": "object", + "properties": { + "valueId": { + "type": "string", + "title": "Required" + }, + "keyAccessServerId": { + "type": "string", + "title": "Required" + } + } + }, + "commonActiveStateEnum": { + "type": "string", + "enum": [ + "ACTIVE_STATE_ENUM_UNSPECIFIED", + "ACTIVE_STATE_ENUM_ACTIVE", + "ACTIVE_STATE_ENUM_INACTIVE", + "ACTIVE_STATE_ENUM_ANY" + ], + "default": "ACTIVE_STATE_ENUM_UNSPECIFIED", + "title": "buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren't violated when users add new enum values to an enum in a given package" + }, + "commonMetadata": { + "type": "object", + "properties": { + "createdAt": { + "type": "string", + "format": "date-time", + "title": "created_at set by server (entity who created will recorded in an audit event)" + }, + "updatedAt": { + "type": "string", + "format": "date-time", + "title": "updated_at set by server (entity who updated will recorded in an audit event)" + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional short description" + } + }, + "title": "Struct to uniquely identify a resource with optional additional metadata" + }, + "commonMetadataMutable": { + "type": "object", + "properties": { + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional labels" + } + } + }, + "commonMetadataUpdateEnum": { + "type": "string", + 
"enum": [ + "METADATA_UPDATE_ENUM_UNSPECIFIED", + "METADATA_UPDATE_ENUM_EXTEND", + "METADATA_UPDATE_ENUM_REPLACE" + ], + "default": "METADATA_UPDATE_ENUM_UNSPECIFIED", + "title": "- METADATA_UPDATE_ENUM_UNSPECIFIED: unspecified update type\n - METADATA_UPDATE_ENUM_EXTEND: only update the fields that are provided\n - METADATA_UPDATE_ENUM_REPLACE: replace the entire metadata with the provided metadata" + }, + "policyAction": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "Generated uuid in database" + }, + "standard": { + "$ref": "#/definitions/ActionStandardAction", + "title": "Deprecated" + }, + "custom": { + "type": "string", + "title": "Deprecated" + }, + "name": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "An action an entity can take" + }, + "policyAlgorithm": { + "type": "string", + "enum": [ + "ALGORITHM_UNSPECIFIED", + "ALGORITHM_RSA_2048", + "ALGORITHM_RSA_4096", + "ALGORITHM_EC_P256", + "ALGORITHM_EC_P384", + "ALGORITHM_EC_P521" + ], + "default": "ALGORITHM_UNSPECIFIED", + "description": "Supported key algorithms." 
+ }, + "policyAttribute": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "namespace": { + "$ref": "#/definitions/policyNamespace", + "title": "namespace of the attribute" + }, + "name": { + "type": "string", + "title": "attribute name" + }, + "rule": { + "$ref": "#/definitions/policyAttributeRuleTypeEnum", + "title": "attribute rule enum" + }, + "values": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyValue" + } + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "Deprecated" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys associated with the attribute" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyAttributeRuleTypeEnum": { + "type": "string", + "enum": [ + "ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED", + "ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF", + "ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF", + "ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY" + ], + "default": "ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED" + }, + "policyAttributeValueSelector": { + "type": "object", + "properties": { + "withKeyAccessGrants": { + "type": "boolean" + }, + "withSubjectMaps": { + "type": "boolean" + }, + "withResourceMaps": { + "type": "boolean" + }, + "withAttribute": { + "$ref": "#/definitions/policyAttributeValueSelectorAttributeSelector" + } + } + }, + "policyAttributeValueSelectorAttributeSelector": { + "type": "object", + "properties": { + "withKeyAccessGrants": { + "type": "boolean" + }, + "withNamespace": { + "$ref": "#/definitions/AttributeValueSelectorAttributeSelectorNamespaceSelector" + } + } + }, + "policyCondition": { + "type": "object", + "properties": { + 
"subjectExternalSelectorValue": { + "type": "string", + "title": "a selector for a field value on a flattened Entity Representation (such as\nfrom idP/LDAP)" + }, + "operator": { + "$ref": "#/definitions/policySubjectMappingOperatorEnum", + "title": "the evaluation operator of relation" + }, + "subjectExternalValues": { + "type": "array", + "items": { + "type": "string" + }, + "title": "list of comparison values for the result of applying the\nsubject_external_selector_value on a flattened Entity Representation\n(Subject), evaluated by the operator" + } + }, + "title": "*\nA Condition defines a rule of \u003cthe value at the flattened 'selector value'\nlocation\u003e \u003coperator\u003e \u003csubject external values\u003e" + }, + "policyConditionBooleanTypeEnum": { + "type": "string", + "enum": [ + "CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED", + "CONDITION_BOOLEAN_TYPE_ENUM_AND", + "CONDITION_BOOLEAN_TYPE_ENUM_OR" + ], + "default": "CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED" + }, + "policyConditionGroup": { + "type": "object", + "properties": { + "conditions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyCondition" + } + }, + "booleanOperator": { + "$ref": "#/definitions/policyConditionBooleanTypeEnum", + "title": "the boolean evaluation type across the conditions" + } + }, + "title": "A collection of Conditions evaluated by the boolean_operator provided" + }, + "policyKasPublicKey": { + "type": "object", + "properties": { + "pem": { + "type": "string", + "title": "x509 ASN.1 content in PEM envelope, usually" + }, + "kid": { + "type": "string", + "title": "A unique string identifier for this key" + }, + "alg": { + "$ref": "#/definitions/policyKasPublicKeyAlgEnum", + "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and\n`ec:secp256r1` for nanoTDF, but more formats may be added as needed." 
+ } + }, + "title": "Deprecated\nA KAS public key and some associated metadata for further identifcation" + }, + "policyKasPublicKeyAlgEnum": { + "type": "string", + "enum": [ + "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1" + ], + "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED" + }, + "policyKasPublicKeySet": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKasPublicKey" + } + } + }, + "title": "Deprecated\nA list of known KAS public keys" + }, + "policyKeyAccessServer": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "uri": { + "type": "string", + "title": "Address of a KAS instance" + }, + "publicKey": { + "$ref": "#/definitions/policyPublicKey", + "title": "Deprecated" + }, + "sourceType": { + "$ref": "#/definitions/policySourceType", + "title": "The source of the KAS: (INTERNAL, EXTERNAL)" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Kas keys associated with this KAS" + }, + "name": { + "type": "string", + "title": "Optional\nUnique name of the KAS instance" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "title": "Key Access Server Registry" + }, + "policyNamespace": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "name": { + "type": "string", + "title": "used to partition Attribute Definitions, support by namespace AuthN and\nenable federation" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + }, + 
"grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "KAS grants for the namespace" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys for the namespace" + } + } + }, + "policyPageRequest": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "Optional\nSet to configured default limit if not provided\nMaximum limit set in platform config and enforced by services" + }, + "offset": { + "type": "integer", + "format": "int32", + "title": "Optional\nDefaulted if not provided" + } + } + }, + "policyPageResponse": { + "type": "object", + "properties": { + "currentOffset": { + "type": "integer", + "format": "int32", + "title": "Requested pagination offset" + }, + "nextOffset": { + "type": "integer", + "format": "int32", + "title": "Calculated with request limit + offset or defaults\nEmpty when none remain after current page" + }, + "total": { + "type": "integer", + "format": "int32", + "title": "Total count of entire list" + } + } + }, + "policyPublicKey": { + "type": "object", + "properties": { + "remote": { + "type": "string", + "title": "kas public key url - optional since can also be retrieved via public key" + }, + "cached": { + "$ref": "#/definitions/policyKasPublicKeySet", + "title": "public key with additional information. 
Current preferred version" + } + }, + "title": "Deprecated" + }, + "policyResourceMapping": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue" + }, + "terms": { + "type": "array", + "items": { + "type": "string" + } + }, + "group": { + "$ref": "#/definitions/policyResourceMappingGroup" + } + }, + "title": "Resource Mappings (aka Access Control Resource Encodings aka ACRE) are\nstructures supporting the mapping of Resources and Attribute Values" + }, + "policyResourceMappingGroup": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "namespaceId": { + "type": "string", + "title": "the namespace containing the group of resource mappings" + }, + "name": { + "type": "string", + "title": "the common name for the group of resource mappings, which must be unique\nper namespace" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "description": "Resource Mapping Groups are namespaced collections of Resource Mappings\nassociated under a common group name." 
+ }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, + "policySourceType": { + "type": "string", + "enum": [ + "SOURCE_TYPE_UNSPECIFIED", + "SOURCE_TYPE_INTERNAL", + "SOURCE_TYPE_EXTERNAL" + ], + "default": "SOURCE_TYPE_UNSPECIFIED", + "description": "Describes whether this kas is managed by the organization or if they imported\nthe kas information from an external party. These two modes are necessary in order\nto encrypt a tdf dek with an external parties kas public key.\n\n - SOURCE_TYPE_INTERNAL: The kas is managed by the organization.\n - SOURCE_TYPE_EXTERNAL: The kas is managed by an external party." + }, + "policySubjectConditionSet": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "subjectSets": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectSet" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "description": "A container for multiple Subject Sets, each containing Condition Groups, each\ncontaining Conditions. Multiple Subject Sets in a SubjectConditionSet are\nevaluated with AND logic. As each Subject Mapping has only one Attribute\nValue, the SubjectConditionSet is reusable across multiple Subject Mappings /\nAttribute Values and is an independent unit." 
+ }, + "policySubjectMapping": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue", + "title": "the Attribute Value mapped to; aka: \"The Entity Entitlement Attribute\"" + }, + "subjectConditionSet": { + "$ref": "#/definitions/policySubjectConditionSet", + "title": "the reusable SubjectConditionSet mapped to the given Attribute Value" + }, + "actions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyAction" + }, + "title": "The actions permitted by subjects in this mapping" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute\nvalue + action(s) combination" + }, + "policySubjectMappingOperatorEnum": { + "type": "string", + "enum": [ + "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED", + "SUBJECT_MAPPING_OPERATOR_ENUM_IN", + "SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN", + "SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS" + ], + "default": "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED", + "title": "- SUBJECT_MAPPING_OPERATOR_ENUM_IN: operator that returns true if a value in a list matches the string\n - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN: operator that returns true if a value is not in a list that is matched by\nstring\n - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS: operator that returns true if a value in a list contains the substring" + }, + "policySubjectSet": { + "type": "object", + "properties": { + "conditionGroups": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyConditionGroup" + }, + "title": "multiple Condition Groups are evaluated with AND logic" + } + }, + "title": "A collection of Condition Groups" + }, + "policyValue": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "attribute": { + "$ref": "#/definitions/policyAttribute" + }, + "value": { + 
"type": "string" + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "Deprecated\nlist of key access servers" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "subjectMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectMapping" + }, + "title": "subject mapping" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + } + }, + "resourceMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyResourceMapping" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. 
(Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." + } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with 
an\nadditional field `@type` which contains the type URL. Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml b/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml new file mode 100644 index 0000000000..d311651f8a --- /dev/null +++ b/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml 
@@ -0,0 +1,2091 @@ +openapi: 3.1.0 +info: + title: policy.kasregistry +paths: + /key-access-servers: + get: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: ListKeyAccessServers + operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServers + parameters: + - name: pagination.limit + in: query + description: |- + Optional + Set to configured default limit if not provided + Maximum limit set in platform config and enforced by services + schema: + type: integer + title: limit + format: int32 + description: |- + Optional + Set to configured default limit if not provided + Maximum limit set in platform config and enforced by services + - name: pagination.offset + in: query + description: |- + Optional + Defaulted if not provided + schema: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServersResponse' + /policy.kasregistry.KeyAccessServerRegistryService/GetKeyAccessServer: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: GetKeyAccessServer + operationId: policy.kasregistry.KeyAccessServerRegistryService.GetKeyAccessServer + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.GetKeyAccessServerRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success 
+ content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.GetKeyAccessServerResponse' + /policy.kasregistry.KeyAccessServerRegistryService/CreateKeyAccessServer: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: CreateKeyAccessServer + operationId: policy.kasregistry.KeyAccessServerRegistryService.CreateKeyAccessServer + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.CreateKeyAccessServerRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.CreateKeyAccessServerResponse' + /policy.kasregistry.KeyAccessServerRegistryService/UpdateKeyAccessServer: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: UpdateKeyAccessServer + operationId: policy.kasregistry.KeyAccessServerRegistryService.UpdateKeyAccessServer + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.UpdateKeyAccessServerRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/policy.kasregistry.UpdateKeyAccessServerResponse' + /policy.kasregistry.KeyAccessServerRegistryService/DeleteKeyAccessServer: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: DeleteKeyAccessServer + operationId: policy.kasregistry.KeyAccessServerRegistryService.DeleteKeyAccessServer + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.DeleteKeyAccessServerRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.DeleteKeyAccessServerResponse' + /policy.kasregistry.KeyAccessServerRegistryService/ListKeyAccessServerGrants: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: ListKeyAccessServerGrants + description: Deprecated + operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyAccessServerGrants + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServerGrantsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/policy.kasregistry.ListKeyAccessServerGrantsResponse' + /policy.kasregistry.KeyAccessServerRegistryService/CreateKey: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: CreateKey + description: |- + KAS Key Management + Request to create a new key in the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.CreateKey + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.CreateKeyRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.CreateKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/GetKey: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: GetKey + description: Request to retrieve a key from the Key Access Service. 
+ operationId: policy.kasregistry.KeyAccessServerRegistryService.GetKey + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.GetKeyRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.GetKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/ListKeys: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: ListKeys + description: Request to list keys in the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeys + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.ListKeysRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.ListKeysResponse' + /policy.kasregistry.KeyAccessServerRegistryService/UpdateKey: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: UpdateKey + description: Request to update a key in the Key Access Service. 
+ operationId: policy.kasregistry.KeyAccessServerRegistryService.UpdateKey + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.UpdateKeyRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.UpdateKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/RotateKey: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: RotateKey + description: Request to rotate a key in the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.RotateKey + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.RotateKeyRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.RotateKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/SetBaseKey: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: SetBaseKey + description: Request to set the default a default kas key. 
+ operationId: policy.kasregistry.KeyAccessServerRegistryService.SetBaseKey + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.SetBaseKeyRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.SetBaseKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/GetBaseKey: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: GetBaseKey + description: Get Default kas keys + operationId: policy.kasregistry.KeyAccessServerRegistryService.GetBaseKey + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.GetBaseKeyRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.GetBaseKeyResponse' +components: + schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - 
ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + description: Supported key algorithms. + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + policy.KeyMode: + type: string + title: KeyMode + enum: + - KEY_MODE_UNSPECIFIED + - KEY_MODE_CONFIG_ROOT_KEY + - KEY_MODE_PROVIDER_ROOT_KEY + - KEY_MODE_REMOTE + - KEY_MODE_PUBLIC_KEY_ONLY + description: Describes the management and operational mode of a cryptographic key. + policy.KeyStatus: + type: string + title: KeyStatus + enum: + - KEY_STATUS_UNSPECIFIED + - KEY_STATUS_ACTIVE + - KEY_STATUS_ROTATED + description: The status of the key + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. 
+ common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + common.MetadataMutable: + type: object + properties: + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional labels + title: MetadataMutable + additionalProperties: false + common.MetadataMutable.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for `bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. + google.protobuf.Timestamp: + type: string + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. 
Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. + + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. 
That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. 
+ policy.AsymmetricKey: + type: object + properties: + id: + type: string + title: id + description: Required + keyId: + type: string + title: key_id + description: Required + keyAlgorithm: + title: key_algorithm + description: Required + $ref: '#/components/schemas/policy.Algorithm' + keyStatus: + title: key_status + description: Required + $ref: '#/components/schemas/policy.KeyStatus' + keyMode: + title: key_mode + description: Required Specifies how the key is managed (local or remote) + $ref: '#/components/schemas/policy.KeyMode' + publicKeyCtx: + title: public_key_ctx + description: Required Specific structure based on key provider implementation + $ref: '#/components/schemas/policy.PublicKeyCtx' + privateKeyCtx: + title: private_key_ctx + description: Optional Specific structure based on key provider implementation + $ref: '#/components/schemas/policy.PrivateKeyCtx' + providerConfig: + title: provider_config + description: Optional Configuration for the key provider + $ref: '#/components/schemas/policy.KeyProviderConfig' + metadata: + title: metadata + description: Common metadata fields + $ref: '#/components/schemas/common.Metadata' + title: AsymmetricKey + additionalProperties: false + policy.KasKey: + type: object + properties: + kasId: + type: string + title: kas_id + key: + title: key + $ref: '#/components/schemas/policy.AsymmetricKey' + kasUri: + type: string + title: kas_uri + title: KasKey + additionalProperties: false + policy.KasPublicKey: + type: object + properties: + pem: + type: string + title: pem + maxLength: 8192 + minLength: 1 + description: x509 ASN.1 content in PEM envelope, usually + kid: + type: string + title: kid + maxLength: 32 + minLength: 1 + description: A unique string identifier for this key + alg: + not: + enum: + - 0 + title: alg + description: |- + A known algorithm type with any additional parameters encoded. 
+ To start, these may be `rsa:2048` for encrypting ZTDF files and + `ec:secp256r1` for nanoTDF, but more formats may be added as needed. + $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' + title: KasPublicKey + additionalProperties: false + description: |- + Deprecated + A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeySet: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.KasPublicKey' + title: keys + title: KasPublicKeySet + additionalProperties: false + description: |- + Deprecated + A list of known KAS public keys + policy.Key: + type: object + properties: + id: + type: string + title: id + description: the database record ID, not the key ID (`kid`) + isActive: + title: is_active + $ref: '#/components/schemas/google.protobuf.BoolValue' + wasMapped: + title: was_mapped + $ref: '#/components/schemas/google.protobuf.BoolValue' + publicKey: + title: public_key + $ref: '#/components/schemas/policy.KasPublicKey' + kas: + title: kas + $ref: '#/components/schemas/policy.KeyAccessServer' + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Key + additionalProperties: false + policy.KeyAccessServer: + type: object + properties: + id: + type: string + title: id + uri: + type: string + title: uri + description: |+ + Address of a KAS instance + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. 
Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + + publicKey: + title: public_key + description: Deprecated + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: 'The source of the KAS: (INTERNAL, EXTERNAL)' + $ref: '#/components/schemas/policy.SourceType' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Kas keys associated with this KAS + name: + type: string + title: name + description: |- + Optional + Unique name of the KAS instance + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyAccessServer + additionalProperties: false + description: Key Access Server Registry + policy.KeyProviderConfig: + type: object + properties: + id: + type: string + title: id + name: + type: string + title: name + configJson: + type: string + title: config_json + format: byte + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyProviderConfig + additionalProperties: false + policy.PageRequest: + type: object + properties: + limit: + type: integer + title: limit + format: int32 + description: |- + Optional + Set to configured default limit if not provided + Maximum limit set in platform config and enforced by services + offset: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + title: PageRequest + additionalProperties: false + policy.PageResponse: + type: object + properties: + currentOffset: + type: integer + title: current_offset + format: int32 + description: Requested pagination offset + nextOffset: + type: integer + title: next_offset + format: int32 + 
description: |- + Calculated with request limit + offset or defaults + Empty when none remain after current page + total: + type: integer + title: total + format: int32 + description: Total count of entire list + title: PageResponse + additionalProperties: false + policy.PrivateKeyCtx: + type: object + properties: + keyId: + type: string + title: key_id + minLength: 1 + description: Required Key ID for the symmetric key wrapping this key. + wrappedKey: + type: string + title: wrapped_key + description: Optional Base64 encoded wrapped key. Conditionally required if key_mode is LOCAL. Should not be present if key_mode is REMOTE. + title: PrivateKeyCtx + additionalProperties: false + policy.PublicKey: + type: object + oneOf: + - properties: + cached: + title: cached + description: public key with additional information. Current preferred version + $ref: '#/components/schemas/policy.KasPublicKeySet' + title: cached + required: + - cached + - properties: + remote: + type: string + title: remote + description: |+ + kas public key url - optional since can also be retrieved via public key + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. 
Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + + title: remote + required: + - remote + title: PublicKey + additionalProperties: false + description: Deprecated + policy.PublicKeyCtx: + type: object + properties: + pem: + type: string + title: pem + minLength: 1 + description: Required Base64 encoded public key in PEM format + title: PublicKeyCtx + additionalProperties: false + policy.SimpleKasKey: + type: object + properties: + kasUri: + type: string + title: kas_uri + description: The URL of the Key Access Server + publicKey: + title: public_key + description: The public key of the Key that belongs to the KAS + $ref: '#/components/schemas/policy.SimpleKasPublicKey' + kasId: + type: string + title: kas_id + description: The ID of the Key Access Server + title: SimpleKasKey + additionalProperties: false + policy.SimpleKasPublicKey: + type: object + properties: + algorithm: + title: algorithm + $ref: '#/components/schemas/policy.Algorithm' + kid: + type: string + title: kid + pem: + type: string + title: pem + title: SimpleKasPublicKey + additionalProperties: false + policy.kasregistry.ActivatePublicKeyRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + title: ActivatePublicKeyRequest + additionalProperties: false + policy.kasregistry.ActivatePublicKeyResponse: + type: object + properties: + key: + title: key + $ref: '#/components/schemas/policy.Key' + title: ActivatePublicKeyResponse + additionalProperties: false + policy.kasregistry.ChangeMappings: + type: object + properties: + id: + type: string + title: id + fqn: + type: string + title: fqn + title: ChangeMappings + additionalProperties: false + description: |- + * + Simplified information about the resources that were rotated as part of the key rotation 
process. + policy.kasregistry.CreateKeyAccessServerRequest: + type: object + properties: + uri: + type: string + title: uri + description: |+ + Required + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.isUri() + ``` + + publicKey: + title: public_key + description: Deprecated + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: Optional + $ref: '#/components/schemas/policy.SourceType' + name: + type: string + title: name + maxLength: 253 + description: |+ + Optional + Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case.: + ``` + size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true + ``` + + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateKeyAccessServerRequest + additionalProperties: false + policy.kasregistry.CreateKeyAccessServerResponse: + type: object + properties: + keyAccessServer: + title: key_access_server + $ref: '#/components/schemas/policy.KeyAccessServer' + title: CreateKeyAccessServerResponse + additionalProperties: false + policy.kasregistry.CreateKeyRequest: + type: object + properties: + kasId: + type: string + title: kas_id + format: uuid + description: Required The unique identifier of the Key Access Server + keyId: + type: string + title: key_id + minLength: 1 + description: Required A user-defined identifier for the key + keyAlgorithm: + title: key_algorithm + description: |+ + Required The algorithm to be used for the key + The key_algorithm must be one of the defined values.: + ``` + this in [1, 2, 3, 4] + ``` + + $ref: '#/components/schemas/policy.Algorithm' + keyMode: + title: key_mode + 
description: |+ + Required The mode of the key (e.g., local or external) + The key_mode must be one of the defined values (1-4).: + ``` + this >= 1 && this <= 4 + ``` + + $ref: '#/components/schemas/policy.KeyMode' + publicKeyCtx: + title: public_key_ctx + description: Required Context or additional data specific to the public key, based on the key provider implementation + $ref: '#/components/schemas/policy.PublicKeyCtx' + privateKeyCtx: + title: private_key_ctx + description: Conditionally Required Context or additional data specific to the private key, based on the key provider implementation + $ref: '#/components/schemas/policy.PrivateKeyCtx' + providerConfigId: + type: string + title: provider_config_id + description: Optional Configuration ID for the key provider, if applicable + metadata: + title: metadata + description: Common metadata Mutable metadata for the key + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateKeyRequest + required: + - publicKeyCtx + additionalProperties: false + description: |+ + Create a new asymmetric key for the specified Key Access Server (KAS) + The wrapped_key is required if key_mode is KEY_MODE_CONFIG_ROOT_KEY or KEY_MODE_PROVIDER_ROOT_KEY. The wrapped_key must be empty if key_mode is KEY_MODE_REMOTE or KEY_MODE_PUBLIC_KEY_ONLY.: + ``` + ((this.key_mode == 1 || this.key_mode == 2) && this.private_key_ctx.wrapped_key != '') || ((this.key_mode == 3 || this.key_mode == 4) && this.private_key_ctx.wrapped_key == '') + ``` + + Provider config id is required if key_mode is KEY_MODE_PROVIDER_ROOT_KEY or KEY_MODE_REMOTE. 
It must be empty for KEY_MODE_CONFIG_ROOT_KEY and KEY_MODE_PUBLIC_KEY_ONLY.: + ``` + ((this.key_mode == 1 || this.key_mode == 4) && this.provider_config_id == '') || ((this.key_mode == 2 || this.key_mode == 3) && this.provider_config_id != '') + ``` + + private_key_ctx must not be set if key_mode is KEY_MODE_PUBLIC_KEY_ONLY.: + ``` + !(this.key_mode == 4 && has(this.private_key_ctx)) + ``` + + policy.kasregistry.CreateKeyResponse: + type: object + properties: + kasKey: + title: kas_key + description: The created asymmetric key for a KAS. + $ref: '#/components/schemas/policy.KasKey' + title: CreateKeyResponse + additionalProperties: false + description: Response to a CreateKeyRequest, containing the created asymmetric key + policy.kasregistry.CreatePublicKeyRequest: + type: object + properties: + kasId: + type: string + title: kas_id + format: uuid + description: Required + key: + title: key + description: Required + $ref: '#/components/schemas/policy.KasPublicKey' + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: CreatePublicKeyRequest + required: + - key + additionalProperties: false + policy.kasregistry.CreatePublicKeyResponse: + type: object + properties: + key: + title: key + $ref: '#/components/schemas/policy.Key' + title: CreatePublicKeyResponse + additionalProperties: false + policy.kasregistry.DeactivatePublicKeyRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + title: DeactivatePublicKeyRequest + additionalProperties: false + policy.kasregistry.DeactivatePublicKeyResponse: + type: object + properties: + key: + title: key + $ref: '#/components/schemas/policy.Key' + title: DeactivatePublicKeyResponse + additionalProperties: false + policy.kasregistry.DeleteKeyAccessServerRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeleteKeyAccessServerRequest + additionalProperties: false + 
policy.kasregistry.DeleteKeyAccessServerResponse: + type: object + properties: + keyAccessServer: + title: key_access_server + $ref: '#/components/schemas/policy.KeyAccessServer' + title: DeleteKeyAccessServerResponse + additionalProperties: false + policy.kasregistry.GetBaseKeyRequest: + type: object + title: GetBaseKeyRequest + additionalProperties: false + policy.kasregistry.GetBaseKeyResponse: + type: object + properties: + baseKey: + title: base_key + description: The current base key + $ref: '#/components/schemas/policy.SimpleKasKey' + title: GetBaseKeyResponse + additionalProperties: false + policy.kasregistry.GetKeyAccessServerRequest: + type: object + oneOf: + - properties: + kasId: + type: string + title: kas_id + format: uuid + description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' + title: kas_id + required: + - kasId + - properties: + name: + type: string + title: name + minLength: 1 + title: name + required: + - name + - properties: + uri: + type: string + title: uri + minLength: 1 + format: uri + title: uri + required: + - uri + properties: + id: + type: string + title: id + format: uuid + description: Deprecated + deprecated: true + title: GetKeyAccessServerRequest + additionalProperties: false + description: |+ + Either use deprecated 'id' field or one of 'kas_id' or 'uri', but not both: + ``` + !(has(this.id) && (has(this.kas_id) || has(this.uri) || has(this.name))) + ``` + + Either id or one of kas_id or uri must be set: + ``` + has(this.id) || has(this.kas_id) || has(this.uri) || has(this.name) + ``` + + policy.kasregistry.GetKeyAccessServerResponse: + type: object + properties: + keyAccessServer: + title: key_access_server + $ref: '#/components/schemas/policy.KeyAccessServer' + title: GetKeyAccessServerResponse + additionalProperties: false + policy.kasregistry.GetKeyRequest: + type: object + oneOf: + - properties: + id: + type: string + title: id + format: uuid + description: The 
unique identifier of the key to retrieve + title: id + required: + - id + - properties: + key: + title: key + $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' + title: key + required: + - key + title: GetKeyRequest + additionalProperties: false + description: Retrieve an existing asymmetric key from the Key Management System + policy.kasregistry.GetKeyResponse: + type: object + properties: + kasKey: + title: kas_key + description: The requested asymmetric key for a KAS. + $ref: '#/components/schemas/policy.KasKey' + title: GetKeyResponse + additionalProperties: false + description: Response to a GetKeyRequest, containing the requested asymmetric key + policy.kasregistry.GetPublicKeyRequest: + type: object + oneOf: + - properties: + id: + type: string + title: id + format: uuid + title: id + required: + - id + title: GetPublicKeyRequest + additionalProperties: false + policy.kasregistry.GetPublicKeyResponse: + type: object + properties: + key: + title: key + $ref: '#/components/schemas/policy.Key' + title: GetPublicKeyResponse + additionalProperties: false + policy.kasregistry.GrantedPolicyObject: + type: object + properties: + id: + type: string + title: id + fqn: + type: string + title: fqn + title: GrantedPolicyObject + additionalProperties: false + description: Can be namespace, attribute definition, or value + policy.kasregistry.KasKeyIdentifier: + type: object + oneOf: + - properties: + kasId: + type: string + title: kas_id + format: uuid + title: kas_id + required: + - kasId + - properties: + name: + type: string + title: name + minLength: 1 + title: name + required: + - name + - properties: + uri: + type: string + title: uri + minLength: 1 + format: uri + title: uri + required: + - uri + properties: + kid: + type: string + title: kid + minLength: 1 + description: Required Key ID of the key in question + title: KasKeyIdentifier + additionalProperties: false + description: Nested message for specifying the active key using KAS ID and Key ID + 
policy.kasregistry.KeyAccessServerGrants: + type: object + properties: + keyAccessServer: + title: key_access_server + $ref: '#/components/schemas/policy.KeyAccessServer' + namespaceGrants: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.GrantedPolicyObject' + title: namespace_grants + attributeGrants: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.GrantedPolicyObject' + title: attribute_grants + valueGrants: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.GrantedPolicyObject' + title: value_grants + title: KeyAccessServerGrants + additionalProperties: false + description: Deprecated + policy.kasregistry.ListKeyAccessServerGrantsRequest: + type: object + properties: + kasId: + type: string + title: kas_id + description: |+ + Optional + Filter LIST by ID of a registered Key Access Server. + If neither is provided, grants from all registered KASs to policy attribute + objects are returned. + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + kasUri: + type: string + title: kas_uri + description: |+ + Optional + Filter LIST by URI of a registered Key Access Server. + If none is provided, grants from all registered KASs to policy attribute + objects are returned. + Optional URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + size(this) == 0 || this.isUri() + ``` + + kasName: + type: string + title: kas_name + maxLength: 253 + description: |+ + Optional + Filter LIST by name of a registered Key Access Server. + If none are provided, grants from all registered KASs to policy attribute + objects are returned. 
+ Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. The stored KAS name will be normalized to lower case.: + ``` + size(this) == 0 || this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListKeyAccessServerGrantsRequest + additionalProperties: false + description: |- + LIST of KAS Grants returns flat response of grants to all policy objects. It + does not employ selectors for grants to specific policy objects or build the + attribute tree relation. If grants to a known namespace, attribute, or value + are needed, use the respective GET request to the specific policy object. + policy.kasregistry.ListKeyAccessServerGrantsResponse: + type: object + properties: + grants: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.KeyAccessServerGrants' + title: grants + deprecated: true + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListKeyAccessServerGrantsResponse + additionalProperties: false + description: Deprecated + policy.kasregistry.ListKeyAccessServersRequest: + type: object + properties: + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListKeyAccessServersRequest + additionalProperties: false + policy.kasregistry.ListKeyAccessServersResponse: + type: object + properties: + keyAccessServers: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: key_access_servers + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListKeyAccessServersResponse + additionalProperties: false + policy.kasregistry.ListKeysRequest: + type: object + oneOf: + - properties: + kasId: + type: string + title: kas_id + format: uuid + description: Filter keys by the KAS ID + title: kas_id 
+ required: + - kasId + - properties: + kasName: + type: string + title: kas_name + minLength: 1 + description: Filter keys by the KAS name + title: kas_name + required: + - kasName + - properties: + kasUri: + type: string + title: kas_uri + minLength: 1 + format: uri + description: Filter keys by the KAS URI + title: kas_uri + required: + - kasUri + properties: + keyAlgorithm: + title: key_algorithm + description: |+ + Filter keys by algorithm + The key_algorithm must be one of the defined values.: + ``` + this in [0, 1, 2, 3, 4] + ``` + + $ref: '#/components/schemas/policy.Algorithm' + pagination: + title: pagination + description: Optional Pagination request for the list of keys + $ref: '#/components/schemas/policy.PageRequest' + title: ListKeysRequest + additionalProperties: false + description: List all asymmetric keys managed by a specific Key Access Server or with a given algorithm + policy.kasregistry.ListKeysResponse: + type: object + properties: + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.KasKey' + title: kas_keys + description: The list of kas keys + pagination: + title: pagination + description: Pagination response for the list of keys + $ref: '#/components/schemas/policy.PageResponse' + title: ListKeysResponse + additionalProperties: false + description: Response to a ListKeysRequest, containing the list of asymmetric keys and pagination information + policy.kasregistry.ListPublicKeyMappingRequest: + type: object + oneOf: + - properties: + kasId: + type: string + title: kas_id + format: uuid + description: Optional + title: kas_id + required: + - kasId + - properties: + kasName: + type: string + title: kas_name + minLength: 1 + description: Optional + title: kas_name + required: + - kasName + - properties: + kasUri: + type: string + title: kas_uri + minLength: 1 + format: uri + description: Optional + title: kas_uri + required: + - kasUri + properties: + publicKeyId: + type: string + title: public_key_id + format: uuid + 
description: Optional Public Key ID + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListPublicKeyMappingRequest + additionalProperties: false + policy.kasregistry.ListPublicKeyMappingResponse: + type: object + properties: + publicKeyMappings: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping' + title: public_key_mappings + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListPublicKeyMappingResponse + additionalProperties: false + policy.kasregistry.ListPublicKeyMappingResponse.Association: + type: object + properties: + id: + type: string + title: id + fqn: + type: string + title: fqn + title: Association + additionalProperties: false + policy.kasregistry.ListPublicKeyMappingResponse.PublicKey: + type: object + properties: + key: + title: key + $ref: '#/components/schemas/policy.Key' + values: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.ListPublicKeyMappingResponse.Association' + title: values + definitions: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.ListPublicKeyMappingResponse.Association' + title: definitions + namespaces: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.ListPublicKeyMappingResponse.Association' + title: namespaces + title: PublicKey + additionalProperties: false + policy.kasregistry.ListPublicKeyMappingResponse.PublicKeyMapping: + type: object + properties: + kasId: + type: string + title: kas_id + kasName: + type: string + title: kas_name + kasUri: + type: string + title: kas_uri + publicKeys: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.ListPublicKeyMappingResponse.PublicKey' + title: public_keys + title: PublicKeyMapping + additionalProperties: false + policy.kasregistry.ListPublicKeysRequest: + type: object + oneOf: + - properties: + kasId: + type: string + 
title: kas_id + format: uuid + description: Optional + title: kas_id + required: + - kasId + - properties: + kasName: + type: string + title: kas_name + minLength: 1 + description: Optional + title: kas_name + required: + - kasName + - properties: + kasUri: + type: string + title: kas_uri + minLength: 1 + format: uri + description: Optional + title: kas_uri + required: + - kasUri + properties: + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListPublicKeysRequest + additionalProperties: false + policy.kasregistry.ListPublicKeysResponse: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.Key' + title: keys + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListPublicKeysResponse + additionalProperties: false + policy.kasregistry.RotateKeyRequest: + type: object + oneOf: + - properties: + id: + type: string + title: id + format: uuid + description: Current Active Key UUID + title: id + required: + - id + - properties: + key: + title: key + description: Alternative way to specify the active key using KAS ID and Key ID + $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' + title: key + required: + - key + properties: + newKey: + title: new_key + description: Information about the new key to be rotated in + $ref: '#/components/schemas/policy.kasregistry.RotateKeyRequest.NewKey' + title: RotateKeyRequest + additionalProperties: false + description: |+ + For the new key, the wrapped_key is required if key_mode is KEY_MODE_CONFIG_ROOT_KEY or KEY_MODE_PROVIDER_ROOT_KEY. 
The wrapped_key must be empty if key_mode is KEY_MODE_REMOTE or KEY_MODE_PUBLIC_KEY_ONLY.: + ``` + ((this.new_key.key_mode == 1 || this.new_key.key_mode == 2) && this.new_key.private_key_ctx.wrapped_key != '') || ((this.new_key.key_mode == 3 || this.new_key.key_mode == 4) && this.new_key.private_key_ctx.wrapped_key == '') + ``` + + For the new key, provider config id is required if key_mode is KEY_MODE_PROVIDER_ROOT_KEY or KEY_MODE_REMOTE. It must be empty for KEY_MODE_CONFIG_ROOT_KEY and KEY_MODE_PUBLIC_KEY_ONLY.: + ``` + ((this.new_key.key_mode == 1 || this.new_key.key_mode == 4) && this.new_key.provider_config_id == '') || ((this.new_key.key_mode == 2 || this.new_key.key_mode == 3) && this.new_key.provider_config_id != '') + ``` + + private_key_ctx must not be set if key_mode is KEY_MODE_PUBLIC_KEY_ONLY.: + ``` + !(this.new_key.key_mode == 4 && has(this.new_key.private_key_ctx)) + ``` + + policy.kasregistry.RotateKeyRequest.NewKey: + type: object + properties: + keyId: + type: string + title: key_id + minLength: 1 + description: Required + algorithm: + title: algorithm + description: |+ + Required + The key_algorithm must be one of the defined values.: + ``` + this in [1, 2, 3, 4] + ``` + + $ref: '#/components/schemas/policy.Algorithm' + keyMode: + title: key_mode + description: |+ + Required + The new key_mode must be one of the defined values (1-4).: + ``` + this in [1, 2, 3, 4] + ``` + + $ref: '#/components/schemas/policy.KeyMode' + publicKeyCtx: + title: public_key_ctx + description: Required + $ref: '#/components/schemas/policy.PublicKeyCtx' + privateKeyCtx: + title: private_key_ctx + description: Required + $ref: '#/components/schemas/policy.PrivateKeyCtx' + providerConfigId: + type: string + title: provider_config_id + description: Conditionally Required. 
Validation handled by message-level CEL + metadata: + title: metadata + description: Common metadata fields + $ref: '#/components/schemas/common.MetadataMutable' + title: NewKey + required: + - publicKeyCtx + additionalProperties: false + description: Nested message for specifying the new key details + policy.kasregistry.RotateKeyResponse: + type: object + properties: + kasKey: + title: kas_key + description: The newly rotated Kas Key + $ref: '#/components/schemas/policy.KasKey' + rotatedResources: + title: rotated_resources + description: All resources that were rotated as part of the key rotation process + $ref: '#/components/schemas/policy.kasregistry.RotatedResources' + title: RotateKeyResponse + additionalProperties: false + description: Response message for the RotateKey request + policy.kasregistry.RotatedResources: + type: object + properties: + rotatedOutKey: + title: rotated_out_key + description: The old key that was rotated out + $ref: '#/components/schemas/policy.KasKey' + attributeDefinitionMappings: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.ChangeMappings' + title: attribute_definition_mappings + attributeValueMappings: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.ChangeMappings' + title: attribute_value_mappings + namespaceMappings: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.ChangeMappings' + title: namespace_mappings + title: RotatedResources + additionalProperties: false + description: All resources that were rotated as part of the key rotation process + policy.kasregistry.SetBaseKeyRequest: + type: object + oneOf: + - properties: + id: + type: string + title: id + format: uuid + description: Current Key UUID tp be set as default + title: id + required: + - id + - properties: + key: + title: key + description: Alternative way to specify the key using KAS ID and Key ID + $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' + title: key + required: + - 
key + title: SetBaseKeyRequest + additionalProperties: false + description: |- + Sets the specified key as the base key for the Key Access Server + Note: The key must be active. + policy.kasregistry.SetBaseKeyResponse: + type: object + properties: + newBaseKey: + title: new_base_key + description: The key that was set as base + $ref: '#/components/schemas/policy.SimpleKasKey' + previousBaseKey: + title: previous_base_key + description: The previous base key, if any + $ref: '#/components/schemas/policy.SimpleKasKey' + title: SetBaseKeyResponse + additionalProperties: false + policy.kasregistry.UpdateKeyAccessServerRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + uri: + type: string + title: uri + description: |+ + Optional + Optional URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + size(this) == 0 || this.isUri() + ``` + + publicKey: + title: public_key + description: |- + Deprecated + Optional + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: |- + Optional + Using UNSPECIFIED will result in a successful update, + but will not actually update the underlying source. + You should not update KAS's from INTERNAL/EXTERNAL + to unspecified. + $ref: '#/components/schemas/policy.SourceType' + name: + type: string + title: name + maxLength: 253 + description: |+ + Optional + Registered KAS name must be an alphanumeric string, allowing hyphens, and underscores but not as the first or last character. 
The stored KAS name will be normalized to lower case.: + ``` + size(this) == 0 || this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateKeyAccessServerRequest + additionalProperties: false + policy.kasregistry.UpdateKeyAccessServerResponse: + type: object + properties: + keyAccessServer: + title: key_access_server + $ref: '#/components/schemas/policy.KeyAccessServer' + title: UpdateKeyAccessServerResponse + additionalProperties: false + policy.kasregistry.UpdateKeyRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required The unique identifier of the key to update + metadata: + title: metadata + description: |- + Optional + Common metadata Mutable metadata for the key + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + description: The behavior for updating the metadata + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateKeyRequest + additionalProperties: false + description: |+ + Update an existing asymmetric key in the Key Management System + Metadata update behavior must be either APPEND or REPLACE, when updating metadata.: + ``` + ((!has(this.metadata)) || (has(this.metadata) && this.metadata_update_behavior != 0)) + ``` + + policy.kasregistry.UpdateKeyResponse: + type: object + properties: + kasKey: + title: kas_key + description: The updated kas key + $ref: '#/components/schemas/policy.KasKey' + title: UpdateKeyResponse + additionalProperties: false + description: Response to an UpdateKeyRequest, containing the updated asymmetric key + policy.kasregistry.UpdatePublicKeyRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + 
description: Required + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdatePublicKeyRequest + additionalProperties: false + policy.kasregistry.UpdatePublicKeyResponse: + type: object + properties: + key: + title: key + $ref: '#/components/schemas/policy.Key' + title: UpdatePublicKeyResponse + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. 
+ detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. +security: [] +tags: + - name: policy.kasregistry.KeyAccessServerRegistryService diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json new file mode 100644 index 0000000000..118f1ea91f --- /dev/null +++ b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json 
@@ -0,0 +1,730 @@ +{ + "swagger": "2.0", + "info": { + "title": "policy/kasregistry/key_access_server_registry.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "KeyAccessServerRegistryService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": { + "/key-access-servers": { + "get": { + "operationId": "KeyAccessServerRegistryService_ListKeyAccessServers", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/kasregistryListKeyAccessServersResponse" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/rpcStatus" + } + } + }, + "parameters": [ + { + "name": "pagination.limit", + "description": "Optional\nSet to configured default limit if not provided\nMaximum limit set in platform config and enforced by services", + "in": "query", + "required": false, + "type": "integer", + "format": "int32" + }, + { + "name": "pagination.offset", + "description": "Optional\nDefaulted if not provided", + "in": "query", + "required": false, + "type": "integer", + "format": "int32" + } + ], + "tags": [ + "KeyAccessServerRegistryService" + ] + } + } + }, + "definitions": { + "RotateKeyRequestNewKey": { + "type": "object", + "properties": { + "keyId": { + "type": "string", + "title": "Required" + }, + "algorithm": { + "$ref": "#/definitions/policyAlgorithm", + "title": "Required" + }, + "keyMode": { + "$ref": "#/definitions/policyKeyMode", + "title": "Required" + }, + "publicKeyCtx": { + "$ref": "#/definitions/policyPublicKeyCtx", + "title": "Required" + }, + "privateKeyCtx": { + "$ref": "#/definitions/policyPrivateKeyCtx", + "title": "Required" + }, + "providerConfigId": { + "type": "string", + "description": "Conditionally Required.\n\nValidation handled by message-level CEL" + }, + "metadata": { + "$ref": "#/definitions/commonMetadataMutable", + "title": "Common metadata fields" + } + }, + "title": 
"Nested message for specifying the new key details" + }, + "commonMetadata": { + "type": "object", + "properties": { + "createdAt": { + "type": "string", + "format": "date-time", + "title": "created_at set by server (entity who created will recorded in an audit event)" + }, + "updatedAt": { + "type": "string", + "format": "date-time", + "title": "updated_at set by server (entity who updated will recorded in an audit event)" + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional short description" + } + }, + "title": "Struct to uniquely identify a resource with optional additional metadata" + }, + "commonMetadataMutable": { + "type": "object", + "properties": { + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional labels" + } + } + }, + "commonMetadataUpdateEnum": { + "type": "string", + "enum": [ + "METADATA_UPDATE_ENUM_UNSPECIFIED", + "METADATA_UPDATE_ENUM_EXTEND", + "METADATA_UPDATE_ENUM_REPLACE" + ], + "default": "METADATA_UPDATE_ENUM_UNSPECIFIED", + "title": "- METADATA_UPDATE_ENUM_UNSPECIFIED: unspecified update type\n - METADATA_UPDATE_ENUM_EXTEND: only update the fields that are provided\n - METADATA_UPDATE_ENUM_REPLACE: replace the entire metadata with the provided metadata" + }, + "kasregistryChangeMappings": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "fqn": { + "type": "string" + } + }, + "description": "*\nSimplified information about the resources that were rotated as part of the key rotation process." + }, + "kasregistryCreateKeyAccessServerResponse": { + "type": "object", + "properties": { + "keyAccessServer": { + "$ref": "#/definitions/policyKeyAccessServer" + } + } + }, + "kasregistryCreateKeyResponse": { + "type": "object", + "properties": { + "kasKey": { + "$ref": "#/definitions/policyKasKey", + "description": "The created asymmetric key for a KAS." 
+ } + }, + "title": "Response to a CreateKeyRequest, containing the created asymmetric key" + }, + "kasregistryDeleteKeyAccessServerResponse": { + "type": "object", + "properties": { + "keyAccessServer": { + "$ref": "#/definitions/policyKeyAccessServer" + } + } + }, + "kasregistryGetBaseKeyResponse": { + "type": "object", + "properties": { + "baseKey": { + "$ref": "#/definitions/policySimpleKasKey", + "title": "The current base key" + } + } + }, + "kasregistryGetKeyAccessServerResponse": { + "type": "object", + "properties": { + "keyAccessServer": { + "$ref": "#/definitions/policyKeyAccessServer" + } + } + }, + "kasregistryGetKeyResponse": { + "type": "object", + "properties": { + "kasKey": { + "$ref": "#/definitions/policyKasKey", + "description": "The requested asymmetric key for a KAS." + } + }, + "title": "Response to a GetKeyRequest, containing the requested asymmetric key" + }, + "kasregistryGrantedPolicyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "fqn": { + "type": "string" + } + }, + "title": "Can be namespace, attribute definition, or value" + }, + "kasregistryKasKeyIdentifier": { + "type": "object", + "properties": { + "kasId": { + "type": "string" + }, + "name": { + "type": "string" + }, + "uri": { + "type": "string" + }, + "kid": { + "type": "string", + "title": "Required Key ID of the key in question" + } + }, + "title": "Nested message for specifying the active key using KAS ID and Key ID" + }, + "kasregistryKeyAccessServerGrants": { + "type": "object", + "properties": { + "keyAccessServer": { + "$ref": "#/definitions/policyKeyAccessServer" + }, + "namespaceGrants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasregistryGrantedPolicyObject" + } + }, + "attributeGrants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasregistryGrantedPolicyObject" + } + }, + "valueGrants": { + "type": "array", + "items": { + "type": "object", + "$ref": 
"#/definitions/kasregistryGrantedPolicyObject" + } + } + }, + "title": "Deprecated" + }, + "kasregistryListKeyAccessServerGrantsResponse": { + "type": "object", + "properties": { + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasregistryKeyAccessServerGrants" + } + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse" + } + }, + "title": "Deprecated" + }, + "kasregistryListKeyAccessServersResponse": { + "type": "object", + "properties": { + "keyAccessServers": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + } + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse" + } + } + }, + "kasregistryListKeysResponse": { + "type": "object", + "properties": { + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKasKey" + }, + "title": "The list of kas keys" + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse", + "title": "Pagination response for the list of keys" + } + }, + "title": "Response to a ListKeysRequest, containing the list of asymmetric keys and pagination information" + }, + "kasregistryRotateKeyResponse": { + "type": "object", + "properties": { + "kasKey": { + "$ref": "#/definitions/policyKasKey", + "title": "The newly rotated Kas Key" + }, + "rotatedResources": { + "$ref": "#/definitions/kasregistryRotatedResources", + "title": "All resources that were rotated as part of the key rotation process" + } + }, + "title": "Response message for the RotateKey request" + }, + "kasregistryRotatedResources": { + "type": "object", + "properties": { + "rotatedOutKey": { + "$ref": "#/definitions/policyKasKey", + "title": "The old key that was rotated out" + }, + "attributeDefinitionMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasregistryChangeMappings" + } + }, + "attributeValueMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": 
"#/definitions/kasregistryChangeMappings" + } + }, + "namespaceMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasregistryChangeMappings" + } + } + }, + "title": "All resources that were rotated as part of the key rotation process" + }, + "kasregistrySetBaseKeyResponse": { + "type": "object", + "properties": { + "newBaseKey": { + "$ref": "#/definitions/policySimpleKasKey", + "title": "The key that was set as base" + }, + "previousBaseKey": { + "$ref": "#/definitions/policySimpleKasKey", + "title": "The previous base key, if any" + } + } + }, + "kasregistryUpdateKeyAccessServerResponse": { + "type": "object", + "properties": { + "keyAccessServer": { + "$ref": "#/definitions/policyKeyAccessServer" + } + } + }, + "kasregistryUpdateKeyResponse": { + "type": "object", + "properties": { + "kasKey": { + "$ref": "#/definitions/policyKasKey", + "title": "The updated kas key" + } + }, + "title": "Response to an UpdateKeyRequest, containing the updated asymmetric key" + }, + "policyAlgorithm": { + "type": "string", + "enum": [ + "ALGORITHM_UNSPECIFIED", + "ALGORITHM_RSA_2048", + "ALGORITHM_RSA_4096", + "ALGORITHM_EC_P256", + "ALGORITHM_EC_P384", + "ALGORITHM_EC_P521" + ], + "default": "ALGORITHM_UNSPECIFIED", + "description": "Supported key algorithms." 
+ }, + "policyAsymmetricKey": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "Required" + }, + "keyId": { + "type": "string", + "title": "Required" + }, + "keyAlgorithm": { + "$ref": "#/definitions/policyAlgorithm", + "title": "Required" + }, + "keyStatus": { + "$ref": "#/definitions/policyKeyStatus", + "title": "Required" + }, + "keyMode": { + "$ref": "#/definitions/policyKeyMode", + "description": "Specifies how the key is managed (local or remote)", + "title": "Required" + }, + "publicKeyCtx": { + "$ref": "#/definitions/policyPublicKeyCtx", + "description": "Specific structure based on key provider implementation", + "title": "Required" + }, + "privateKeyCtx": { + "$ref": "#/definitions/policyPrivateKeyCtx", + "description": "Specific structure based on key provider implementation", + "title": "Optional" + }, + "providerConfig": { + "$ref": "#/definitions/policyKeyProviderConfig", + "description": "Configuration for the key provider", + "title": "Optional" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata fields" + } + } + }, + "policyKasKey": { + "type": "object", + "properties": { + "kasId": { + "type": "string" + }, + "key": { + "$ref": "#/definitions/policyAsymmetricKey" + }, + "kasUri": { + "type": "string" + } + } + }, + "policyKasPublicKey": { + "type": "object", + "properties": { + "pem": { + "type": "string", + "title": "x509 ASN.1 content in PEM envelope, usually" + }, + "kid": { + "type": "string", + "title": "A unique string identifier for this key" + }, + "alg": { + "$ref": "#/definitions/policyKasPublicKeyAlgEnum", + "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and\n`ec:secp256r1` for nanoTDF, but more formats may be added as needed." 
+ } + }, + "title": "Deprecated\nA KAS public key and some associated metadata for further identifcation" + }, + "policyKasPublicKeyAlgEnum": { + "type": "string", + "enum": [ + "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1" + ], + "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED" + }, + "policyKasPublicKeySet": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKasPublicKey" + } + } + }, + "title": "Deprecated\nA list of known KAS public keys" + }, + "policyKeyAccessServer": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "uri": { + "type": "string", + "title": "Address of a KAS instance" + }, + "publicKey": { + "$ref": "#/definitions/policyPublicKey", + "title": "Deprecated" + }, + "sourceType": { + "$ref": "#/definitions/policySourceType", + "title": "The source of the KAS: (INTERNAL, EXTERNAL)" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Kas keys associated with this KAS" + }, + "name": { + "type": "string", + "title": "Optional\nUnique name of the KAS instance" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "title": "Key Access Server Registry" + }, + "policyKeyMode": { + "type": "string", + "enum": [ + "KEY_MODE_UNSPECIFIED", + "KEY_MODE_CONFIG_ROOT_KEY", + "KEY_MODE_PROVIDER_ROOT_KEY", + "KEY_MODE_REMOTE", + "KEY_MODE_PUBLIC_KEY_ONLY" + ], + "default": "KEY_MODE_UNSPECIFIED", + "description": "Describes the management and operational mode of a cryptographic key.\n\n - KEY_MODE_UNSPECIFIED: KEY_MODE_UNSPECIFIED: Default, unspecified key mode. 
Indicates an uninitialized or error state.\n - KEY_MODE_CONFIG_ROOT_KEY: KEY_MODE_CONFIG_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nsourced from local configuration. Unwrapping and all cryptographic operations are performed locally.\n - KEY_MODE_PROVIDER_ROOT_KEY: KEY_MODE_PROVIDER_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)\nmanaged by an external provider (e.g., a Hardware Security Module or Cloud KMS).\nKey unwrapping is delegated to the external provider; subsequent cryptographic operations\nare performed locally using the unwrapped key.\n - KEY_MODE_REMOTE: KEY_MODE_REMOTE: Remote key management where the private key is stored in, and all cryptographic\noperations are performed by, a remote Key Management Service (KMS) or HSM.\nThe private key material never leaves the secure boundary of the remote system.\n - KEY_MODE_PUBLIC_KEY_ONLY: KEY_MODE_PUBLIC_KEY_ONLY: Public key only mode. Used when only a public key is available or required,\ntypically for wrapping operations (e.g., encrypting a Data Encryption Key (DEK) for an external KAS).\nThe corresponding private key is not managed or accessible by this system." 
+ }, + "policyKeyProviderConfig": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "configJson": { + "type": "string", + "format": "byte" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyKeyStatus": { + "type": "string", + "enum": [ + "KEY_STATUS_UNSPECIFIED", + "KEY_STATUS_ACTIVE", + "KEY_STATUS_ROTATED" + ], + "default": "KEY_STATUS_UNSPECIFIED", + "title": "The status of the key" + }, + "policyPageRequest": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "Optional\nSet to configured default limit if not provided\nMaximum limit set in platform config and enforced by services" + }, + "offset": { + "type": "integer", + "format": "int32", + "title": "Optional\nDefaulted if not provided" + } + } + }, + "policyPageResponse": { + "type": "object", + "properties": { + "currentOffset": { + "type": "integer", + "format": "int32", + "title": "Requested pagination offset" + }, + "nextOffset": { + "type": "integer", + "format": "int32", + "title": "Calculated with request limit + offset or defaults\nEmpty when none remain after current page" + }, + "total": { + "type": "integer", + "format": "int32", + "title": "Total count of entire list" + } + } + }, + "policyPrivateKeyCtx": { + "type": "object", + "properties": { + "keyId": { + "type": "string", + "description": "Key ID for the symmetric key wrapping this key.", + "title": "Required" + }, + "wrappedKey": { + "type": "string", + "description": "Base64 encoded wrapped key. Conditionally required if key_mode is LOCAL. 
Should not be present if key_mode is REMOTE.", + "title": "Optional" + } + } + }, + "policyPublicKey": { + "type": "object", + "properties": { + "remote": { + "type": "string", + "title": "kas public key url - optional since can also be retrieved via public key" + }, + "cached": { + "$ref": "#/definitions/policyKasPublicKeySet", + "title": "public key with additional information. Current preferred version" + } + }, + "title": "Deprecated" + }, + "policyPublicKeyCtx": { + "type": "object", + "properties": { + "pem": { + "type": "string", + "description": "Base64 encoded public key in PEM format", + "title": "Required" + } + } + }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, + "policySourceType": { + "type": "string", + "enum": [ + "SOURCE_TYPE_UNSPECIFIED", + "SOURCE_TYPE_INTERNAL", + "SOURCE_TYPE_EXTERNAL" + ], + "default": "SOURCE_TYPE_UNSPECIFIED", + "description": "Describes whether this kas is managed by the organization or if they imported\nthe kas information from an external party. These two modes are necessary in order\nto encrypt a tdf dek with an external parties kas public key.\n\n - SOURCE_TYPE_INTERNAL: The kas is managed by the organization.\n - SOURCE_TYPE_EXTERNAL: The kas is managed by an external party." + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. 
This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." 
+ } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. 
Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/policy/keymanagement/key_management.openapi.yaml b/docs/openapi/policy/keymanagement/key_management.openapi.yaml new file mode 100644 index 0000000000..4d28d36dc0 --- /dev/null +++ b/docs/openapi/policy/keymanagement/key_management.openapi.yaml 
@@ -0,0 +1,600 @@ +openapi: 3.1.0 +info: + title: policy.keymanagement +paths: + /policy.keymanagement.KeyManagementService/CreateProviderConfig: + post: + tags: + - policy.keymanagement.KeyManagementService + summary: CreateProviderConfig + description: |- + Key Management + Provider Management + operationId: policy.keymanagement.KeyManagementService.CreateProviderConfig + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.keymanagement.CreateProviderConfigRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.keymanagement.CreateProviderConfigResponse' + /policy.keymanagement.KeyManagementService/GetProviderConfig: + post: + tags: + - policy.keymanagement.KeyManagementService + summary: GetProviderConfig + operationId: policy.keymanagement.KeyManagementService.GetProviderConfig + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.keymanagement.GetProviderConfigRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.keymanagement.GetProviderConfigResponse' + 
/policy.keymanagement.KeyManagementService/ListProviderConfigs: + post: + tags: + - policy.keymanagement.KeyManagementService + summary: ListProviderConfigs + operationId: policy.keymanagement.KeyManagementService.ListProviderConfigs + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.keymanagement.ListProviderConfigsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.keymanagement.ListProviderConfigsResponse' + /policy.keymanagement.KeyManagementService/UpdateProviderConfig: + post: + tags: + - policy.keymanagement.KeyManagementService + summary: UpdateProviderConfig + operationId: policy.keymanagement.KeyManagementService.UpdateProviderConfig + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.keymanagement.UpdateProviderConfigRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.keymanagement.UpdateProviderConfigResponse' + /policy.keymanagement.KeyManagementService/DeleteProviderConfig: + post: + tags: + - policy.keymanagement.KeyManagementService + summary: 
DeleteProviderConfig + operationId: policy.keymanagement.KeyManagementService.DeleteProviderConfig + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.keymanagement.DeleteProviderConfigRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.keymanagement.DeleteProviderConfigResponse' +components: + schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + common.MetadataMutable: + type: object + properties: + labels: + type: object + title: labels + additionalProperties: + type: 
string + title: value + description: optional labels + title: MetadataMutable + additionalProperties: false + common.MetadataMutable.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.Timestamp: + type: string + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. 
+ Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. + + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. 
In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. + policy.KeyProviderConfig: + type: object + properties: + id: + type: string + title: id + name: + type: string + title: name + configJson: + type: string + title: config_json + format: byte + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyProviderConfig + additionalProperties: false + policy.PageRequest: + type: object + properties: + limit: + type: integer + title: limit + format: int32 + description: |- + Optional + Set to configured default limit if not provided + Maximum limit set in platform config and enforced by services + offset: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + title: PageRequest + additionalProperties: false + policy.PageResponse: + type: object + properties: + currentOffset: + type: integer + title: current_offset + format: int32 + description: Requested pagination offset + nextOffset: + type: integer + title: next_offset + format: int32 + description: |- + Calculated with request limit + offset or defaults + Empty when none remain after current page + total: + type: integer + title: total + format: int32 + description: Total count of entire list + title: PageResponse + additionalProperties: false + policy.keymanagement.CreateProviderConfigRequest: + type: object + properties: + name: + type: string + title: name + description: |- + Required + The name of the key provider. (e.g. 
"AWS KMS", "Google Cloud KMS", "Azure Key Vault") + configJson: + type: string + title: config_json + format: byte + description: |- + Required + JSON configuration for the key provider. This is unique to individual key providers. + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateProviderConfigRequest + required: + - name + - configJson + additionalProperties: false + description: Provider Configuration Requests and Response Messages + policy.keymanagement.CreateProviderConfigResponse: + type: object + properties: + providerConfig: + title: provider_config + $ref: '#/components/schemas/policy.KeyProviderConfig' + title: CreateProviderConfigResponse + additionalProperties: false + policy.keymanagement.DeleteProviderConfigRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeleteProviderConfigRequest + additionalProperties: false + description: In order to delete a provider configuration you must first delete all keys associated with the provider. 
+ policy.keymanagement.DeleteProviderConfigResponse: + type: object + properties: + providerConfig: + title: provider_config + $ref: '#/components/schemas/policy.KeyProviderConfig' + title: DeleteProviderConfigResponse + additionalProperties: false + policy.keymanagement.GetProviderConfigRequest: + type: object + oneOf: + - properties: + id: + type: string + title: id + format: uuid + title: id + required: + - id + - properties: + name: + type: string + title: name + minLength: 1 + title: name + required: + - name + title: GetProviderConfigRequest + additionalProperties: false + policy.keymanagement.GetProviderConfigResponse: + type: object + properties: + providerConfig: + title: provider_config + $ref: '#/components/schemas/policy.KeyProviderConfig' + title: GetProviderConfigResponse + additionalProperties: false + policy.keymanagement.ListProviderConfigsRequest: + type: object + properties: + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListProviderConfigsRequest + additionalProperties: false + policy.keymanagement.ListProviderConfigsResponse: + type: object + properties: + providerConfigs: + type: array + items: + $ref: '#/components/schemas/policy.KeyProviderConfig' + title: provider_configs + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListProviderConfigsResponse + additionalProperties: false + policy.keymanagement.UpdateProviderConfigRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + name: + type: string + title: name + description: Optional + configJson: + type: string + title: config_json + format: byte + description: Optional + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: 
UpdateProviderConfigRequest + additionalProperties: false + policy.keymanagement.UpdateProviderConfigResponse: + type: object + properties: + providerConfig: + title: provider_config + $ref: '#/components/schemas/policy.KeyProviderConfig' + title: UpdateProviderConfigResponse + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. +security: [] +tags: + - name: policy.keymanagement.KeyManagementService 
diff --git a/docs/openapi/policy/keymanagement/key_management.swagger.json b/docs/openapi/policy/keymanagement/key_management.swagger.json new file mode 100644 index 0000000000..ef0a76d390 --- /dev/null +++ b/docs/openapi/policy/keymanagement/key_management.swagger.json 
@@ -0,0 +1,197 @@ +{ + "swagger": "2.0", + "info": { + "title": "policy/keymanagement/key_management.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "KeyManagementService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "commonMetadata": { + "type": "object", + "properties": { + "createdAt": { + "type": "string", + "format": "date-time", + "title": "created_at set by server (entity who created will recorded in an audit event)" + }, + "updatedAt": { + "type": "string", + "format": "date-time", + "title": "updated_at set by server (entity who updated will recorded in an audit event)" + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional short description" + } + }, + "title": "Struct to uniquely identify a resource with optional additional metadata" + }, + "commonMetadataMutable": { + "type": "object", + "properties": { + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional labels" + } + } + }, + "commonMetadataUpdateEnum": { + "type": "string", + "enum": [ + "METADATA_UPDATE_ENUM_UNSPECIFIED", + "METADATA_UPDATE_ENUM_EXTEND", + "METADATA_UPDATE_ENUM_REPLACE" + ], + "default": "METADATA_UPDATE_ENUM_UNSPECIFIED", + "title": "- METADATA_UPDATE_ENUM_UNSPECIFIED: unspecified update type\n - METADATA_UPDATE_ENUM_EXTEND: only update the fields that are provided\n - METADATA_UPDATE_ENUM_REPLACE: replace the entire metadata with the provided metadata" + }, + "keymanagementCreateProviderConfigResponse": { + "type": "object", + "properties": { + "providerConfig": { + "$ref": "#/definitions/policyKeyProviderConfig" + } + } + }, + "keymanagementDeleteProviderConfigResponse": { + "type": "object", + "properties": { + "providerConfig": { + "$ref": "#/definitions/policyKeyProviderConfig" + } + } + }, + "keymanagementGetProviderConfigResponse": { + "type": "object", + 
"properties": { + "providerConfig": { + "$ref": "#/definitions/policyKeyProviderConfig" + } + } + }, + "keymanagementListProviderConfigsResponse": { + "type": "object", + "properties": { + "providerConfigs": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyProviderConfig" + } + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse" + } + } + }, + "keymanagementUpdateProviderConfigResponse": { + "type": "object", + "properties": { + "providerConfig": { + "$ref": "#/definitions/policyKeyProviderConfig" + } + } + }, + "policyKeyProviderConfig": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "configJson": { + "type": "string", + "format": "byte" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyPageRequest": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "Optional\nSet to configured default limit if not provided\nMaximum limit set in platform config and enforced by services" + }, + "offset": { + "type": "integer", + "format": "int32", + "title": "Optional\nDefaulted if not provided" + } + } + }, + "policyPageResponse": { + "type": "object", + "properties": { + "currentOffset": { + "type": "integer", + "format": "int32", + "title": "Requested pagination offset" + }, + "nextOffset": { + "type": "integer", + "format": "int32", + "title": "Calculated with request limit + offset or defaults\nEmpty when none remain after current page" + }, + "total": { + "type": "integer", + "format": "int32", + "title": "Total count of entire list" + } + } + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. 
The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." 
+ } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. 
Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/policy/namespaces/namespaces.openapi.yaml b/docs/openapi/policy/namespaces/namespaces.openapi.yaml new file mode 100644 index 0000000000..a33a2be8cd --- /dev/null +++ b/docs/openapi/policy/namespaces/namespaces.openapi.yaml 
@@ -0,0 +1,1063 @@ +openapi: 3.1.0 +info: + title: policy.namespaces +paths: + /policy.namespaces.NamespaceService/GetNamespace: + post: + tags: + - policy.namespaces.NamespaceService + summary: GetNamespace + operationId: policy.namespaces.NamespaceService.GetNamespace + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.GetNamespaceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.GetNamespaceResponse' + /policy.namespaces.NamespaceService/ListNamespaces: + post: + tags: + - policy.namespaces.NamespaceService + summary: ListNamespaces + operationId: policy.namespaces.NamespaceService.ListNamespaces + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.ListNamespacesRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.ListNamespacesResponse' + /policy.namespaces.NamespaceService/CreateNamespace: + post: + tags: + - policy.namespaces.NamespaceService + summary: CreateNamespace + operationId: 
policy.namespaces.NamespaceService.CreateNamespace + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.CreateNamespaceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.CreateNamespaceResponse' + /policy.namespaces.NamespaceService/UpdateNamespace: + post: + tags: + - policy.namespaces.NamespaceService + summary: UpdateNamespace + operationId: policy.namespaces.NamespaceService.UpdateNamespace + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.UpdateNamespaceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.UpdateNamespaceResponse' + /policy.namespaces.NamespaceService/DeactivateNamespace: + post: + tags: + - policy.namespaces.NamespaceService + summary: DeactivateNamespace + operationId: policy.namespaces.NamespaceService.DeactivateNamespace + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: 
header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.DeactivateNamespaceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.DeactivateNamespaceResponse' + /policy.namespaces.NamespaceService/AssignKeyAccessServerToNamespace: + post: + tags: + - policy.namespaces.NamespaceService + summary: AssignKeyAccessServerToNamespace + description: |- + --------------------------------------* + Namespace <> Key Access Server RPCs + --------------------------------------- + operationId: policy.namespaces.NamespaceService.AssignKeyAccessServerToNamespace + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.AssignKeyAccessServerToNamespaceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.AssignKeyAccessServerToNamespaceResponse' + /policy.namespaces.NamespaceService/RemoveKeyAccessServerFromNamespace: + post: + tags: + - policy.namespaces.NamespaceService + summary: RemoveKeyAccessServerFromNamespace + operationId: policy.namespaces.NamespaceService.RemoveKeyAccessServerFromNamespace + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: 
'#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.RemoveKeyAccessServerFromNamespaceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.RemoveKeyAccessServerFromNamespaceResponse' + /policy.namespaces.NamespaceService/AssignPublicKeyToNamespace: + post: + tags: + - policy.namespaces.NamespaceService + summary: AssignPublicKeyToNamespace + description: |- + --------------------------------------* + Namespace <> Key RPCs + --------------------------------------- + operationId: policy.namespaces.NamespaceService.AssignPublicKeyToNamespace + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.AssignPublicKeyToNamespaceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.AssignPublicKeyToNamespaceResponse' + /policy.namespaces.NamespaceService/RemovePublicKeyFromNamespace: + post: + tags: + - policy.namespaces.NamespaceService + summary: RemovePublicKeyFromNamespace + operationId: policy.namespaces.NamespaceService.RemovePublicKeyFromNamespace + parameters: + - name: Connect-Protocol-Version + in: header + required: true + 
schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.RemovePublicKeyFromNamespaceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.namespaces.RemovePublicKeyFromNamespaceResponse' +components: + schemas: + common.ActiveStateEnum: + type: string + title: ActiveStateEnum + enum: + - ACTIVE_STATE_ENUM_UNSPECIFIED + - ACTIVE_STATE_ENUM_ACTIVE + - ACTIVE_STATE_ENUM_INACTIVE + - ACTIVE_STATE_ENUM_ANY + description: 'buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren''t violated when users add new enum values to an enum in a given package' + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + description: Supported key algorithms. 
+ policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + common.MetadataMutable: + type: object + properties: + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional labels + title: MetadataMutable + additionalProperties: false + common.MetadataMutable.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + 
additionalProperties: false + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for `bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. + google.protobuf.Timestamp: + type: string + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. 
+ + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. + + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. 
Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. + policy.KasPublicKey: + type: object + properties: + pem: + type: string + title: pem + maxLength: 8192 + minLength: 1 + description: x509 ASN.1 content in PEM envelope, usually + kid: + type: string + title: kid + maxLength: 32 + minLength: 1 + description: A unique string identifier for this key + alg: + not: + enum: + - 0 + title: alg + description: |- + A known algorithm type with any additional parameters encoded. + To start, these may be `rsa:2048` for encrypting ZTDF files and + `ec:secp256r1` for nanoTDF, but more formats may be added as needed. + $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' + title: KasPublicKey + additionalProperties: false + description: |- + Deprecated + A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeySet: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.KasPublicKey' + title: keys + title: KasPublicKeySet + additionalProperties: false + description: |- + Deprecated + A list of known KAS public keys + policy.KeyAccessServer: + type: object + properties: + id: + type: string + title: id + uri: + type: string + title: uri + description: |+ + Address of a KAS instance + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. 
Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + + publicKey: + title: public_key + description: Deprecated + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: 'The source of the KAS: (INTERNAL, EXTERNAL)' + $ref: '#/components/schemas/policy.SourceType' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Kas keys associated with this KAS + name: + type: string + title: name + description: |- + Optional + Unique name of the KAS instance + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyAccessServer + additionalProperties: false + description: Key Access Server Registry + policy.Namespace: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + name: + type: string + title: name + description: |- + used to partition Attribute Definitions, support by namespace AuthN and + enable federation + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: KAS grants for the namespace + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys for the namespace + title: Namespace + additionalProperties: false + policy.PageRequest: + type: object + properties: + limit: + type: integer + title: limit + format: int32 + description: |- + Optional + Set 
to configured default limit if not provided + Maximum limit set in platform config and enforced by services + offset: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + title: PageRequest + additionalProperties: false + policy.PageResponse: + type: object + properties: + currentOffset: + type: integer + title: current_offset + format: int32 + description: Requested pagination offset + nextOffset: + type: integer + title: next_offset + format: int32 + description: |- + Calculated with request limit + offset or defaults + Empty when none remain after current page + total: + type: integer + title: total + format: int32 + description: Total count of entire list + title: PageResponse + additionalProperties: false + policy.PublicKey: + type: object + oneOf: + - properties: + cached: + title: cached + description: public key with additional information. Current preferred version + $ref: '#/components/schemas/policy.KasPublicKeySet' + title: cached + required: + - cached + - properties: + remote: + type: string + title: remote + description: |+ + kas public key url - optional since can also be retrieved via public key + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. 
Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + + title: remote + required: + - remote + title: PublicKey + additionalProperties: false + description: Deprecated + policy.SimpleKasKey: + type: object + properties: + kasUri: + type: string + title: kas_uri + description: The URL of the Key Access Server + publicKey: + title: public_key + description: The public key of the Key that belongs to the KAS + $ref: '#/components/schemas/policy.SimpleKasPublicKey' + kasId: + type: string + title: kas_id + description: The ID of the Key Access Server + title: SimpleKasKey + additionalProperties: false + policy.SimpleKasPublicKey: + type: object + properties: + algorithm: + title: algorithm + $ref: '#/components/schemas/policy.Algorithm' + kid: + type: string + title: kid + pem: + type: string + title: pem + title: SimpleKasPublicKey + additionalProperties: false + policy.namespaces.AssignKeyAccessServerToNamespaceRequest: + type: object + properties: + namespaceKeyAccessServer: + title: namespace_key_access_server + $ref: '#/components/schemas/policy.namespaces.NamespaceKeyAccessServer' + title: AssignKeyAccessServerToNamespaceRequest + additionalProperties: false + policy.namespaces.AssignKeyAccessServerToNamespaceResponse: + type: object + properties: + namespaceKeyAccessServer: + title: namespace_key_access_server + $ref: '#/components/schemas/policy.namespaces.NamespaceKeyAccessServer' + title: AssignKeyAccessServerToNamespaceResponse + additionalProperties: false + policy.namespaces.AssignPublicKeyToNamespaceRequest: + type: object + properties: + namespaceKey: + title: namespace_key + $ref: '#/components/schemas/policy.namespaces.NamespaceKey' + title: AssignPublicKeyToNamespaceRequest + required: + - namespaceKey + additionalProperties: false + 
description: Assign Key to Namespace + policy.namespaces.AssignPublicKeyToNamespaceResponse: + type: object + properties: + namespaceKey: + title: namespace_key + $ref: '#/components/schemas/policy.namespaces.NamespaceKey' + title: AssignPublicKeyToNamespaceResponse + additionalProperties: false + policy.namespaces.CreateNamespaceRequest: + type: object + properties: + name: + type: string + title: name + maxLength: 253 + description: |+ + Required + Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case.: + ``` + this.matches('^([a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?\\.)+[a-zA-Z]{2,}$') + ``` + + metadata: + title: metadata + description: Optional + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateNamespaceRequest + required: + - name + additionalProperties: false + policy.namespaces.CreateNamespaceResponse: + type: object + properties: + namespace: + title: namespace + $ref: '#/components/schemas/policy.Namespace' + title: CreateNamespaceResponse + additionalProperties: false + policy.namespaces.DeactivateNamespaceRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeactivateNamespaceRequest + additionalProperties: false + policy.namespaces.DeactivateNamespaceResponse: + type: object + title: DeactivateNamespaceResponse + additionalProperties: false + policy.namespaces.GetNamespaceRequest: + type: object + oneOf: + - properties: + fqn: + type: string + title: fqn + minLength: 1 + format: uri + title: fqn + required: + - fqn + - properties: + namespaceId: + type: string + title: namespace_id + format: uuid + 
description: 'option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field' + title: namespace_id + required: + - namespaceId + properties: + id: + type: string + title: id + format: uuid + description: Deprecated + deprecated: true + title: GetNamespaceRequest + additionalProperties: false + description: |+ + Either use deprecated 'id' field or one of 'namespace_id' or 'fqn', but not both: + ``` + !(has(this.id) && (has(this.namespace_id) || has(this.fqn))) + ``` + + Either id or one of namespace_id or fqn must be set: + ``` + has(this.id) || has(this.namespace_id) || has(this.fqn) + ``` + + policy.namespaces.GetNamespaceResponse: + type: object + properties: + namespace: + title: namespace + $ref: '#/components/schemas/policy.Namespace' + title: GetNamespaceResponse + additionalProperties: false + policy.namespaces.ListNamespacesRequest: + type: object + properties: + state: + title: state + description: |- + Optional + ACTIVE by default when not specified + $ref: '#/components/schemas/common.ActiveStateEnum' + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListNamespacesRequest + additionalProperties: false + policy.namespaces.ListNamespacesResponse: + type: object + properties: + namespaces: + type: array + items: + $ref: '#/components/schemas/policy.Namespace' + title: namespaces + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListNamespacesResponse + additionalProperties: false + policy.namespaces.NamespaceKey: + type: object + properties: + namespaceId: + type: string + title: namespace_id + format: uuid + description: Required + keyId: + type: string + title: key_id + format: uuid + description: Required (The id from the Asymmetric Key object) + title: NamespaceKey + required: + - namespaceId + - keyId + additionalProperties: false + policy.namespaces.NamespaceKeyAccessServer: + type: object + properties: 
+ namespaceId: + type: string + title: namespace_id + format: uuid + description: Required + keyAccessServerId: + type: string + title: key_access_server_id + format: uuid + description: Required + title: NamespaceKeyAccessServer + additionalProperties: false + policy.namespaces.RemoveKeyAccessServerFromNamespaceRequest: + type: object + properties: + namespaceKeyAccessServer: + title: namespace_key_access_server + $ref: '#/components/schemas/policy.namespaces.NamespaceKeyAccessServer' + title: RemoveKeyAccessServerFromNamespaceRequest + additionalProperties: false + policy.namespaces.RemoveKeyAccessServerFromNamespaceResponse: + type: object + properties: + namespaceKeyAccessServer: + title: namespace_key_access_server + $ref: '#/components/schemas/policy.namespaces.NamespaceKeyAccessServer' + title: RemoveKeyAccessServerFromNamespaceResponse + additionalProperties: false + policy.namespaces.RemovePublicKeyFromNamespaceRequest: + type: object + properties: + namespaceKey: + title: namespace_key + $ref: '#/components/schemas/policy.namespaces.NamespaceKey' + title: RemovePublicKeyFromNamespaceRequest + required: + - namespaceKey + additionalProperties: false + policy.namespaces.RemovePublicKeyFromNamespaceResponse: + type: object + properties: + namespaceKey: + title: namespace_key + $ref: '#/components/schemas/policy.namespaces.NamespaceKey' + title: RemovePublicKeyFromNamespaceResponse + additionalProperties: false + policy.namespaces.UpdateNamespaceRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + metadata: + title: metadata + description: Optional + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateNamespaceRequest + additionalProperties: false + policy.namespaces.UpdateNamespaceResponse: + type: object + properties: + namespace: + title: namespace + $ref: 
'#/components/schemas/policy.Namespace' + title: UpdateNamespaceResponse + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. +security: [] +tags: + - name: policy.namespaces.NamespaceService diff --git a/docs/openapi/policy/namespaces/namespaces.swagger.json b/docs/openapi/policy/namespaces/namespaces.swagger.json new file mode 100644 index 0000000000..a4e7cb7ade --- /dev/null +++ b/docs/openapi/policy/namespaces/namespaces.swagger.json 
@@ -0,0 +1,429 @@ +{ + "swagger": "2.0", + "info": { + "title": "policy/namespaces/namespaces.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "NamespaceService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "commonActiveStateEnum": { + "type": "string", + "enum": [ + "ACTIVE_STATE_ENUM_UNSPECIFIED", + "ACTIVE_STATE_ENUM_ACTIVE", + "ACTIVE_STATE_ENUM_INACTIVE", + "ACTIVE_STATE_ENUM_ANY" + ], + "default": "ACTIVE_STATE_ENUM_UNSPECIFIED", + "title": "buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren't violated when users add new enum values to an enum in a given package" + }, + "commonMetadata": { + "type": "object", + "properties": { + "createdAt": { + "type": "string", + "format": "date-time", + "title": "created_at set by server (entity who created will recorded in an audit event)" + }, + "updatedAt": { + "type": "string", + "format": "date-time", + "title": "updated_at set by server (entity who updated will recorded in an audit event)" + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional short description" + } + }, + "title": "Struct to uniquely identify a resource with optional additional metadata" + }, + "commonMetadataMutable": { + "type": "object", + "properties": { + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional labels" + } + } + }, + "commonMetadataUpdateEnum": { + "type": "string", + "enum": [ + "METADATA_UPDATE_ENUM_UNSPECIFIED", + "METADATA_UPDATE_ENUM_EXTEND", + "METADATA_UPDATE_ENUM_REPLACE" + ], + "default": "METADATA_UPDATE_ENUM_UNSPECIFIED", + "title": "- METADATA_UPDATE_ENUM_UNSPECIFIED: unspecified update type\n - METADATA_UPDATE_ENUM_EXTEND: only update the fields that are provided\n - METADATA_UPDATE_ENUM_REPLACE: replace the entire metadata with the provided metadata" + }, + 
"namespacesAssignKeyAccessServerToNamespaceResponse": { + "type": "object", + "properties": { + "namespaceKeyAccessServer": { + "$ref": "#/definitions/namespacesNamespaceKeyAccessServer" + } + } + }, + "namespacesAssignPublicKeyToNamespaceResponse": { + "type": "object", + "properties": { + "namespaceKey": { + "$ref": "#/definitions/namespacesNamespaceKey" + } + } + }, + "namespacesCreateNamespaceResponse": { + "type": "object", + "properties": { + "namespace": { + "$ref": "#/definitions/policyNamespace" + } + } + }, + "namespacesDeactivateNamespaceResponse": { + "type": "object" + }, + "namespacesGetNamespaceResponse": { + "type": "object", + "properties": { + "namespace": { + "$ref": "#/definitions/policyNamespace" + } + } + }, + "namespacesListNamespacesResponse": { + "type": "object", + "properties": { + "namespaces": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyNamespace" + } + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse" + } + } + }, + "namespacesNamespaceKey": { + "type": "object", + "properties": { + "namespaceId": { + "type": "string", + "title": "Required" + }, + "keyId": { + "type": "string", + "title": "Required (The id from the Asymmetric Key object)" + } + } + }, + "namespacesNamespaceKeyAccessServer": { + "type": "object", + "properties": { + "namespaceId": { + "type": "string", + "title": "Required" + }, + "keyAccessServerId": { + "type": "string", + "title": "Required" + } + } + }, + "namespacesRemoveKeyAccessServerFromNamespaceResponse": { + "type": "object", + "properties": { + "namespaceKeyAccessServer": { + "$ref": "#/definitions/namespacesNamespaceKeyAccessServer" + } + } + }, + "namespacesRemovePublicKeyFromNamespaceResponse": { + "type": "object", + "properties": { + "namespaceKey": { + "$ref": "#/definitions/namespacesNamespaceKey" + } + } + }, + "namespacesUpdateNamespaceResponse": { + "type": "object", + "properties": { + "namespace": { + "$ref": "#/definitions/policyNamespace" 
+ } + } + }, + "policyAlgorithm": { + "type": "string", + "enum": [ + "ALGORITHM_UNSPECIFIED", + "ALGORITHM_RSA_2048", + "ALGORITHM_RSA_4096", + "ALGORITHM_EC_P256", + "ALGORITHM_EC_P384", + "ALGORITHM_EC_P521" + ], + "default": "ALGORITHM_UNSPECIFIED", + "description": "Supported key algorithms." + }, + "policyKasPublicKey": { + "type": "object", + "properties": { + "pem": { + "type": "string", + "title": "x509 ASN.1 content in PEM envelope, usually" + }, + "kid": { + "type": "string", + "title": "A unique string identifier for this key" + }, + "alg": { + "$ref": "#/definitions/policyKasPublicKeyAlgEnum", + "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and\n`ec:secp256r1` for nanoTDF, but more formats may be added as needed." + } + }, + "title": "Deprecated\nA KAS public key and some associated metadata for further identifcation" + }, + "policyKasPublicKeyAlgEnum": { + "type": "string", + "enum": [ + "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1" + ], + "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED" + }, + "policyKasPublicKeySet": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKasPublicKey" + } + } + }, + "title": "Deprecated\nA list of known KAS public keys" + }, + "policyKeyAccessServer": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "uri": { + "type": "string", + "title": "Address of a KAS instance" + }, + "publicKey": { + "$ref": "#/definitions/policyPublicKey", + "title": "Deprecated" + }, + "sourceType": { + "$ref": "#/definitions/policySourceType", + "title": "The source of the KAS: (INTERNAL, EXTERNAL)" + }, + "kasKeys": { + "type": "array", + "items": { + 
"type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Kas keys associated with this KAS" + }, + "name": { + "type": "string", + "title": "Optional\nUnique name of the KAS instance" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "title": "Key Access Server Registry" + }, + "policyNamespace": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "name": { + "type": "string", + "title": "used to partition Attribute Definitions, support by namespace AuthN and\nenable federation" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "KAS grants for the namespace" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys for the namespace" + } + } + }, + "policyPageRequest": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "Optional\nSet to configured default limit if not provided\nMaximum limit set in platform config and enforced by services" + }, + "offset": { + "type": "integer", + "format": "int32", + "title": "Optional\nDefaulted if not provided" + } + } + }, + "policyPageResponse": { + "type": "object", + "properties": { + "currentOffset": { + "type": "integer", + "format": "int32", + "title": "Requested pagination offset" + }, + "nextOffset": { + "type": "integer", + "format": "int32", + "title": "Calculated with request limit + offset or defaults\nEmpty when none remain after current page" + }, + "total": { + "type": "integer", + "format": "int32", + "title": "Total count of entire list" + } + } + }, + 
"policyPublicKey": { + "type": "object", + "properties": { + "remote": { + "type": "string", + "title": "kas public key url - optional since can also be retrieved via public key" + }, + "cached": { + "$ref": "#/definitions/policyKasPublicKeySet", + "title": "public key with additional information. Current preferred version" + } + }, + "title": "Deprecated" + }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, + "policySourceType": { + "type": "string", + "enum": [ + "SOURCE_TYPE_UNSPECIFIED", + "SOURCE_TYPE_INTERNAL", + "SOURCE_TYPE_EXTERNAL" + ], + "default": "SOURCE_TYPE_UNSPECIFIED", + "description": "Describes whether this kas is managed by the organization or if they imported\nthe kas information from an external party. These two modes are necessary in order\nto encrypt a tdf dek with an external parties kas public key.\n\n - SOURCE_TYPE_INTERNAL: The kas is managed by the organization.\n - SOURCE_TYPE_EXTERNAL: The kas is managed by an external party." + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). 
The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." 
+ } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. 
Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/policy/objects.openapi.yaml b/docs/openapi/policy/objects.openapi.yaml new file mode 100644 index 0000000000..d2b2c9ed7a --- /dev/null +++ b/docs/openapi/policy/objects.openapi.yaml 
@@ -0,0 +1,943 @@ +openapi: 3.1.0 +info: + title: policy +paths: {} +components: + schemas: + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + policy.KeyMode: + type: string + title: KeyMode + enum: + - KEY_MODE_UNSPECIFIED + - KEY_MODE_CONFIG_ROOT_KEY + - KEY_MODE_PROVIDER_ROOT_KEY + - KEY_MODE_REMOTE + - KEY_MODE_PUBLIC_KEY_ONLY + description: Describes the management and operational mode of a cryptographic key. + policy.KeyStatus: + type: string + title: KeyStatus + enum: + - KEY_STATUS_UNSPECIFIED + - KEY_STATUS_ACTIVE + - KEY_STATUS_ROTATED + description: The status of the key + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. 
These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. + policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for `bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. + google.protobuf.Timestamp: + type: string + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. 
Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. + + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. 
That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. 
+ policy.Action: + type: object + oneOf: + - properties: + custom: + type: string + title: custom + description: Deprecated + title: custom + required: + - custom + - properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Action + additionalProperties: false + description: An action an entity can take + policy.AsymmetricKey: + type: object + properties: + id: + type: string + title: id + description: Required + keyId: + type: string + title: key_id + description: Required + keyAlgorithm: + title: key_algorithm + description: Required + $ref: '#/components/schemas/policy.Algorithm' + keyStatus: + title: key_status + description: Required + $ref: '#/components/schemas/policy.KeyStatus' + keyMode: + title: key_mode + description: Required Specifies how the key is managed (local or remote) + $ref: '#/components/schemas/policy.KeyMode' + publicKeyCtx: + title: public_key_ctx + description: Required Specific structure based on key provider implementation + $ref: '#/components/schemas/policy.PublicKeyCtx' + privateKeyCtx: + title: private_key_ctx + description: Optional Specific structure based on key provider implementation + $ref: '#/components/schemas/policy.PrivateKeyCtx' + providerConfig: + title: provider_config + description: Optional Configuration for the key provider + $ref: '#/components/schemas/policy.KeyProviderConfig' + metadata: + title: metadata + description: Common metadata fields + $ref: '#/components/schemas/common.Metadata' + title: AsymmetricKey + additionalProperties: false + policy.Attribute: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + description: namespace of the attribute + 
$ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + description: attribute name + rule: + title: rule + description: attribute rule enum + $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' + values: + type: array + items: + $ref: '#/components/schemas/policy.Value' + title: values + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys associated with the attribute + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Attribute + required: + - rule + additionalProperties: false + policy.Condition: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as + from idP/LDAP) + operator: + title: operator + description: the evaluation operator of relation + $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' + subjectExternalValues: + type: array + items: + type: string + minItems: 1 + title: subject_external_values + minItems: 1 + description: |- + list of comparison values for the result of applying the + subject_external_selector_value on a flattened Entity Representation + (Subject), evaluated by the operator + title: Condition + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + * + A Condition defines a rule of + policy.ConditionGroup: + type: object + properties: + conditions: + type: array + items: + $ref: '#/components/schemas/policy.Condition' + title: conditions + 
minItems: 1 + booleanOperator: + title: boolean_operator + description: the boolean evaluation type across the conditions + $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum' + title: ConditionGroup + required: + - booleanOperator + additionalProperties: false + description: A collection of Conditions evaluated by the boolean_operator provided + policy.KasKey: + type: object + properties: + kasId: + type: string + title: kas_id + key: + title: key + $ref: '#/components/schemas/policy.AsymmetricKey' + kasUri: + type: string + title: kas_uri + title: KasKey + additionalProperties: false + policy.KasPublicKey: + type: object + properties: + pem: + type: string + title: pem + maxLength: 8192 + minLength: 1 + description: x509 ASN.1 content in PEM envelope, usually + kid: + type: string + title: kid + maxLength: 32 + minLength: 1 + description: A unique string identifier for this key + alg: + not: + enum: + - 0 + title: alg + description: |- + A known algorithm type with any additional parameters encoded. + To start, these may be `rsa:2048` for encrypting ZTDF files and + `ec:secp256r1` for nanoTDF, but more formats may be added as needed. 
+ $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' + title: KasPublicKey + additionalProperties: false + description: |- + Deprecated + A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeySet: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.KasPublicKey' + title: keys + title: KasPublicKeySet + additionalProperties: false + description: |- + Deprecated + A list of known KAS public keys + policy.Key: + type: object + properties: + id: + type: string + title: id + description: the database record ID, not the key ID (`kid`) + isActive: + title: is_active + $ref: '#/components/schemas/google.protobuf.BoolValue' + wasMapped: + title: was_mapped + $ref: '#/components/schemas/google.protobuf.BoolValue' + publicKey: + title: public_key + $ref: '#/components/schemas/policy.KasPublicKey' + kas: + title: kas + $ref: '#/components/schemas/policy.KeyAccessServer' + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Key + additionalProperties: false + policy.KeyAccessServer: + type: object + properties: + id: + type: string + title: id + uri: + type: string + title: uri + description: |+ + Address of a KAS instance + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. 
Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + + publicKey: + title: public_key + description: Deprecated + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: 'The source of the KAS: (INTERNAL, EXTERNAL)' + $ref: '#/components/schemas/policy.SourceType' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Kas keys associated with this KAS + name: + type: string + title: name + description: |- + Optional + Unique name of the KAS instance + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyAccessServer + additionalProperties: false + description: Key Access Server Registry + policy.KeyProviderConfig: + type: object + properties: + id: + type: string + title: id + name: + type: string + title: name + configJson: + type: string + title: config_json + format: byte + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyProviderConfig + additionalProperties: false + policy.Namespace: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + name: + type: string + title: name + description: |- + used to partition Attribute Definitions, support by namespace AuthN and + enable federation + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: KAS 
grants for the namespace + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys for the namespace + title: Namespace + additionalProperties: false + policy.PrivateKeyCtx: + type: object + properties: + keyId: + type: string + title: key_id + minLength: 1 + description: Required Key ID for the symmetric key wrapping this key. + wrappedKey: + type: string + title: wrapped_key + description: Optional Base64 encoded wrapped key. Conditionally required if key_mode is LOCAL. Should not be present if key_mode is REMOTE. + title: PrivateKeyCtx + additionalProperties: false + policy.PublicKey: + type: object + oneOf: + - properties: + cached: + title: cached + description: public key with additional information. Current preferred version + $ref: '#/components/schemas/policy.KasPublicKeySet' + title: cached + required: + - cached + - properties: + remote: + type: string + title: remote + description: |+ + kas public key url - optional since can also be retrieved via public key + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. 
Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + + title: remote + required: + - remote + title: PublicKey + additionalProperties: false + description: Deprecated + policy.PublicKeyCtx: + type: object + properties: + pem: + type: string + title: pem + minLength: 1 + description: Required Base64 encoded public key in PEM format + title: PublicKeyCtx + additionalProperties: false + policy.RegisteredResource: + type: object + properties: + id: + type: string + title: id + name: + type: string + title: name + values: + type: array + items: + $ref: '#/components/schemas/policy.RegisteredResourceValue' + title: values + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: RegisteredResource + additionalProperties: false + policy.RegisteredResourceValue: + type: object + properties: + id: + type: string + title: id + value: + type: string + title: value + resource: + title: resource + $ref: '#/components/schemas/policy.RegisteredResource' + actionAttributeValues: + type: array + items: + $ref: '#/components/schemas/policy.RegisteredResourceValue.ActionAttributeValue' + title: action_attribute_values + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: RegisteredResourceValue + additionalProperties: false + policy.RegisteredResourceValue.ActionAttributeValue: + type: object + properties: + id: + type: string + title: id + action: + title: action + $ref: '#/components/schemas/policy.Action' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: ActionAttributeValue + additionalProperties: 
false + policy.ResourceMapping: + type: object + properties: + id: + type: string + title: id + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + terms: + type: array + items: + type: string + title: terms + group: + title: group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: ResourceMapping + required: + - attributeValue + additionalProperties: false + description: |- + Resource Mappings (aka Access Control Resource Encodings aka ACRE) are + structures supporting the mapping of Resources and Attribute Values + policy.ResourceMappingGroup: + type: object + properties: + id: + type: string + title: id + namespaceId: + type: string + title: namespace_id + description: the namespace containing the group of resource mappings + name: + type: string + title: name + description: |- + the common name for the group of resource mappings, which must be unique + per namespace + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: ResourceMappingGroup + required: + - namespaceId + - name + additionalProperties: false + description: |- + Resource Mapping Groups are namespaced collections of Resource Mappings + associated under a common group name. 
+ policy.SimpleKasKey: + type: object + properties: + kasUri: + type: string + title: kas_uri + description: The URL of the Key Access Server + publicKey: + title: public_key + description: The public key of the Key that belongs to the KAS + $ref: '#/components/schemas/policy.SimpleKasPublicKey' + kasId: + type: string + title: kas_id + description: The ID of the Key Access Server + title: SimpleKasKey + additionalProperties: false + policy.SimpleKasPublicKey: + type: object + properties: + algorithm: + title: algorithm + $ref: '#/components/schemas/policy.Algorithm' + kid: + type: string + title: kid + pem: + type: string + title: pem + title: SimpleKasPublicKey + additionalProperties: false + policy.SubjectConditionSet: + type: object + properties: + id: + type: string + title: id + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectConditionSet + additionalProperties: false + description: |- + A container for multiple Subject Sets, each containing Condition Groups, each + containing Conditions. Multiple Subject Sets in a SubjectConditionSet are + evaluated with AND logic. As each Subject Mapping has only one Attribute + Value, the SubjectConditionSet is reusable across multiple Subject Mappings / + Attribute Values and is an independent unit. 
+ policy.SubjectMapping: + type: object + properties: + id: + type: string + title: id + attributeValue: + title: attribute_value + description: 'the Attribute Value mapped to; aka: "The Entity Entitlement Attribute"' + $ref: '#/components/schemas/policy.Value' + subjectConditionSet: + title: subject_condition_set + description: the reusable SubjectConditionSet mapped to the given Attribute Value + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: The actions permitted by subjects in this mapping + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectMapping + additionalProperties: false + description: |- + Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute + value + action(s) combination + policy.SubjectProperty: + type: object + properties: + externalSelectorValue: + type: string + title: external_selector_value + minLength: 1 + externalValue: + type: string + title: external_value + title: SubjectProperty + required: + - externalSelectorValue + additionalProperties: false + description: |- + A property of a Subject/Entity as its selector expression -> value result + pair. This would mirror external user attributes retrieved from an + authoritative source such as an IDP (Identity Provider) or User Store. + Examples include such ADFS/LDAP, OKTA, etc. For now, a valid property must + contain both a selector expression & a resulting value. + + The external_selector_value is a specifier to select a value from a flattened + external representation of an Entity (such as from idP/LDAP), and the + external_value is the value selected by the external_selector_value on that + Entity Representation (Subject Context). These mirror the Condition. 
+ policy.SubjectSet: + type: object + properties: + conditionGroups: + type: array + items: + $ref: '#/components/schemas/policy.ConditionGroup' + title: condition_groups + minItems: 1 + description: multiple Condition Groups are evaluated with AND logic + title: SubjectSet + additionalProperties: false + description: A collection of Condition Groups + policy.SymmetricKey: + type: object + properties: + id: + type: string + title: id + keyId: + type: string + title: key_id + keyStatus: + title: key_status + $ref: '#/components/schemas/policy.KeyStatus' + keyMode: + title: key_mode + description: Specifies how the key is managed (local or remote) + $ref: '#/components/schemas/policy.KeyMode' + keyCtx: + type: string + title: key_ctx + format: byte + description: Specific structure based on key provider implementation + providerConfig: + title: provider_config + description: Configuration for the key provider + $ref: '#/components/schemas/policy.KeyProviderConfig' + metadata: + title: metadata + description: Common metadata fields + $ref: '#/components/schemas/common.Metadata' + title: SymmetricKey + additionalProperties: false + policy.Value: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + value: + type: string + title: value + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: |- + Deprecated + list of key access servers + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + description: subject mapping + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + 
resourceMappings: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMapping' + title: resource_mappings + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Value + additionalProperties: false +security: [] diff --git a/docs/openapi/policy/objects.swagger.json b/docs/openapi/policy/objects.swagger.json new file mode 100644 index 0000000000..efccb95b29 --- /dev/null +++ b/docs/openapi/policy/objects.swagger.json 
@@ -0,0 +1,46 @@ +{ + "swagger": "2.0", + "info": { + "title": "policy/objects.proto", + "version": "version not set" + }, + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." 
+ } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. 
Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml b/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml new file mode 100644 index 0000000000..3f531841d5 --- /dev/null +++ b/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml 
@@ -0,0 +1,1675 @@ +openapi: 3.1.0 +info: + title: policy.registeredresources +paths: + /policy.registeredresources.RegisteredResourcesService/CreateRegisteredResource: + post: + tags: + - policy.registeredresources.RegisteredResourcesService + summary: CreateRegisteredResource + operationId: policy.registeredresources.RegisteredResourcesService.CreateRegisteredResource + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceResponse' + /policy.registeredresources.RegisteredResourcesService/GetRegisteredResource: + post: + tags: + - policy.registeredresources.RegisteredResourcesService + summary: GetRegisteredResource + operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResource + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/policy.registeredresources.GetRegisteredResourceResponse' + /policy.registeredresources.RegisteredResourcesService/ListRegisteredResources: + post: + tags: + - policy.registeredresources.RegisteredResourcesService + summary: ListRegisteredResources + operationId: policy.registeredresources.RegisteredResourcesService.ListRegisteredResources + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourcesRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourcesResponse' + /policy.registeredresources.RegisteredResourcesService/UpdateRegisteredResource: + post: + tags: + - policy.registeredresources.RegisteredResourcesService + summary: UpdateRegisteredResource + operationId: policy.registeredresources.RegisteredResourcesService.UpdateRegisteredResource + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/policy.registeredresources.UpdateRegisteredResourceResponse' + /policy.registeredresources.RegisteredResourcesService/DeleteRegisteredResource: + post: + tags: + - policy.registeredresources.RegisteredResourcesService + summary: DeleteRegisteredResource + operationId: policy.registeredresources.RegisteredResourcesService.DeleteRegisteredResource + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceResponse' + /policy.registeredresources.RegisteredResourcesService/CreateRegisteredResourceValue: + post: + tags: + - policy.registeredresources.RegisteredResourcesService + summary: CreateRegisteredResourceValue + operationId: policy.registeredresources.RegisteredResourcesService.CreateRegisteredResourceValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + 
schema: + $ref: '#/components/schemas/policy.registeredresources.CreateRegisteredResourceValueResponse' + /policy.registeredresources.RegisteredResourcesService/GetRegisteredResourceValue: + post: + tags: + - policy.registeredresources.RegisteredResourcesService + summary: GetRegisteredResourceValue + operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResourceValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValueResponse' + /policy.registeredresources.RegisteredResourcesService/GetRegisteredResourceValuesByFQNs: + post: + tags: + - policy.registeredresources.RegisteredResourcesService + summary: GetRegisteredResourceValuesByFQNs + operationId: policy.registeredresources.RegisteredResourcesService.GetRegisteredResourceValuesByFQNs + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValuesByFQNsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + 
description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.GetRegisteredResourceValuesByFQNsResponse' + /policy.registeredresources.RegisteredResourcesService/ListRegisteredResourceValues: + post: + tags: + - policy.registeredresources.RegisteredResourcesService + summary: ListRegisteredResourceValues + operationId: policy.registeredresources.RegisteredResourcesService.ListRegisteredResourceValues + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourceValuesRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.ListRegisteredResourceValuesResponse' + /policy.registeredresources.RegisteredResourcesService/UpdateRegisteredResourceValue: + post: + tags: + - policy.registeredresources.RegisteredResourcesService + summary: UpdateRegisteredResourceValue + operationId: policy.registeredresources.RegisteredResourcesService.UpdateRegisteredResourceValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: 
'#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.UpdateRegisteredResourceValueResponse' + /policy.registeredresources.RegisteredResourcesService/DeleteRegisteredResourceValue: + post: + tags: + - policy.registeredresources.RegisteredResourcesService + summary: DeleteRegisteredResourceValue + operationId: policy.registeredresources.RegisteredResourcesService.DeleteRegisteredResourceValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.registeredresources.DeleteRegisteredResourceValueResponse' +components: + schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + description: Supported key algorithms. 
+ policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. 
+ policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + common.MetadataMutable: + type: object + properties: + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional labels + title: MetadataMutable + additionalProperties: false + common.MetadataMutable.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for `bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. + google.protobuf.Timestamp: + type: string + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. 
The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. 
+ + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. 
+ policy.Action: + type: object + oneOf: + - properties: + custom: + type: string + title: custom + description: Deprecated + title: custom + required: + - custom + - properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Action + additionalProperties: false + description: An action an entity can take + policy.Attribute: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + description: namespace of the attribute + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + description: attribute name + rule: + title: rule + description: attribute rule enum + $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' + values: + type: array + items: + $ref: '#/components/schemas/policy.Value' + title: values + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys associated with the attribute + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Attribute + required: + - rule + additionalProperties: false + policy.Condition: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as + from 
idP/LDAP) + operator: + title: operator + description: the evaluation operator of relation + $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' + subjectExternalValues: + type: array + items: + type: string + minItems: 1 + title: subject_external_values + minItems: 1 + description: |- + list of comparison values for the result of applying the + subject_external_selector_value on a flattened Entity Representation + (Subject), evaluated by the operator + title: Condition + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + * + A Condition defines a rule of + policy.ConditionGroup: + type: object + properties: + conditions: + type: array + items: + $ref: '#/components/schemas/policy.Condition' + title: conditions + minItems: 1 + booleanOperator: + title: boolean_operator + description: the boolean evaluation type across the conditions + $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum' + title: ConditionGroup + required: + - booleanOperator + additionalProperties: false + description: A collection of Conditions evaluated by the boolean_operator provided + policy.KasPublicKey: + type: object + properties: + pem: + type: string + title: pem + maxLength: 8192 + minLength: 1 + description: x509 ASN.1 content in PEM envelope, usually + kid: + type: string + title: kid + maxLength: 32 + minLength: 1 + description: A unique string identifier for this key + alg: + not: + enum: + - 0 + title: alg + description: |- + A known algorithm type with any additional parameters encoded. + To start, these may be `rsa:2048` for encrypting ZTDF files and + `ec:secp256r1` for nanoTDF, but more formats may be added as needed. 
+ $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' + title: KasPublicKey + additionalProperties: false + description: |- + Deprecated + A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeySet: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.KasPublicKey' + title: keys + title: KasPublicKeySet + additionalProperties: false + description: |- + Deprecated + A list of known KAS public keys + policy.KeyAccessServer: + type: object + properties: + id: + type: string + title: id + uri: + type: string + title: uri + description: |+ + Address of a KAS instance + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + + publicKey: + title: public_key + description: Deprecated + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: 'The source of the KAS: (INTERNAL, EXTERNAL)' + $ref: '#/components/schemas/policy.SourceType' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Kas keys associated with this KAS + name: + type: string + title: name + description: |- + Optional + Unique name of the KAS instance + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyAccessServer + additionalProperties: false + description: Key Access Server Registry + policy.Namespace: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + name: + type: string + title: name + description: |- + used to partition Attribute Definitions, support by namespace AuthN and + enable 
federation + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: KAS grants for the namespace + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys for the namespace + title: Namespace + additionalProperties: false + policy.PageRequest: + type: object + properties: + limit: + type: integer + title: limit + format: int32 + description: |- + Optional + Set to configured default limit if not provided + Maximum limit set in platform config and enforced by services + offset: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + title: PageRequest + additionalProperties: false + policy.PageResponse: + type: object + properties: + currentOffset: + type: integer + title: current_offset + format: int32 + description: Requested pagination offset + nextOffset: + type: integer + title: next_offset + format: int32 + description: |- + Calculated with request limit + offset or defaults + Empty when none remain after current page + total: + type: integer + title: total + format: int32 + description: Total count of entire list + title: PageResponse + additionalProperties: false + policy.PublicKey: + type: object + oneOf: + - properties: + cached: + title: cached + description: public key with additional information. 
Current preferred version + $ref: '#/components/schemas/policy.KasPublicKeySet' + title: cached + required: + - cached + - properties: + remote: + type: string + title: remote + description: |+ + kas public key url - optional since can also be retrieved via public key + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + + title: remote + required: + - remote + title: PublicKey + additionalProperties: false + description: Deprecated + policy.RegisteredResource: + type: object + properties: + id: + type: string + title: id + name: + type: string + title: name + values: + type: array + items: + $ref: '#/components/schemas/policy.RegisteredResourceValue' + title: values + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: RegisteredResource + additionalProperties: false + policy.RegisteredResourceValue: + type: object + properties: + id: + type: string + title: id + value: + type: string + title: value + resource: + title: resource + $ref: '#/components/schemas/policy.RegisteredResource' + actionAttributeValues: + type: array + items: + $ref: '#/components/schemas/policy.RegisteredResourceValue.ActionAttributeValue' + title: action_attribute_values + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: RegisteredResourceValue + additionalProperties: false + policy.RegisteredResourceValue.ActionAttributeValue: + type: object + properties: + id: + type: string + title: id + action: + title: action + $ref: '#/components/schemas/policy.Action' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + metadata: + title: 
metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: ActionAttributeValue + additionalProperties: false + policy.ResourceMapping: + type: object + properties: + id: + type: string + title: id + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + terms: + type: array + items: + type: string + title: terms + group: + title: group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: ResourceMapping + required: + - attributeValue + additionalProperties: false + description: |- + Resource Mappings (aka Access Control Resource Encodings aka ACRE) are + structures supporting the mapping of Resources and Attribute Values + policy.ResourceMappingGroup: + type: object + properties: + id: + type: string + title: id + namespaceId: + type: string + title: namespace_id + description: the namespace containing the group of resource mappings + name: + type: string + title: name + description: |- + the common name for the group of resource mappings, which must be unique + per namespace + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: ResourceMappingGroup + required: + - namespaceId + - name + additionalProperties: false + description: |- + Resource Mapping Groups are namespaced collections of Resource Mappings + associated under a common group name. 
+ policy.SimpleKasKey: + type: object + properties: + kasUri: + type: string + title: kas_uri + description: The URL of the Key Access Server + publicKey: + title: public_key + description: The public key of the Key that belongs to the KAS + $ref: '#/components/schemas/policy.SimpleKasPublicKey' + kasId: + type: string + title: kas_id + description: The ID of the Key Access Server + title: SimpleKasKey + additionalProperties: false + policy.SimpleKasPublicKey: + type: object + properties: + algorithm: + title: algorithm + $ref: '#/components/schemas/policy.Algorithm' + kid: + type: string + title: kid + pem: + type: string + title: pem + title: SimpleKasPublicKey + additionalProperties: false + policy.SubjectConditionSet: + type: object + properties: + id: + type: string + title: id + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectConditionSet + additionalProperties: false + description: |- + A container for multiple Subject Sets, each containing Condition Groups, each + containing Conditions. Multiple Subject Sets in a SubjectConditionSet are + evaluated with AND logic. As each Subject Mapping has only one Attribute + Value, the SubjectConditionSet is reusable across multiple Subject Mappings / + Attribute Values and is an independent unit. 
+ policy.SubjectMapping: + type: object + properties: + id: + type: string + title: id + attributeValue: + title: attribute_value + description: 'the Attribute Value mapped to; aka: "The Entity Entitlement Attribute"' + $ref: '#/components/schemas/policy.Value' + subjectConditionSet: + title: subject_condition_set + description: the reusable SubjectConditionSet mapped to the given Attribute Value + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: The actions permitted by subjects in this mapping + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectMapping + additionalProperties: false + description: |- + Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute + value + action(s) combination + policy.SubjectSet: + type: object + properties: + conditionGroups: + type: array + items: + $ref: '#/components/schemas/policy.ConditionGroup' + title: condition_groups + minItems: 1 + description: multiple Condition Groups are evaluated with AND logic + title: SubjectSet + additionalProperties: false + description: A collection of Condition Groups + policy.Value: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + value: + type: string + title: value + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: |- + Deprecated + list of key access servers + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + description: subject mapping + kasKeys: + type: array + items: 
+ $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + resourceMappings: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMapping' + title: resource_mappings + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Value + additionalProperties: false + policy.registeredresources.ActionAttributeValue: + type: object + allOf: + - oneOf: + - properties: + actionId: + type: string + title: action_id + format: uuid + title: action_id + required: + - actionId + - properties: + actionName: + type: string + title: action_name + maxLength: 253 + description: |+ + Action name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored action name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + title: action_name + required: + - actionName + - oneOf: + - properties: + attributeValueFqn: + type: string + title: attribute_value_fqn + minLength: 1 + format: uri + title: attribute_value_fqn + required: + - attributeValueFqn + - properties: + attributeValueId: + type: string + title: attribute_value_id + format: uuid + title: attribute_value_id + required: + - attributeValueId + title: ActionAttributeValue + additionalProperties: false + policy.registeredresources.CreateRegisteredResourceRequest: + type: object + properties: + name: + type: string + title: name + maxLength: 253 + description: |+ + Required + Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. 
The stored name will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + values: + type: array + items: + type: string + maxLength: 253 + pattern: ^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$ + uniqueItems: true + title: values + uniqueItems: true + description: "Optional \n Registered Resource Values (when provided) must be alphanumeric strings, allowing hyphens and underscores but not as the first or last character.\n The stored value will be normalized to lower case." + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateRegisteredResourceRequest + required: + - name + additionalProperties: false + policy.registeredresources.CreateRegisteredResourceResponse: + type: object + properties: + resource: + title: resource + $ref: '#/components/schemas/policy.RegisteredResource' + title: CreateRegisteredResourceResponse + additionalProperties: false + policy.registeredresources.CreateRegisteredResourceValueRequest: + type: object + properties: + resourceId: + type: string + title: resource_id + format: uuid + description: Required + value: + type: string + title: value + maxLength: 253 + description: |+ + Required + Registered Resource Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + actionAttributeValues: + type: array + items: + $ref: '#/components/schemas/policy.registeredresources.ActionAttributeValue' + title: action_attribute_values + description: |- + Optional + The associated Action <> AttributeValue combinations to be utilized in authorization/entitlement decisioning + (i.e. 
action read -> attribute value https://example.com/attr/department/value/marketing) + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateRegisteredResourceValueRequest + required: + - value + additionalProperties: false + policy.registeredresources.CreateRegisteredResourceValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.RegisteredResourceValue' + title: CreateRegisteredResourceValueResponse + additionalProperties: false + policy.registeredresources.DeleteRegisteredResourceRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeleteRegisteredResourceRequest + additionalProperties: false + policy.registeredresources.DeleteRegisteredResourceResponse: + type: object + properties: + resource: + title: resource + $ref: '#/components/schemas/policy.RegisteredResource' + title: DeleteRegisteredResourceResponse + additionalProperties: false + policy.registeredresources.DeleteRegisteredResourceValueRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeleteRegisteredResourceValueRequest + additionalProperties: false + policy.registeredresources.DeleteRegisteredResourceValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.RegisteredResourceValue' + title: DeleteRegisteredResourceValueResponse + additionalProperties: false + policy.registeredresources.GetRegisteredResourceRequest: + type: object + oneOf: + - properties: + id: + type: string + title: id + format: uuid + title: id + required: + - id + - properties: + name: + type: string + title: name + maxLength: 253 + description: |+ + Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. 
The stored name will be normalized to lower case.: + ``` + size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true + ``` + + title: name + required: + - name + title: GetRegisteredResourceRequest + additionalProperties: false + policy.registeredresources.GetRegisteredResourceResponse: + type: object + properties: + resource: + title: resource + $ref: '#/components/schemas/policy.RegisteredResource' + title: GetRegisteredResourceResponse + additionalProperties: false + policy.registeredresources.GetRegisteredResourceValueRequest: + type: object + oneOf: + - properties: + fqn: + type: string + title: fqn + minLength: 1 + format: uri + title: fqn + required: + - fqn + - properties: + id: + type: string + title: id + format: uuid + title: id + required: + - id + title: GetRegisteredResourceValueRequest + additionalProperties: false + policy.registeredresources.GetRegisteredResourceValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.RegisteredResourceValue' + title: GetRegisteredResourceValueResponse + additionalProperties: false + policy.registeredresources.GetRegisteredResourceValuesByFQNsRequest: + type: object + properties: + fqns: + type: array + items: + type: string + minLength: 1 + format: uri + minItems: 1 + uniqueItems: true + title: fqns + minItems: 1 + uniqueItems: true + description: Required + title: GetRegisteredResourceValuesByFQNsRequest + additionalProperties: false + policy.registeredresources.GetRegisteredResourceValuesByFQNsResponse: + type: object + properties: + fqnValueMap: + type: object + title: fqn_value_map + additionalProperties: + title: value + $ref: '#/components/schemas/policy.RegisteredResourceValue' + title: GetRegisteredResourceValuesByFQNsResponse + additionalProperties: false + policy.registeredresources.GetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + 
$ref: '#/components/schemas/policy.RegisteredResourceValue' + title: FqnValueMapEntry + additionalProperties: false + policy.registeredresources.ListRegisteredResourceValuesRequest: + type: object + properties: + resourceId: + type: string + title: resource_id + description: |+ + Optional + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListRegisteredResourceValuesRequest + additionalProperties: false + policy.registeredresources.ListRegisteredResourceValuesResponse: + type: object + properties: + values: + type: array + items: + $ref: '#/components/schemas/policy.RegisteredResourceValue' + title: values + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListRegisteredResourceValuesResponse + additionalProperties: false + policy.registeredresources.ListRegisteredResourcesRequest: + type: object + properties: + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListRegisteredResourcesRequest + additionalProperties: false + policy.registeredresources.ListRegisteredResourcesResponse: + type: object + properties: + resources: + type: array + items: + $ref: '#/components/schemas/policy.RegisteredResource' + title: resources + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListRegisteredResourcesResponse + additionalProperties: false + policy.registeredresources.UpdateRegisteredResourceRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + name: + type: string + title: name + maxLength: 253 + description: |+ + Optional + Registered Resource Name must be an alphanumeric string, allowing hyphens and underscores but not as the first or 
last character. The stored name will be normalized to lower case.: + ``` + size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true + ``` + + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateRegisteredResourceRequest + additionalProperties: false + policy.registeredresources.UpdateRegisteredResourceResponse: + type: object + properties: + resource: + title: resource + $ref: '#/components/schemas/policy.RegisteredResource' + title: UpdateRegisteredResourceResponse + additionalProperties: false + policy.registeredresources.UpdateRegisteredResourceValueRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + value: + type: string + title: value + maxLength: 253 + description: |+ + Optional + Registered Resource Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored value will be normalized to lower case.: + ``` + size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true + ``` + + actionAttributeValues: + type: array + items: + $ref: '#/components/schemas/policy.registeredresources.ActionAttributeValue' + title: action_attribute_values + description: |- + Optional + Action Attribute Values provided here will replace all existing records in the database. To delete all action attribute values, set this field to an empty list. 
+ metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateRegisteredResourceValueRequest + additionalProperties: false + policy.registeredresources.UpdateRegisteredResourceValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.RegisteredResourceValue' + title: UpdateRegisteredResourceValueResponse + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. 
+ detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. +security: [] +tags: + - name: policy.registeredresources.RegisteredResourcesService + description: Registered Resources diff --git a/docs/openapi/policy/registeredresources/registered_resources.swagger.json b/docs/openapi/policy/registeredresources/registered_resources.swagger.json new file mode 100644 index 0000000000..70307e2be1 --- /dev/null +++ b/docs/openapi/policy/registeredresources/registered_resources.swagger.json 
@@ -0,0 +1,823 @@ +{ + "swagger": "2.0", + "info": { + "title": "policy/registeredresources/registered_resources.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "RegisteredResourcesService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "ActionStandardAction": { + "type": "string", + "enum": [ + "STANDARD_ACTION_UNSPECIFIED", + "STANDARD_ACTION_DECRYPT", + "STANDARD_ACTION_TRANSMIT" + ], + "default": "STANDARD_ACTION_UNSPECIFIED", + "title": "- STANDARD_ACTION_DECRYPT: Deprecated\nMigrate to 'read' action name\n - STANDARD_ACTION_TRANSMIT: Deprecated\nMigrate to 'create' action name" + }, + "commonMetadata": { + "type": "object", + "properties": { + "createdAt": { + "type": "string", + "format": "date-time", + "title": "created_at set by server (entity who created will recorded in an audit event)" + }, + "updatedAt": { + "type": "string", + "format": "date-time", + "title": "updated_at set by server (entity who updated will recorded in an audit event)" + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional short description" + } + }, + "title": "Struct to uniquely identify a resource with optional additional metadata" + }, + "commonMetadataMutable": { + "type": "object", + "properties": { + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional labels" + } + } + }, + "commonMetadataUpdateEnum": { + "type": "string", + "enum": [ + "METADATA_UPDATE_ENUM_UNSPECIFIED", + "METADATA_UPDATE_ENUM_EXTEND", + "METADATA_UPDATE_ENUM_REPLACE" + ], + "default": "METADATA_UPDATE_ENUM_UNSPECIFIED", + "title": "- METADATA_UPDATE_ENUM_UNSPECIFIED: unspecified update type\n - METADATA_UPDATE_ENUM_EXTEND: only update the fields that are provided\n - METADATA_UPDATE_ENUM_REPLACE: replace the entire metadata with the provided metadata" + }, + "policyAction": { + "type": "object", 
+ "properties": { + "id": { + "type": "string", + "title": "Generated uuid in database" + }, + "standard": { + "$ref": "#/definitions/ActionStandardAction", + "title": "Deprecated" + }, + "custom": { + "type": "string", + "title": "Deprecated" + }, + "name": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "An action an entity can take" + }, + "policyAlgorithm": { + "type": "string", + "enum": [ + "ALGORITHM_UNSPECIFIED", + "ALGORITHM_RSA_2048", + "ALGORITHM_RSA_4096", + "ALGORITHM_EC_P256", + "ALGORITHM_EC_P384", + "ALGORITHM_EC_P521" + ], + "default": "ALGORITHM_UNSPECIFIED", + "description": "Supported key algorithms." + }, + "policyAttribute": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "namespace": { + "$ref": "#/definitions/policyNamespace", + "title": "namespace of the attribute" + }, + "name": { + "type": "string", + "title": "attribute name" + }, + "rule": { + "$ref": "#/definitions/policyAttributeRuleTypeEnum", + "title": "attribute rule enum" + }, + "values": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyValue" + } + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "Deprecated" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys associated with the attribute" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyAttributeRuleTypeEnum": { + "type": "string", + "enum": [ + "ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED", + "ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF", + "ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF", + "ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY" + ], + "default": 
"ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED" + }, + "policyCondition": { + "type": "object", + "properties": { + "subjectExternalSelectorValue": { + "type": "string", + "title": "a selector for a field value on a flattened Entity Representation (such as\nfrom idP/LDAP)" + }, + "operator": { + "$ref": "#/definitions/policySubjectMappingOperatorEnum", + "title": "the evaluation operator of relation" + }, + "subjectExternalValues": { + "type": "array", + "items": { + "type": "string" + }, + "title": "list of comparison values for the result of applying the\nsubject_external_selector_value on a flattened Entity Representation\n(Subject), evaluated by the operator" + } + }, + "title": "*\nA Condition defines a rule of \u003cthe value at the flattened 'selector value'\nlocation\u003e \u003coperator\u003e \u003csubject external values\u003e" + }, + "policyConditionBooleanTypeEnum": { + "type": "string", + "enum": [ + "CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED", + "CONDITION_BOOLEAN_TYPE_ENUM_AND", + "CONDITION_BOOLEAN_TYPE_ENUM_OR" + ], + "default": "CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED" + }, + "policyConditionGroup": { + "type": "object", + "properties": { + "conditions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyCondition" + } + }, + "booleanOperator": { + "$ref": "#/definitions/policyConditionBooleanTypeEnum", + "title": "the boolean evaluation type across the conditions" + } + }, + "title": "A collection of Conditions evaluated by the boolean_operator provided" + }, + "policyKasPublicKey": { + "type": "object", + "properties": { + "pem": { + "type": "string", + "title": "x509 ASN.1 content in PEM envelope, usually" + }, + "kid": { + "type": "string", + "title": "A unique string identifier for this key" + }, + "alg": { + "$ref": "#/definitions/policyKasPublicKeyAlgEnum", + "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and\n`ec:secp256r1` 
for nanoTDF, but more formats may be added as needed." + } + }, + "title": "Deprecated\nA KAS public key and some associated metadata for further identifcation" + }, + "policyKasPublicKeyAlgEnum": { + "type": "string", + "enum": [ + "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1" + ], + "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED" + }, + "policyKasPublicKeySet": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKasPublicKey" + } + } + }, + "title": "Deprecated\nA list of known KAS public keys" + }, + "policyKeyAccessServer": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "uri": { + "type": "string", + "title": "Address of a KAS instance" + }, + "publicKey": { + "$ref": "#/definitions/policyPublicKey", + "title": "Deprecated" + }, + "sourceType": { + "$ref": "#/definitions/policySourceType", + "title": "The source of the KAS: (INTERNAL, EXTERNAL)" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Kas keys associated with this KAS" + }, + "name": { + "type": "string", + "title": "Optional\nUnique name of the KAS instance" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "title": "Key Access Server Registry" + }, + "policyNamespace": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "name": { + "type": "string", + "title": "used to partition Attribute Definitions, support by namespace AuthN and\nenable federation" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + 
"metadata": { + "$ref": "#/definitions/commonMetadata" + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "KAS grants for the namespace" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys for the namespace" + } + } + }, + "policyPageRequest": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "Optional\nSet to configured default limit if not provided\nMaximum limit set in platform config and enforced by services" + }, + "offset": { + "type": "integer", + "format": "int32", + "title": "Optional\nDefaulted if not provided" + } + } + }, + "policyPageResponse": { + "type": "object", + "properties": { + "currentOffset": { + "type": "integer", + "format": "int32", + "title": "Requested pagination offset" + }, + "nextOffset": { + "type": "integer", + "format": "int32", + "title": "Calculated with request limit + offset or defaults\nEmpty when none remain after current page" + }, + "total": { + "type": "integer", + "format": "int32", + "title": "Total count of entire list" + } + } + }, + "policyPublicKey": { + "type": "object", + "properties": { + "remote": { + "type": "string", + "title": "kas public key url - optional since can also be retrieved via public key" + }, + "cached": { + "$ref": "#/definitions/policyKasPublicKeySet", + "title": "public key with additional information. 
Current preferred version" + } + }, + "title": "Deprecated" + }, + "policyRegisteredResource": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "values": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyRegisteredResourceValue" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyRegisteredResourceValue": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "value": { + "type": "string" + }, + "resource": { + "$ref": "#/definitions/policyRegisteredResource" + }, + "actionAttributeValues": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyRegisteredResourceValueActionAttributeValue" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyRegisteredResourceValueActionAttributeValue": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "action": { + "$ref": "#/definitions/policyAction" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyResourceMapping": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue" + }, + "terms": { + "type": "array", + "items": { + "type": "string" + } + }, + "group": { + "$ref": "#/definitions/policyResourceMappingGroup" + } + }, + "title": "Resource Mappings (aka Access Control Resource Encodings aka ACRE) are\nstructures supporting the mapping of Resources and Attribute Values" + }, + "policyResourceMappingGroup": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "namespaceId": { + "type": "string", + "title": "the namespace containing the group 
of resource mappings" + }, + "name": { + "type": "string", + "title": "the common name for the group of resource mappings, which must be unique\nper namespace" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "description": "Resource Mapping Groups are namespaced collections of Resource Mappings\nassociated under a common group name." + }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, + "policySourceType": { + "type": "string", + "enum": [ + "SOURCE_TYPE_UNSPECIFIED", + "SOURCE_TYPE_INTERNAL", + "SOURCE_TYPE_EXTERNAL" + ], + "default": "SOURCE_TYPE_UNSPECIFIED", + "description": "Describes whether this kas is managed by the organization or if they imported\nthe kas information from an external party. These two modes are necessary in order\nto encrypt a tdf dek with an external parties kas public key.\n\n - SOURCE_TYPE_INTERNAL: The kas is managed by the organization.\n - SOURCE_TYPE_EXTERNAL: The kas is managed by an external party." + }, + "policySubjectConditionSet": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "subjectSets": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectSet" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "description": "A container for multiple Subject Sets, each containing Condition Groups, each\ncontaining Conditions. 
Multiple Subject Sets in a SubjectConditionSet are\nevaluated with AND logic. As each Subject Mapping has only one Attribute\nValue, the SubjectConditionSet is reusable across multiple Subject Mappings /\nAttribute Values and is an independent unit." + }, + "policySubjectMapping": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue", + "title": "the Attribute Value mapped to; aka: \"The Entity Entitlement Attribute\"" + }, + "subjectConditionSet": { + "$ref": "#/definitions/policySubjectConditionSet", + "title": "the reusable SubjectConditionSet mapped to the given Attribute Value" + }, + "actions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyAction" + }, + "title": "The actions permitted by subjects in this mapping" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute\nvalue + action(s) combination" + }, + "policySubjectMappingOperatorEnum": { + "type": "string", + "enum": [ + "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED", + "SUBJECT_MAPPING_OPERATOR_ENUM_IN", + "SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN", + "SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS" + ], + "default": "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED", + "title": "- SUBJECT_MAPPING_OPERATOR_ENUM_IN: operator that returns true if a value in a list matches the string\n - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN: operator that returns true if a value is not in a list that is matched by\nstring\n - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS: operator that returns true if a value in a list contains the substring" + }, + "policySubjectSet": { + "type": "object", + "properties": { + "conditionGroups": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyConditionGroup" + }, + "title": "multiple Condition Groups are evaluated with AND logic" + } + }, + "title": "A 
collection of Condition Groups" + }, + "policyValue": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "attribute": { + "$ref": "#/definitions/policyAttribute" + }, + "value": { + "type": "string" + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "Deprecated\nlist of key access servers" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "subjectMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectMapping" + }, + "title": "subject mapping" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + } + }, + "resourceMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyResourceMapping" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyregisteredresourcesActionAttributeValue": { + "type": "object", + "properties": { + "actionId": { + "type": "string" + }, + "actionName": { + "type": "string" + }, + "attributeValueId": { + "type": "string" + }, + "attributeValueFqn": { + "type": "string" + } + } + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. 
However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." + } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := 
anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. 
Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "registeredresourcesCreateRegisteredResourceResponse": { + "type": "object", + "properties": { + "resource": { + "$ref": "#/definitions/policyRegisteredResource" + } + } + }, + "registeredresourcesCreateRegisteredResourceValueResponse": { + "type": "object", + "properties": { + "value": { + "$ref": "#/definitions/policyRegisteredResourceValue" + } + } + }, + "registeredresourcesDeleteRegisteredResourceResponse": { + "type": "object", + "properties": { + "resource": { + "$ref": "#/definitions/policyRegisteredResource" + } + } + }, + "registeredresourcesDeleteRegisteredResourceValueResponse": { + "type": "object", + "properties": { + "value": { + "$ref": "#/definitions/policyRegisteredResourceValue" + } + } + }, + "registeredresourcesGetRegisteredResourceResponse": { + "type": "object", + "properties": { + "resource": { + "$ref": "#/definitions/policyRegisteredResource" + } + } + }, + "registeredresourcesGetRegisteredResourceValueResponse": { + "type": "object", + "properties": { + "value": { + "$ref": "#/definitions/policyRegisteredResourceValue" + } + } + }, + "registeredresourcesGetRegisteredResourceValuesByFQNsResponse": { + "type": "object", + "properties": { + "fqnValueMap": { + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/policyRegisteredResourceValue" + } + } + } + }, + "registeredresourcesListRegisteredResourceValuesResponse": { + "type": "object", + "properties": { + "values": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyRegisteredResourceValue" + } + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse" + } + } + }, + "registeredresourcesListRegisteredResourcesResponse": { + "type": "object", + "properties": { + "resources": { + "type": "array", + "items": { + "type": "object", + "$ref": 
"#/definitions/policyRegisteredResource" + } + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse" + } + } + }, + "registeredresourcesUpdateRegisteredResourceResponse": { + "type": "object", + "properties": { + "resource": { + "$ref": "#/definitions/policyRegisteredResource" + } + } + }, + "registeredresourcesUpdateRegisteredResourceValueResponse": { + "type": "object", + "properties": { + "value": { + "$ref": "#/definitions/policyRegisteredResourceValue" + } + } + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml b/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml new file mode 100644 index 0000000000..f8134a64a1 --- /dev/null +++ b/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml 
@@ -0,0 +1,1559 @@ +openapi: 3.1.0 +info: + title: policy.resourcemapping +paths: + /policy.resourcemapping.ResourceMappingService/ListResourceMappingGroups: + post: + tags: + - policy.resourcemapping.ResourceMappingService + summary: ListResourceMappingGroups + operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappingGroups + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingGroupsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingGroupsResponse' + /policy.resourcemapping.ResourceMappingService/GetResourceMappingGroup: + post: + tags: + - policy.resourcemapping.ResourceMappingService + summary: GetResourceMappingGroup + operationId: policy.resourcemapping.ResourceMappingService.GetResourceMappingGroup + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingGroupRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/policy.resourcemapping.GetResourceMappingGroupResponse' + /policy.resourcemapping.ResourceMappingService/CreateResourceMappingGroup: + post: + tags: + - policy.resourcemapping.ResourceMappingService + summary: CreateResourceMappingGroup + operationId: policy.resourcemapping.ResourceMappingService.CreateResourceMappingGroup + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingGroupRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingGroupResponse' + /policy.resourcemapping.ResourceMappingService/UpdateResourceMappingGroup: + post: + tags: + - policy.resourcemapping.ResourceMappingService + summary: UpdateResourceMappingGroup + operationId: policy.resourcemapping.ResourceMappingService.UpdateResourceMappingGroup + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingGroupRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/policy.resourcemapping.UpdateResourceMappingGroupResponse' + /policy.resourcemapping.ResourceMappingService/DeleteResourceMappingGroup: + post: + tags: + - policy.resourcemapping.ResourceMappingService + summary: DeleteResourceMappingGroup + operationId: policy.resourcemapping.ResourceMappingService.DeleteResourceMappingGroup + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingGroupRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingGroupResponse' + /policy.resourcemapping.ResourceMappingService/ListResourceMappings: + post: + tags: + - policy.resourcemapping.ResourceMappingService + summary: ListResourceMappings + operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappings + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsResponse' 
+ /policy.resourcemapping.ResourceMappingService/ListResourceMappingsByGroupFqns: + post: + tags: + - policy.resourcemapping.ResourceMappingService + summary: ListResourceMappingsByGroupFqns + operationId: policy.resourcemapping.ResourceMappingService.ListResourceMappingsByGroupFqns + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsByGroupFqnsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.ListResourceMappingsByGroupFqnsResponse' + /policy.resourcemapping.ResourceMappingService/GetResourceMapping: + post: + tags: + - policy.resourcemapping.ResourceMappingService + summary: GetResourceMapping + operationId: policy.resourcemapping.ResourceMappingService.GetResourceMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.GetResourceMappingResponse' + 
/policy.resourcemapping.ResourceMappingService/CreateResourceMapping: + post: + tags: + - policy.resourcemapping.ResourceMappingService + summary: CreateResourceMapping + operationId: policy.resourcemapping.ResourceMappingService.CreateResourceMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.CreateResourceMappingResponse' + /policy.resourcemapping.ResourceMappingService/UpdateResourceMapping: + post: + tags: + - policy.resourcemapping.ResourceMappingService + summary: UpdateResourceMapping + operationId: policy.resourcemapping.ResourceMappingService.UpdateResourceMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.UpdateResourceMappingResponse' + /policy.resourcemapping.ResourceMappingService/DeleteResourceMapping: + post: + tags: + - 
policy.resourcemapping.ResourceMappingService + summary: DeleteResourceMapping + operationId: policy.resourcemapping.ResourceMappingService.DeleteResourceMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.resourcemapping.DeleteResourceMappingResponse' +components: + schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + description: Supported key algorithms. 
+ policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. 
+ policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + common.MetadataMutable: + type: object + properties: + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional labels + title: MetadataMutable + additionalProperties: false + common.MetadataMutable.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for `bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. + google.protobuf.Timestamp: + type: string + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. 
The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. 
+ + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. 
+ policy.Action: + type: object + oneOf: + - properties: + custom: + type: string + title: custom + description: Deprecated + title: custom + required: + - custom + - properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Action + additionalProperties: false + description: An action an entity can take + policy.Attribute: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + description: namespace of the attribute + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + description: attribute name + rule: + title: rule + description: attribute rule enum + $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' + values: + type: array + items: + $ref: '#/components/schemas/policy.Value' + title: values + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys associated with the attribute + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Attribute + required: + - rule + additionalProperties: false + policy.Condition: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as + from 
idP/LDAP) + operator: + title: operator + description: the evaluation operator of relation + $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' + subjectExternalValues: + type: array + items: + type: string + minItems: 1 + title: subject_external_values + minItems: 1 + description: |- + list of comparison values for the result of applying the + subject_external_selector_value on a flattened Entity Representation + (Subject), evaluated by the operator + title: Condition + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + * + A Condition defines a rule of + policy.ConditionGroup: + type: object + properties: + conditions: + type: array + items: + $ref: '#/components/schemas/policy.Condition' + title: conditions + minItems: 1 + booleanOperator: + title: boolean_operator + description: the boolean evaluation type across the conditions + $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum' + title: ConditionGroup + required: + - booleanOperator + additionalProperties: false + description: A collection of Conditions evaluated by the boolean_operator provided + policy.KasPublicKey: + type: object + properties: + pem: + type: string + title: pem + maxLength: 8192 + minLength: 1 + description: x509 ASN.1 content in PEM envelope, usually + kid: + type: string + title: kid + maxLength: 32 + minLength: 1 + description: A unique string identifier for this key + alg: + not: + enum: + - 0 + title: alg + description: |- + A known algorithm type with any additional parameters encoded. + To start, these may be `rsa:2048` for encrypting ZTDF files and + `ec:secp256r1` for nanoTDF, but more formats may be added as needed. 
+ $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' + title: KasPublicKey + additionalProperties: false + description: |- + Deprecated + A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeySet: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.KasPublicKey' + title: keys + title: KasPublicKeySet + additionalProperties: false + description: |- + Deprecated + A list of known KAS public keys + policy.KeyAccessServer: + type: object + properties: + id: + type: string + title: id + uri: + type: string + title: uri + description: |+ + Address of a KAS instance + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + + publicKey: + title: public_key + description: Deprecated + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: 'The source of the KAS: (INTERNAL, EXTERNAL)' + $ref: '#/components/schemas/policy.SourceType' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Kas keys associated with this KAS + name: + type: string + title: name + description: |- + Optional + Unique name of the KAS instance + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyAccessServer + additionalProperties: false + description: Key Access Server Registry + policy.Namespace: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + name: + type: string + title: name + description: |- + used to partition Attribute Definitions, support by namespace AuthN and + enable 
federation + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: KAS grants for the namespace + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys for the namespace + title: Namespace + additionalProperties: false + policy.PageRequest: + type: object + properties: + limit: + type: integer + title: limit + format: int32 + description: |- + Optional + Set to configured default limit if not provided + Maximum limit set in platform config and enforced by services + offset: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + title: PageRequest + additionalProperties: false + policy.PageResponse: + type: object + properties: + currentOffset: + type: integer + title: current_offset + format: int32 + description: Requested pagination offset + nextOffset: + type: integer + title: next_offset + format: int32 + description: |- + Calculated with request limit + offset or defaults + Empty when none remain after current page + total: + type: integer + title: total + format: int32 + description: Total count of entire list + title: PageResponse + additionalProperties: false + policy.PublicKey: + type: object + oneOf: + - properties: + cached: + title: cached + description: public key with additional information. 
Current preferred version + $ref: '#/components/schemas/policy.KasPublicKeySet' + title: cached + required: + - cached + - properties: + remote: + type: string + title: remote + description: |+ + kas public key url - optional since can also be retrieved via public key + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + + title: remote + required: + - remote + title: PublicKey + additionalProperties: false + description: Deprecated + policy.ResourceMapping: + type: object + properties: + id: + type: string + title: id + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + terms: + type: array + items: + type: string + title: terms + group: + title: group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: ResourceMapping + required: + - attributeValue + additionalProperties: false + description: |- + Resource Mappings (aka Access Control Resource Encodings aka ACRE) are + structures supporting the mapping of Resources and Attribute Values + policy.ResourceMappingGroup: + type: object + properties: + id: + type: string + title: id + namespaceId: + type: string + title: namespace_id + description: the namespace containing the group of resource mappings + name: + type: string + title: name + description: |- + the common name for the group of resource mappings, which must be unique + per namespace + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: ResourceMappingGroup + required: + - namespaceId + - name + additionalProperties: false + description: |- + Resource Mapping Groups are 
namespaced collections of Resource Mappings + associated under a common group name. + policy.SimpleKasKey: + type: object + properties: + kasUri: + type: string + title: kas_uri + description: The URL of the Key Access Server + publicKey: + title: public_key + description: The public key of the Key that belongs to the KAS + $ref: '#/components/schemas/policy.SimpleKasPublicKey' + kasId: + type: string + title: kas_id + description: The ID of the Key Access Server + title: SimpleKasKey + additionalProperties: false + policy.SimpleKasPublicKey: + type: object + properties: + algorithm: + title: algorithm + $ref: '#/components/schemas/policy.Algorithm' + kid: + type: string + title: kid + pem: + type: string + title: pem + title: SimpleKasPublicKey + additionalProperties: false + policy.SubjectConditionSet: + type: object + properties: + id: + type: string + title: id + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectConditionSet + additionalProperties: false + description: |- + A container for multiple Subject Sets, each containing Condition Groups, each + containing Conditions. Multiple Subject Sets in a SubjectConditionSet are + evaluated with AND logic. As each Subject Mapping has only one Attribute + Value, the SubjectConditionSet is reusable across multiple Subject Mappings / + Attribute Values and is an independent unit. 
+ policy.SubjectMapping: + type: object + properties: + id: + type: string + title: id + attributeValue: + title: attribute_value + description: 'the Attribute Value mapped to; aka: "The Entity Entitlement Attribute"' + $ref: '#/components/schemas/policy.Value' + subjectConditionSet: + title: subject_condition_set + description: the reusable SubjectConditionSet mapped to the given Attribute Value + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: The actions permitted by subjects in this mapping + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectMapping + additionalProperties: false + description: |- + Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute + value + action(s) combination + policy.SubjectSet: + type: object + properties: + conditionGroups: + type: array + items: + $ref: '#/components/schemas/policy.ConditionGroup' + title: condition_groups + minItems: 1 + description: multiple Condition Groups are evaluated with AND logic + title: SubjectSet + additionalProperties: false + description: A collection of Condition Groups + policy.Value: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + value: + type: string + title: value + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: |- + Deprecated + list of key access servers + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + description: subject mapping + kasKeys: + type: array + items: 
+ $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + resourceMappings: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMapping' + title: resource_mappings + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Value + additionalProperties: false + policy.resourcemapping.CreateResourceMappingGroupRequest: + type: object + properties: + namespaceId: + type: string + title: namespace_id + format: uuid + description: Required + name: + type: string + title: name + description: Required + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateResourceMappingGroupRequest + required: + - name + additionalProperties: false + policy.resourcemapping.CreateResourceMappingGroupResponse: + type: object + properties: + resourceMappingGroup: + title: resource_mapping_group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: CreateResourceMappingGroupResponse + additionalProperties: false + policy.resourcemapping.CreateResourceMappingRequest: + type: object + properties: + attributeValueId: + type: string + title: attribute_value_id + format: uuid + description: Required + terms: + type: array + items: + type: string + maxItems: 1000 + minItems: 1 + title: terms + maxItems: 1000 + minItems: 1 + description: Required + groupId: + type: string + title: group_id + description: |+ + Optional + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + metadata: + title: metadata + description: Optional + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateResourceMappingRequest + additionalProperties: false + policy.resourcemapping.CreateResourceMappingResponse: + type: object + properties: + resourceMapping: + title: resource_mapping + $ref: 
'#/components/schemas/policy.ResourceMapping' + title: CreateResourceMappingResponse + additionalProperties: false + policy.resourcemapping.DeleteResourceMappingGroupRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeleteResourceMappingGroupRequest + additionalProperties: false + policy.resourcemapping.DeleteResourceMappingGroupResponse: + type: object + properties: + resourceMappingGroup: + title: resource_mapping_group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: DeleteResourceMappingGroupResponse + additionalProperties: false + policy.resourcemapping.DeleteResourceMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeleteResourceMappingRequest + additionalProperties: false + policy.resourcemapping.DeleteResourceMappingResponse: + type: object + properties: + resourceMapping: + title: resource_mapping + $ref: '#/components/schemas/policy.ResourceMapping' + title: DeleteResourceMappingResponse + additionalProperties: false + policy.resourcemapping.GetResourceMappingGroupRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: GetResourceMappingGroupRequest + additionalProperties: false + policy.resourcemapping.GetResourceMappingGroupResponse: + type: object + properties: + resourceMappingGroup: + title: resource_mapping_group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: GetResourceMappingGroupResponse + additionalProperties: false + policy.resourcemapping.GetResourceMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: GetResourceMappingRequest + additionalProperties: false + policy.resourcemapping.GetResourceMappingResponse: + type: object + properties: + resourceMapping: + title: resource_mapping + $ref: 
'#/components/schemas/policy.ResourceMapping' + title: GetResourceMappingResponse + additionalProperties: false + policy.resourcemapping.ListResourceMappingGroupsRequest: + type: object + properties: + namespaceId: + type: string + title: namespace_id + description: |+ + Optional + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListResourceMappingGroupsRequest + additionalProperties: false + policy.resourcemapping.ListResourceMappingGroupsResponse: + type: object + properties: + resourceMappingGroups: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: resource_mapping_groups + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListResourceMappingGroupsResponse + additionalProperties: false + policy.resourcemapping.ListResourceMappingsByGroupFqnsRequest: + type: object + properties: + fqns: + type: array + items: + type: string + minItems: 1 + title: fqns + minItems: 1 + description: |- + Required + Structure of the RM Group FQN is 'https:///resm/' + title: ListResourceMappingsByGroupFqnsRequest + additionalProperties: false + policy.resourcemapping.ListResourceMappingsByGroupFqnsResponse: + type: object + properties: + fqnResourceMappingGroups: + type: object + title: fqn_resource_mapping_groups + additionalProperties: + title: value + $ref: '#/components/schemas/policy.resourcemapping.ResourceMappingsByGroup' + title: ListResourceMappingsByGroupFqnsResponse + additionalProperties: false + policy.resourcemapping.ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + $ref: '#/components/schemas/policy.resourcemapping.ResourceMappingsByGroup' + title: 
FqnResourceMappingGroupsEntry + additionalProperties: false + policy.resourcemapping.ListResourceMappingsRequest: + type: object + properties: + groupId: + type: string + title: group_id + description: |+ + Optional + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListResourceMappingsRequest + additionalProperties: false + policy.resourcemapping.ListResourceMappingsResponse: + type: object + properties: + resourceMappings: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMapping' + title: resource_mappings + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListResourceMappingsResponse + additionalProperties: false + policy.resourcemapping.ResourceMappingsByGroup: + type: object + properties: + group: + title: group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + mappings: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMapping' + title: mappings + title: ResourceMappingsByGroup + additionalProperties: false + policy.resourcemapping.UpdateResourceMappingGroupRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + namespaceId: + type: string + title: namespace_id + description: |+ + Optional + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + name: + type: string + title: name + maxLength: 253 + description: |+ + Optional + Optional field must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. 
The stored group name will be normalized to lower case.: + ``` + size(this) == 0 || this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateResourceMappingGroupRequest + additionalProperties: false + policy.resourcemapping.UpdateResourceMappingGroupResponse: + type: object + properties: + resourceMappingGroup: + title: resource_mapping_group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: UpdateResourceMappingGroupResponse + additionalProperties: false + policy.resourcemapping.UpdateResourceMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + attributeValueId: + type: string + title: attribute_value_id + description: |+ + Optional + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + terms: + type: array + items: + type: string + maxItems: 1000 + title: terms + maxItems: 1000 + description: Optional + groupId: + type: string + title: group_id + description: |+ + Optional + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + metadata: + title: metadata + description: |- + Optional + Common Metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateResourceMappingRequest + additionalProperties: false + policy.resourcemapping.UpdateResourceMappingResponse: + type: object + properties: + resourceMapping: + title: resource_mapping + $ref: 
'#/components/schemas/policy.ResourceMapping' + title: UpdateResourceMappingResponse + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. +security: [] +tags: + - name: policy.resourcemapping.ResourceMappingService + description: Resource Mapping Groups diff --git a/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json b/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json new file mode 100644 index 0000000000..c976295142 --- /dev/null 
+++ b/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json 
@@ -0,0 +1,756 @@ +{ + "swagger": "2.0", + "info": { + "title": "policy/resourcemapping/resource_mapping.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "ResourceMappingService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "ActionStandardAction": { + "type": "string", + "enum": [ + "STANDARD_ACTION_UNSPECIFIED", + "STANDARD_ACTION_DECRYPT", + "STANDARD_ACTION_TRANSMIT" + ], + "default": "STANDARD_ACTION_UNSPECIFIED", + "title": "- STANDARD_ACTION_DECRYPT: Deprecated\nMigrate to 'read' action name\n - STANDARD_ACTION_TRANSMIT: Deprecated\nMigrate to 'create' action name" + }, + "commonMetadata": { + "type": "object", + "properties": { + "createdAt": { + "type": "string", + "format": "date-time", + "title": "created_at set by server (entity who created will recorded in an audit event)" + }, + "updatedAt": { + "type": "string", + "format": "date-time", + "title": "updated_at set by server (entity who updated will recorded in an audit event)" + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional short description" + } + }, + "title": "Struct to uniquely identify a resource with optional additional metadata" + }, + "commonMetadataMutable": { + "type": "object", + "properties": { + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional labels" + } + } + }, + "commonMetadataUpdateEnum": { + "type": "string", + "enum": [ + "METADATA_UPDATE_ENUM_UNSPECIFIED", + "METADATA_UPDATE_ENUM_EXTEND", + "METADATA_UPDATE_ENUM_REPLACE" + ], + "default": "METADATA_UPDATE_ENUM_UNSPECIFIED", + "title": "- METADATA_UPDATE_ENUM_UNSPECIFIED: unspecified update type\n - METADATA_UPDATE_ENUM_EXTEND: only update the fields that are provided\n - METADATA_UPDATE_ENUM_REPLACE: replace the entire metadata with the provided metadata" + }, + "policyAction": { + "type": "object", + 
"properties": { + "id": { + "type": "string", + "title": "Generated uuid in database" + }, + "standard": { + "$ref": "#/definitions/ActionStandardAction", + "title": "Deprecated" + }, + "custom": { + "type": "string", + "title": "Deprecated" + }, + "name": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "An action an entity can take" + }, + "policyAlgorithm": { + "type": "string", + "enum": [ + "ALGORITHM_UNSPECIFIED", + "ALGORITHM_RSA_2048", + "ALGORITHM_RSA_4096", + "ALGORITHM_EC_P256", + "ALGORITHM_EC_P384", + "ALGORITHM_EC_P521" + ], + "default": "ALGORITHM_UNSPECIFIED", + "description": "Supported key algorithms." + }, + "policyAttribute": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "namespace": { + "$ref": "#/definitions/policyNamespace", + "title": "namespace of the attribute" + }, + "name": { + "type": "string", + "title": "attribute name" + }, + "rule": { + "$ref": "#/definitions/policyAttributeRuleTypeEnum", + "title": "attribute rule enum" + }, + "values": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyValue" + } + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "Deprecated" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys associated with the attribute" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyAttributeRuleTypeEnum": { + "type": "string", + "enum": [ + "ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED", + "ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF", + "ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF", + "ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY" + ], + "default": 
"ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED" + }, + "policyCondition": { + "type": "object", + "properties": { + "subjectExternalSelectorValue": { + "type": "string", + "title": "a selector for a field value on a flattened Entity Representation (such as\nfrom idP/LDAP)" + }, + "operator": { + "$ref": "#/definitions/policySubjectMappingOperatorEnum", + "title": "the evaluation operator of relation" + }, + "subjectExternalValues": { + "type": "array", + "items": { + "type": "string" + }, + "title": "list of comparison values for the result of applying the\nsubject_external_selector_value on a flattened Entity Representation\n(Subject), evaluated by the operator" + } + }, + "title": "*\nA Condition defines a rule of \u003cthe value at the flattened 'selector value'\nlocation\u003e \u003coperator\u003e \u003csubject external values\u003e" + }, + "policyConditionBooleanTypeEnum": { + "type": "string", + "enum": [ + "CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED", + "CONDITION_BOOLEAN_TYPE_ENUM_AND", + "CONDITION_BOOLEAN_TYPE_ENUM_OR" + ], + "default": "CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED" + }, + "policyConditionGroup": { + "type": "object", + "properties": { + "conditions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyCondition" + } + }, + "booleanOperator": { + "$ref": "#/definitions/policyConditionBooleanTypeEnum", + "title": "the boolean evaluation type across the conditions" + } + }, + "title": "A collection of Conditions evaluated by the boolean_operator provided" + }, + "policyKasPublicKey": { + "type": "object", + "properties": { + "pem": { + "type": "string", + "title": "x509 ASN.1 content in PEM envelope, usually" + }, + "kid": { + "type": "string", + "title": "A unique string identifier for this key" + }, + "alg": { + "$ref": "#/definitions/policyKasPublicKeyAlgEnum", + "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and\n`ec:secp256r1` 
for nanoTDF, but more formats may be added as needed." + } + }, + "title": "Deprecated\nA KAS public key and some associated metadata for further identifcation" + }, + "policyKasPublicKeyAlgEnum": { + "type": "string", + "enum": [ + "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1" + ], + "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED" + }, + "policyKasPublicKeySet": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKasPublicKey" + } + } + }, + "title": "Deprecated\nA list of known KAS public keys" + }, + "policyKeyAccessServer": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "uri": { + "type": "string", + "title": "Address of a KAS instance" + }, + "publicKey": { + "$ref": "#/definitions/policyPublicKey", + "title": "Deprecated" + }, + "sourceType": { + "$ref": "#/definitions/policySourceType", + "title": "The source of the KAS: (INTERNAL, EXTERNAL)" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Kas keys associated with this KAS" + }, + "name": { + "type": "string", + "title": "Optional\nUnique name of the KAS instance" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "title": "Key Access Server Registry" + }, + "policyNamespace": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "name": { + "type": "string", + "title": "used to partition Attribute Definitions, support by namespace AuthN and\nenable federation" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + 
"metadata": { + "$ref": "#/definitions/commonMetadata" + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "KAS grants for the namespace" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys for the namespace" + } + } + }, + "policyPageRequest": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "Optional\nSet to configured default limit if not provided\nMaximum limit set in platform config and enforced by services" + }, + "offset": { + "type": "integer", + "format": "int32", + "title": "Optional\nDefaulted if not provided" + } + } + }, + "policyPageResponse": { + "type": "object", + "properties": { + "currentOffset": { + "type": "integer", + "format": "int32", + "title": "Requested pagination offset" + }, + "nextOffset": { + "type": "integer", + "format": "int32", + "title": "Calculated with request limit + offset or defaults\nEmpty when none remain after current page" + }, + "total": { + "type": "integer", + "format": "int32", + "title": "Total count of entire list" + } + } + }, + "policyPublicKey": { + "type": "object", + "properties": { + "remote": { + "type": "string", + "title": "kas public key url - optional since can also be retrieved via public key" + }, + "cached": { + "$ref": "#/definitions/policyKasPublicKeySet", + "title": "public key with additional information. 
Current preferred version" + } + }, + "title": "Deprecated" + }, + "policyResourceMapping": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue" + }, + "terms": { + "type": "array", + "items": { + "type": "string" + } + }, + "group": { + "$ref": "#/definitions/policyResourceMappingGroup" + } + }, + "title": "Resource Mappings (aka Access Control Resource Encodings aka ACRE) are\nstructures supporting the mapping of Resources and Attribute Values" + }, + "policyResourceMappingGroup": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "namespaceId": { + "type": "string", + "title": "the namespace containing the group of resource mappings" + }, + "name": { + "type": "string", + "title": "the common name for the group of resource mappings, which must be unique\nper namespace" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "description": "Resource Mapping Groups are namespaced collections of Resource Mappings\nassociated under a common group name." 
+ }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, + "policySourceType": { + "type": "string", + "enum": [ + "SOURCE_TYPE_UNSPECIFIED", + "SOURCE_TYPE_INTERNAL", + "SOURCE_TYPE_EXTERNAL" + ], + "default": "SOURCE_TYPE_UNSPECIFIED", + "description": "Describes whether this kas is managed by the organization or if they imported\nthe kas information from an external party. These two modes are necessary in order\nto encrypt a tdf dek with an external parties kas public key.\n\n - SOURCE_TYPE_INTERNAL: The kas is managed by the organization.\n - SOURCE_TYPE_EXTERNAL: The kas is managed by an external party." + }, + "policySubjectConditionSet": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "subjectSets": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectSet" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "description": "A container for multiple Subject Sets, each containing Condition Groups, each\ncontaining Conditions. Multiple Subject Sets in a SubjectConditionSet are\nevaluated with AND logic. As each Subject Mapping has only one Attribute\nValue, the SubjectConditionSet is reusable across multiple Subject Mappings /\nAttribute Values and is an independent unit." 
+ }, + "policySubjectMapping": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue", + "title": "the Attribute Value mapped to; aka: \"The Entity Entitlement Attribute\"" + }, + "subjectConditionSet": { + "$ref": "#/definitions/policySubjectConditionSet", + "title": "the reusable SubjectConditionSet mapped to the given Attribute Value" + }, + "actions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyAction" + }, + "title": "The actions permitted by subjects in this mapping" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute\nvalue + action(s) combination" + }, + "policySubjectMappingOperatorEnum": { + "type": "string", + "enum": [ + "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED", + "SUBJECT_MAPPING_OPERATOR_ENUM_IN", + "SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN", + "SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS" + ], + "default": "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED", + "title": "- SUBJECT_MAPPING_OPERATOR_ENUM_IN: operator that returns true if a value in a list matches the string\n - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN: operator that returns true if a value is not in a list that is matched by\nstring\n - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS: operator that returns true if a value in a list contains the substring" + }, + "policySubjectSet": { + "type": "object", + "properties": { + "conditionGroups": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyConditionGroup" + }, + "title": "multiple Condition Groups are evaluated with AND logic" + } + }, + "title": "A collection of Condition Groups" + }, + "policyValue": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "attribute": { + "$ref": "#/definitions/policyAttribute" + }, + "value": { + 
"type": "string" + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "Deprecated\nlist of key access servers" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "subjectMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectMapping" + }, + "title": "subject mapping" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + } + }, + "resourceMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyResourceMapping" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. 
(Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." + } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with 
an\nadditional field `@type` which contains the type URL. Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "resourcemappingCreateResourceMappingGroupResponse": { + "type": "object", + "properties": { + "resourceMappingGroup": { + "$ref": "#/definitions/policyResourceMappingGroup" + } + } + }, + "resourcemappingCreateResourceMappingResponse": { + "type": "object", + "properties": { + "resourceMapping": { + "$ref": "#/definitions/policyResourceMapping" + } + } + }, + "resourcemappingDeleteResourceMappingGroupResponse": { + "type": "object", + "properties": { + "resourceMappingGroup": { + "$ref": "#/definitions/policyResourceMappingGroup" + } + } + }, + "resourcemappingDeleteResourceMappingResponse": { + "type": "object", + "properties": { + "resourceMapping": { + "$ref": "#/definitions/policyResourceMapping" + } + } + }, + "resourcemappingGetResourceMappingGroupResponse": { + "type": "object", + "properties": { + "resourceMappingGroup": { + "$ref": "#/definitions/policyResourceMappingGroup" + } + } + }, + "resourcemappingGetResourceMappingResponse": { + "type": "object", + "properties": { + "resourceMapping": { + "$ref": "#/definitions/policyResourceMapping" + } + } + }, + "resourcemappingListResourceMappingGroupsResponse": { + "type": "object", + "properties": { + "resourceMappingGroups": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyResourceMappingGroup" + } + }, + 
"pagination": { + "$ref": "#/definitions/policyPageResponse" + } + } + }, + "resourcemappingListResourceMappingsByGroupFqnsResponse": { + "type": "object", + "properties": { + "fqnResourceMappingGroups": { + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/resourcemappingResourceMappingsByGroup" + } + } + } + }, + "resourcemappingListResourceMappingsResponse": { + "type": "object", + "properties": { + "resourceMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyResourceMapping" + } + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse" + } + } + }, + "resourcemappingResourceMappingsByGroup": { + "type": "object", + "properties": { + "group": { + "$ref": "#/definitions/policyResourceMappingGroup" + }, + "mappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyResourceMapping" + } + } + } + }, + "resourcemappingUpdateResourceMappingGroupResponse": { + "type": "object", + "properties": { + "resourceMappingGroup": { + "$ref": "#/definitions/policyResourceMappingGroup" + } + } + }, + "resourcemappingUpdateResourceMappingResponse": { + "type": "object", + "properties": { + "resourceMapping": { + "$ref": "#/definitions/policyResourceMapping" + } + } + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/policy/selectors.openapi.yaml b/docs/openapi/policy/selectors.openapi.yaml new file mode 100644 index 0000000000..a35d717fd8 --- /dev/null +++ b/docs/openapi/policy/selectors.openapi.yaml 
@@ -0,0 +1,146 @@ +openapi: 3.1.0 +info: + title: policy +paths: {} +components: + schemas: + policy.AttributeDefinitionSelector: + type: object + properties: + withKeyAccessGrants: + type: boolean + title: with_key_access_grants + withNamespace: + title: with_namespace + $ref: '#/components/schemas/policy.AttributeDefinitionSelector.NamespaceSelector' + withValues: + title: with_values + $ref: '#/components/schemas/policy.AttributeDefinitionSelector.ValueSelector' + title: AttributeDefinitionSelector + additionalProperties: false + policy.AttributeDefinitionSelector.NamespaceSelector: + type: object + title: NamespaceSelector + additionalProperties: false + policy.AttributeDefinitionSelector.ValueSelector: + type: object + properties: + withKeyAccessGrants: + type: boolean + title: with_key_access_grants + withSubjectMaps: + type: boolean + title: with_subject_maps + withResourceMaps: + type: boolean + title: with_resource_maps + title: ValueSelector + additionalProperties: false + policy.AttributeNamespaceSelector: + type: object + properties: + withAttributes: + title: with_attributes + $ref: '#/components/schemas/policy.AttributeNamespaceSelector.AttributeSelector' + title: AttributeNamespaceSelector + additionalProperties: false + policy.AttributeNamespaceSelector.AttributeSelector: + type: object + properties: + withKeyAccessGrants: + type: boolean + title: with_key_access_grants + withValues: + title: with_values + $ref: '#/components/schemas/policy.AttributeNamespaceSelector.AttributeSelector.ValueSelector' + title: AttributeSelector + additionalProperties: false + policy.AttributeNamespaceSelector.AttributeSelector.ValueSelector: + type: object + properties: + withKeyAccessGrants: + type: boolean + title: with_key_access_grants + withSubjectMaps: + type: boolean + title: with_subject_maps + withResourceMaps: + type: boolean + title: with_resource_maps + title: ValueSelector + additionalProperties: false + policy.AttributeValueSelector: + type: object + 
properties: + withKeyAccessGrants: + type: boolean + title: with_key_access_grants + withSubjectMaps: + type: boolean + title: with_subject_maps + withResourceMaps: + type: boolean + title: with_resource_maps + withAttribute: + title: with_attribute + $ref: '#/components/schemas/policy.AttributeValueSelector.AttributeSelector' + title: AttributeValueSelector + additionalProperties: false + policy.AttributeValueSelector.AttributeSelector: + type: object + properties: + withKeyAccessGrants: + type: boolean + title: with_key_access_grants + withNamespace: + title: with_namespace + $ref: '#/components/schemas/policy.AttributeValueSelector.AttributeSelector.NamespaceSelector' + title: AttributeSelector + additionalProperties: false + policy.AttributeValueSelector.AttributeSelector.NamespaceSelector: + type: object + title: NamespaceSelector + additionalProperties: false + policy.PageRequest: + type: object + properties: + limit: + type: integer + title: limit + format: int32 + description: |- + Optional + Set to configured default limit if not provided + Maximum limit set in platform config and enforced by services + offset: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + title: PageRequest + additionalProperties: false + policy.PageResponse: + type: object + properties: + currentOffset: + type: integer + title: current_offset + format: int32 + description: Requested pagination offset + nextOffset: + type: integer + title: next_offset + format: int32 + description: |- + Calculated with request limit + offset or defaults + Empty when none remain after current page + total: + type: integer + title: total + format: int32 + description: Total count of entire list + title: PageResponse + additionalProperties: false +security: [] diff --git a/docs/openapi/policy/selectors.swagger.json b/docs/openapi/policy/selectors.swagger.json new file mode 100644 index 0000000000..5e1366e0a6 --- /dev/null 
+++ b/docs/openapi/policy/selectors.swagger.json 
@@ -0,0 +1,46 @@ +{ + "swagger": "2.0", + "info": { + "title": "policy/selectors.proto", + "version": "version not set" + }, + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." 
+ } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. 
Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + } + } +} diff --git a/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml b/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml new file mode 100644 index 0000000000..ca1b88fbf5 --- /dev/null +++ b/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml 
@@ -0,0 +1,1599 @@ +openapi: 3.1.0 +info: + title: policy.subjectmapping +paths: + /policy.subjectmapping.SubjectMappingService/MatchSubjectMappings: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: MatchSubjectMappings + description: Find matching Subject Mappings for a given Subject + operationId: policy.subjectmapping.SubjectMappingService.MatchSubjectMappings + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.MatchSubjectMappingsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.MatchSubjectMappingsResponse' + /policy.subjectmapping.SubjectMappingService/ListSubjectMappings: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: ListSubjectMappings + operationId: policy.subjectmapping.SubjectMappingService.ListSubjectMappings + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.ListSubjectMappingsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: 
'#/components/schemas/policy.subjectmapping.ListSubjectMappingsResponse' + /policy.subjectmapping.SubjectMappingService/GetSubjectMapping: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: GetSubjectMapping + operationId: policy.subjectmapping.SubjectMappingService.GetSubjectMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.GetSubjectMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.GetSubjectMappingResponse' + /policy.subjectmapping.SubjectMappingService/CreateSubjectMapping: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: CreateSubjectMapping + operationId: policy.subjectmapping.SubjectMappingService.CreateSubjectMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectMappingResponse' + /policy.subjectmapping.SubjectMappingService/UpdateSubjectMapping: 
+ post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: UpdateSubjectMapping + operationId: policy.subjectmapping.SubjectMappingService.UpdateSubjectMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectMappingResponse' + /policy.subjectmapping.SubjectMappingService/DeleteSubjectMapping: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: DeleteSubjectMapping + operationId: policy.subjectmapping.SubjectMappingService.DeleteSubjectMapping + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectMappingRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectMappingResponse' + /policy.subjectmapping.SubjectMappingService/ListSubjectConditionSets: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: ListSubjectConditionSets + operationId: 
policy.subjectmapping.SubjectMappingService.ListSubjectConditionSets + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.ListSubjectConditionSetsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.ListSubjectConditionSetsResponse' + /policy.subjectmapping.SubjectMappingService/GetSubjectConditionSet: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: GetSubjectConditionSet + operationId: policy.subjectmapping.SubjectMappingService.GetSubjectConditionSet + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.GetSubjectConditionSetRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.GetSubjectConditionSetResponse' + /policy.subjectmapping.SubjectMappingService/CreateSubjectConditionSet: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: CreateSubjectConditionSet + operationId: policy.subjectmapping.SubjectMappingService.CreateSubjectConditionSet + parameters: + - name: 
Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectConditionSetRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.CreateSubjectConditionSetResponse' + /policy.subjectmapping.SubjectMappingService/UpdateSubjectConditionSet: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: UpdateSubjectConditionSet + operationId: policy.subjectmapping.SubjectMappingService.UpdateSubjectConditionSet + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectConditionSetRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.UpdateSubjectConditionSetResponse' + /policy.subjectmapping.SubjectMappingService/DeleteSubjectConditionSet: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: DeleteSubjectConditionSet + operationId: policy.subjectmapping.SubjectMappingService.DeleteSubjectConditionSet + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: 
'#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectConditionSetRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.DeleteSubjectConditionSetResponse' + /policy.subjectmapping.SubjectMappingService/DeleteAllUnmappedSubjectConditionSets: + post: + tags: + - policy.subjectmapping.SubjectMappingService + summary: DeleteAllUnmappedSubjectConditionSets + operationId: policy.subjectmapping.SubjectMappingService.DeleteAllUnmappedSubjectConditionSets + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse' +components: + schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT 
+ policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. 
+ policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + common.MetadataMutable: + type: object + properties: + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional labels + title: MetadataMutable + additionalProperties: false + common.MetadataMutable.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for `bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. + google.protobuf.Timestamp: + type: string + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. 
The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. 
+ + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. 
+ policy.Action: + type: object + oneOf: + - properties: + custom: + type: string + title: custom + description: Deprecated + title: custom + required: + - custom + - properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Action + additionalProperties: false + description: An action an entity can take + policy.Attribute: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + description: namespace of the attribute + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + description: attribute name + rule: + title: rule + description: attribute rule enum + $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' + values: + type: array + items: + $ref: '#/components/schemas/policy.Value' + title: values + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys associated with the attribute + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Attribute + required: + - rule + additionalProperties: false + policy.Condition: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as + from 
idP/LDAP) + operator: + title: operator + description: the evaluation operator of relation + $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' + subjectExternalValues: + type: array + items: + type: string + minItems: 1 + title: subject_external_values + minItems: 1 + description: |- + list of comparison values for the result of applying the + subject_external_selector_value on a flattened Entity Representation + (Subject), evaluated by the operator + title: Condition + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + * + A Condition defines a rule of + policy.ConditionGroup: + type: object + properties: + conditions: + type: array + items: + $ref: '#/components/schemas/policy.Condition' + title: conditions + minItems: 1 + booleanOperator: + title: boolean_operator + description: the boolean evaluation type across the conditions + $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum' + title: ConditionGroup + required: + - booleanOperator + additionalProperties: false + description: A collection of Conditions evaluated by the boolean_operator provided + policy.KasPublicKey: + type: object + properties: + pem: + type: string + title: pem + maxLength: 8192 + minLength: 1 + description: x509 ASN.1 content in PEM envelope, usually + kid: + type: string + title: kid + maxLength: 32 + minLength: 1 + description: A unique string identifier for this key + alg: + not: + enum: + - 0 + title: alg + description: |- + A known algorithm type with any additional parameters encoded. + To start, these may be `rsa:2048` for encrypting ZTDF files and + `ec:secp256r1` for nanoTDF, but more formats may be added as needed. 
+ $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' + title: KasPublicKey + additionalProperties: false + description: |- + Deprecated + A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeySet: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.KasPublicKey' + title: keys + title: KasPublicKeySet + additionalProperties: false + description: |- + Deprecated + A list of known KAS public keys + policy.KeyAccessServer: + type: object + properties: + id: + type: string + title: id + uri: + type: string + title: uri + description: |+ + Address of a KAS instance + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + + publicKey: + title: public_key + description: Deprecated + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: 'The source of the KAS: (INTERNAL, EXTERNAL)' + $ref: '#/components/schemas/policy.SourceType' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Kas keys associated with this KAS + name: + type: string + title: name + description: |- + Optional + Unique name of the KAS instance + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyAccessServer + additionalProperties: false + description: Key Access Server Registry + policy.Namespace: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + name: + type: string + title: name + description: |- + used to partition Attribute Definitions, support by namespace AuthN and + enable 
federation + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: KAS grants for the namespace + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys for the namespace + title: Namespace + additionalProperties: false + policy.PageRequest: + type: object + properties: + limit: + type: integer + title: limit + format: int32 + description: |- + Optional + Set to configured default limit if not provided + Maximum limit set in platform config and enforced by services + offset: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + title: PageRequest + additionalProperties: false + policy.PageResponse: + type: object + properties: + currentOffset: + type: integer + title: current_offset + format: int32 + description: Requested pagination offset + nextOffset: + type: integer + title: next_offset + format: int32 + description: |- + Calculated with request limit + offset or defaults + Empty when none remain after current page + total: + type: integer + title: total + format: int32 + description: Total count of entire list + title: PageResponse + additionalProperties: false + policy.PublicKey: + type: object + oneOf: + - properties: + cached: + title: cached + description: public key with additional information. 
Current preferred version + $ref: '#/components/schemas/policy.KasPublicKeySet' + title: cached + required: + - cached + - properties: + remote: + type: string + title: remote + description: |+ + kas public key url - optional since can also be retrieved via public key + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + + title: remote + required: + - remote + title: PublicKey + additionalProperties: false + description: Deprecated + policy.ResourceMapping: + type: object + properties: + id: + type: string + title: id + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + terms: + type: array + items: + type: string + title: terms + group: + title: group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: ResourceMapping + required: + - attributeValue + additionalProperties: false + description: |- + Resource Mappings (aka Access Control Resource Encodings aka ACRE) are + structures supporting the mapping of Resources and Attribute Values + policy.ResourceMappingGroup: + type: object + properties: + id: + type: string + title: id + namespaceId: + type: string + title: namespace_id + description: the namespace containing the group of resource mappings + name: + type: string + title: name + description: |- + the common name for the group of resource mappings, which must be unique + per namespace + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: ResourceMappingGroup + required: + - namespaceId + - name + additionalProperties: false + description: |- + Resource Mapping Groups are 
namespaced collections of Resource Mappings + associated under a common group name. + policy.SimpleKasKey: + type: object + properties: + kasUri: + type: string + title: kas_uri + description: The URL of the Key Access Server + publicKey: + title: public_key + description: The public key of the Key that belongs to the KAS + $ref: '#/components/schemas/policy.SimpleKasPublicKey' + kasId: + type: string + title: kas_id + description: The ID of the Key Access Server + title: SimpleKasKey + additionalProperties: false + policy.SimpleKasPublicKey: + type: object + properties: + algorithm: + title: algorithm + $ref: '#/components/schemas/policy.Algorithm' + kid: + type: string + title: kid + pem: + type: string + title: pem + title: SimpleKasPublicKey + additionalProperties: false + policy.SubjectConditionSet: + type: object + properties: + id: + type: string + title: id + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectConditionSet + additionalProperties: false + description: |- + A container for multiple Subject Sets, each containing Condition Groups, each + containing Conditions. Multiple Subject Sets in a SubjectConditionSet are + evaluated with AND logic. As each Subject Mapping has only one Attribute + Value, the SubjectConditionSet is reusable across multiple Subject Mappings / + Attribute Values and is an independent unit. 
+ policy.SubjectMapping: + type: object + properties: + id: + type: string + title: id + attributeValue: + title: attribute_value + description: 'the Attribute Value mapped to; aka: "The Entity Entitlement Attribute"' + $ref: '#/components/schemas/policy.Value' + subjectConditionSet: + title: subject_condition_set + description: the reusable SubjectConditionSet mapped to the given Attribute Value + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: The actions permitted by subjects in this mapping + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectMapping + additionalProperties: false + description: |- + Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute + value + action(s) combination + policy.SubjectProperty: + type: object + properties: + externalSelectorValue: + type: string + title: external_selector_value + minLength: 1 + externalValue: + type: string + title: external_value + title: SubjectProperty + required: + - externalSelectorValue + additionalProperties: false + description: |- + A property of a Subject/Entity as its selector expression -> value result + pair. This would mirror external user attributes retrieved from an + authoritative source such as an IDP (Identity Provider) or User Store. + Examples include such ADFS/LDAP, OKTA, etc. For now, a valid property must + contain both a selector expression & a resulting value. + + The external_selector_value is a specifier to select a value from a flattened + external representation of an Entity (such as from idP/LDAP), and the + external_value is the value selected by the external_selector_value on that + Entity Representation (Subject Context). These mirror the Condition. 
+ policy.SubjectSet: + type: object + properties: + conditionGroups: + type: array + items: + $ref: '#/components/schemas/policy.ConditionGroup' + title: condition_groups + minItems: 1 + description: multiple Condition Groups are evaluated with AND logic + title: SubjectSet + additionalProperties: false + description: A collection of Condition Groups + policy.Value: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + value: + type: string + title: value + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: |- + Deprecated + list of key access servers + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + description: subject mapping + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + resourceMappings: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMapping' + title: resource_mappings + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Value + additionalProperties: false + policy.subjectmapping.CreateSubjectConditionSetRequest: + type: object + properties: + subjectConditionSet: + title: subject_condition_set + $ref: '#/components/schemas/policy.subjectmapping.SubjectConditionSetCreate' + title: CreateSubjectConditionSetRequest + required: + - subjectConditionSet + additionalProperties: false + policy.subjectmapping.CreateSubjectConditionSetResponse: + type: object + properties: + subjectConditionSet: + title: subject_condition_set + $ref: '#/components/schemas/policy.SubjectConditionSet' + 
title: CreateSubjectConditionSetResponse + additionalProperties: false + policy.subjectmapping.CreateSubjectMappingRequest: + type: object + properties: + attributeValueId: + type: string + title: attribute_value_id + format: uuid + description: |- + Required + Attribute Value to be mapped to + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + minItems: 1 + description: |+ + Required + The actions permitted by subjects in this mapping + Action name or ID must not be empty if provided: + ``` + this.all(item, item.name != '' || item.id != '') + ``` + + existingSubjectConditionSetId: + type: string + title: existing_subject_condition_set_id + description: |+ + Either of the following: + Reuse existing SubjectConditionSet (NOTE: prioritized over new_subject_condition_set) + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + newSubjectConditionSet: + title: new_subject_condition_set + description: 'Create new SubjectConditionSet (NOTE: ignored if existing_subject_condition_set_id is provided)' + $ref: '#/components/schemas/policy.subjectmapping.SubjectConditionSetCreate' + metadata: + title: metadata + description: Optional + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateSubjectMappingRequest + additionalProperties: false + policy.subjectmapping.CreateSubjectMappingResponse: + type: object + properties: + subjectMapping: + title: subject_mapping + $ref: '#/components/schemas/policy.SubjectMapping' + title: CreateSubjectMappingResponse + additionalProperties: false + policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsRequest: + type: object + title: DeleteAllUnmappedSubjectConditionSetsRequest + additionalProperties: false + description: Prune any Subject Condition Sets not utilized within a Subject Mapping + policy.subjectmapping.DeleteAllUnmappedSubjectConditionSetsResponse: + type: 
object + properties: + subjectConditionSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectConditionSet' + title: subject_condition_sets + description: Only IDs of any deleted Subject Condition Set provided + title: DeleteAllUnmappedSubjectConditionSetsResponse + additionalProperties: false + policy.subjectmapping.DeleteSubjectConditionSetRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeleteSubjectConditionSetRequest + additionalProperties: false + policy.subjectmapping.DeleteSubjectConditionSetResponse: + type: object + properties: + subjectConditionSet: + title: subject_condition_set + description: Only ID of deleted Subject Condition Set provided + $ref: '#/components/schemas/policy.SubjectConditionSet' + title: DeleteSubjectConditionSetResponse + additionalProperties: false + policy.subjectmapping.DeleteSubjectMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: DeleteSubjectMappingRequest + additionalProperties: false + policy.subjectmapping.DeleteSubjectMappingResponse: + type: object + properties: + subjectMapping: + title: subject_mapping + description: Only ID of the updated Subject Mapping provided + $ref: '#/components/schemas/policy.SubjectMapping' + title: DeleteSubjectMappingResponse + additionalProperties: false + policy.subjectmapping.GetSubjectConditionSetRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: GetSubjectConditionSetRequest + additionalProperties: false + policy.subjectmapping.GetSubjectConditionSetResponse: + type: object + properties: + subjectConditionSet: + title: subject_condition_set + $ref: '#/components/schemas/policy.SubjectConditionSet' + associatedSubjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: associated_subject_mappings + description: 
contextualized Subject Mappings associated with this SubjectConditionSet + title: GetSubjectConditionSetResponse + additionalProperties: false + policy.subjectmapping.GetSubjectMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: GetSubjectMappingRequest + additionalProperties: false + policy.subjectmapping.GetSubjectMappingResponse: + type: object + properties: + subjectMapping: + title: subject_mapping + $ref: '#/components/schemas/policy.SubjectMapping' + title: GetSubjectMappingResponse + additionalProperties: false + policy.subjectmapping.ListSubjectConditionSetsRequest: + type: object + properties: + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListSubjectConditionSetsRequest + additionalProperties: false + policy.subjectmapping.ListSubjectConditionSetsResponse: + type: object + properties: + subjectConditionSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectConditionSet' + title: subject_condition_sets + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListSubjectConditionSetsResponse + additionalProperties: false + policy.subjectmapping.ListSubjectMappingsRequest: + type: object + properties: + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListSubjectMappingsRequest + additionalProperties: false + policy.subjectmapping.ListSubjectMappingsResponse: + type: object + properties: + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListSubjectMappingsResponse + additionalProperties: false + policy.subjectmapping.MatchSubjectMappingsRequest: + type: object + properties: + subjectProperties: + type: array + items: + $ref: 
'#/components/schemas/policy.SubjectProperty' + title: subject_properties + minItems: 1 + title: MatchSubjectMappingsRequest + additionalProperties: false + description: |- + MatchSubjectMappingsRequest liberally returns a list of SubjectMappings based on the provided SubjectProperties. + The SubjectMappings are returned if an external selector field matches. + policy.subjectmapping.MatchSubjectMappingsResponse: + type: object + properties: + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + title: MatchSubjectMappingsResponse + additionalProperties: false + policy.subjectmapping.SubjectConditionSetCreate: + type: object + properties: + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + description: Required + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: SubjectConditionSetCreate + additionalProperties: false + policy.subjectmapping.UpdateSubjectConditionSetRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + description: |- + Optional + If provided, replaces entire existing structure of Subject Sets, Condition Groups, & Conditions + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateSubjectConditionSetRequest + additionalProperties: false + policy.subjectmapping.UpdateSubjectConditionSetResponse: + type: object + properties: + subjectConditionSet: + title: subject_condition_set + description: Only ID of updated Subject Condition Set provided + $ref: 
'#/components/schemas/policy.SubjectConditionSet' + title: UpdateSubjectConditionSetResponse + additionalProperties: false + policy.subjectmapping.UpdateSubjectMappingRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + subjectConditionSetId: + type: string + title: subject_condition_set_id + description: |+ + Optional + Replaces the existing SubjectConditionSet id with a new one + Optional field must be a valid UUID: + ``` + size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}') + ``` + + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: |+ + Optional + Replaces entire list of actions permitted by subjects + Action name or ID must not be empty if provided: + ``` + this.size() == 0 || this.all(item, item.name != '' || item.id != '') + ``` + + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateSubjectMappingRequest + additionalProperties: false + policy.subjectmapping.UpdateSubjectMappingResponse: + type: object + properties: + subjectMapping: + title: subject_mapping + description: Only ID of the updated Subject Mapping provided + $ref: '#/components/schemas/policy.SubjectMapping' + title: UpdateSubjectMappingResponse + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - 
already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. +security: [] +tags: + - name: policy.subjectmapping.SubjectMappingService diff --git a/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json b/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json new file mode 100644 index 0000000000..d2e8d9fda8 --- /dev/null +++ b/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json 
@@ -0,0 +1,796 @@ +{ + "swagger": "2.0", + "info": { + "title": "policy/subjectmapping/subject_mapping.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "SubjectMappingService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "ActionStandardAction": { + "type": "string", + "enum": [ + "STANDARD_ACTION_UNSPECIFIED", + "STANDARD_ACTION_DECRYPT", + "STANDARD_ACTION_TRANSMIT" + ], + "default": "STANDARD_ACTION_UNSPECIFIED", + "title": "- STANDARD_ACTION_DECRYPT: Deprecated\nMigrate to 'read' action name\n - STANDARD_ACTION_TRANSMIT: Deprecated\nMigrate to 'create' action name" + }, + "commonMetadata": { + "type": "object", + "properties": { + "createdAt": { + "type": "string", + "format": "date-time", + "title": "created_at set by server (entity who created will recorded in an audit event)" + }, + "updatedAt": { + "type": "string", + "format": "date-time", + "title": "updated_at set by server (entity who updated will recorded in an audit event)" + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional short description" + } + }, + "title": "Struct to uniquely identify a resource with optional additional metadata" + }, + "commonMetadataMutable": { + "type": "object", + "properties": { + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional labels" + } + } + }, + "commonMetadataUpdateEnum": { + "type": "string", + "enum": [ + "METADATA_UPDATE_ENUM_UNSPECIFIED", + "METADATA_UPDATE_ENUM_EXTEND", + "METADATA_UPDATE_ENUM_REPLACE" + ], + "default": "METADATA_UPDATE_ENUM_UNSPECIFIED", + "title": "- METADATA_UPDATE_ENUM_UNSPECIFIED: unspecified update type\n - METADATA_UPDATE_ENUM_EXTEND: only update the fields that are provided\n - METADATA_UPDATE_ENUM_REPLACE: replace the entire metadata with the provided metadata" + }, + "policyAction": { + "type": "object", + 
"properties": { + "id": { + "type": "string", + "title": "Generated uuid in database" + }, + "standard": { + "$ref": "#/definitions/ActionStandardAction", + "title": "Deprecated" + }, + "custom": { + "type": "string", + "title": "Deprecated" + }, + "name": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "An action an entity can take" + }, + "policyAlgorithm": { + "type": "string", + "enum": [ + "ALGORITHM_UNSPECIFIED", + "ALGORITHM_RSA_2048", + "ALGORITHM_RSA_4096", + "ALGORITHM_EC_P256", + "ALGORITHM_EC_P384", + "ALGORITHM_EC_P521" + ], + "default": "ALGORITHM_UNSPECIFIED", + "description": "Supported key algorithms." + }, + "policyAttribute": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "namespace": { + "$ref": "#/definitions/policyNamespace", + "title": "namespace of the attribute" + }, + "name": { + "type": "string", + "title": "attribute name" + }, + "rule": { + "$ref": "#/definitions/policyAttributeRuleTypeEnum", + "title": "attribute rule enum" + }, + "values": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyValue" + } + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "Deprecated" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys associated with the attribute" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyAttributeRuleTypeEnum": { + "type": "string", + "enum": [ + "ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED", + "ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF", + "ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF", + "ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY" + ], + "default": 
"ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED" + }, + "policyCondition": { + "type": "object", + "properties": { + "subjectExternalSelectorValue": { + "type": "string", + "title": "a selector for a field value on a flattened Entity Representation (such as\nfrom idP/LDAP)" + }, + "operator": { + "$ref": "#/definitions/policySubjectMappingOperatorEnum", + "title": "the evaluation operator of relation" + }, + "subjectExternalValues": { + "type": "array", + "items": { + "type": "string" + }, + "title": "list of comparison values for the result of applying the\nsubject_external_selector_value on a flattened Entity Representation\n(Subject), evaluated by the operator" + } + }, + "title": "*\nA Condition defines a rule of \u003cthe value at the flattened 'selector value'\nlocation\u003e \u003coperator\u003e \u003csubject external values\u003e" + }, + "policyConditionBooleanTypeEnum": { + "type": "string", + "enum": [ + "CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED", + "CONDITION_BOOLEAN_TYPE_ENUM_AND", + "CONDITION_BOOLEAN_TYPE_ENUM_OR" + ], + "default": "CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED" + }, + "policyConditionGroup": { + "type": "object", + "properties": { + "conditions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyCondition" + } + }, + "booleanOperator": { + "$ref": "#/definitions/policyConditionBooleanTypeEnum", + "title": "the boolean evaluation type across the conditions" + } + }, + "title": "A collection of Conditions evaluated by the boolean_operator provided" + }, + "policyKasPublicKey": { + "type": "object", + "properties": { + "pem": { + "type": "string", + "title": "x509 ASN.1 content in PEM envelope, usually" + }, + "kid": { + "type": "string", + "title": "A unique string identifier for this key" + }, + "alg": { + "$ref": "#/definitions/policyKasPublicKeyAlgEnum", + "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and\n`ec:secp256r1` 
for nanoTDF, but more formats may be added as needed." + } + }, + "title": "Deprecated\nA KAS public key and some associated metadata for further identifcation" + }, + "policyKasPublicKeyAlgEnum": { + "type": "string", + "enum": [ + "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1" + ], + "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED" + }, + "policyKasPublicKeySet": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKasPublicKey" + } + } + }, + "title": "Deprecated\nA list of known KAS public keys" + }, + "policyKeyAccessServer": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "uri": { + "type": "string", + "title": "Address of a KAS instance" + }, + "publicKey": { + "$ref": "#/definitions/policyPublicKey", + "title": "Deprecated" + }, + "sourceType": { + "$ref": "#/definitions/policySourceType", + "title": "The source of the KAS: (INTERNAL, EXTERNAL)" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Kas keys associated with this KAS" + }, + "name": { + "type": "string", + "title": "Optional\nUnique name of the KAS instance" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "title": "Key Access Server Registry" + }, + "policyNamespace": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "name": { + "type": "string", + "title": "used to partition Attribute Definitions, support by namespace AuthN and\nenable federation" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + 
"metadata": { + "$ref": "#/definitions/commonMetadata" + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "KAS grants for the namespace" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys for the namespace" + } + } + }, + "policyPageRequest": { + "type": "object", + "properties": { + "limit": { + "type": "integer", + "format": "int32", + "title": "Optional\nSet to configured default limit if not provided\nMaximum limit set in platform config and enforced by services" + }, + "offset": { + "type": "integer", + "format": "int32", + "title": "Optional\nDefaulted if not provided" + } + } + }, + "policyPageResponse": { + "type": "object", + "properties": { + "currentOffset": { + "type": "integer", + "format": "int32", + "title": "Requested pagination offset" + }, + "nextOffset": { + "type": "integer", + "format": "int32", + "title": "Calculated with request limit + offset or defaults\nEmpty when none remain after current page" + }, + "total": { + "type": "integer", + "format": "int32", + "title": "Total count of entire list" + } + } + }, + "policyPublicKey": { + "type": "object", + "properties": { + "remote": { + "type": "string", + "title": "kas public key url - optional since can also be retrieved via public key" + }, + "cached": { + "$ref": "#/definitions/policyKasPublicKeySet", + "title": "public key with additional information. 
Current preferred version" + } + }, + "title": "Deprecated" + }, + "policyResourceMapping": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue" + }, + "terms": { + "type": "array", + "items": { + "type": "string" + } + }, + "group": { + "$ref": "#/definitions/policyResourceMappingGroup" + } + }, + "title": "Resource Mappings (aka Access Control Resource Encodings aka ACRE) are\nstructures supporting the mapping of Resources and Attribute Values" + }, + "policyResourceMappingGroup": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "namespaceId": { + "type": "string", + "title": "the namespace containing the group of resource mappings" + }, + "name": { + "type": "string", + "title": "the common name for the group of resource mappings, which must be unique\nper namespace" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "description": "Resource Mapping Groups are namespaced collections of Resource Mappings\nassociated under a common group name." 
+ }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, + "policySourceType": { + "type": "string", + "enum": [ + "SOURCE_TYPE_UNSPECIFIED", + "SOURCE_TYPE_INTERNAL", + "SOURCE_TYPE_EXTERNAL" + ], + "default": "SOURCE_TYPE_UNSPECIFIED", + "description": "Describes whether this kas is managed by the organization or if they imported\nthe kas information from an external party. These two modes are necessary in order\nto encrypt a tdf dek with an external parties kas public key.\n\n - SOURCE_TYPE_INTERNAL: The kas is managed by the organization.\n - SOURCE_TYPE_EXTERNAL: The kas is managed by an external party." + }, + "policySubjectConditionSet": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "subjectSets": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectSet" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "description": "A container for multiple Subject Sets, each containing Condition Groups, each\ncontaining Conditions. Multiple Subject Sets in a SubjectConditionSet are\nevaluated with AND logic. As each Subject Mapping has only one Attribute\nValue, the SubjectConditionSet is reusable across multiple Subject Mappings /\nAttribute Values and is an independent unit." 
+ }, + "policySubjectMapping": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue", + "title": "the Attribute Value mapped to; aka: \"The Entity Entitlement Attribute\"" + }, + "subjectConditionSet": { + "$ref": "#/definitions/policySubjectConditionSet", + "title": "the reusable SubjectConditionSet mapped to the given Attribute Value" + }, + "actions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyAction" + }, + "title": "The actions permitted by subjects in this mapping" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute\nvalue + action(s) combination" + }, + "policySubjectMappingOperatorEnum": { + "type": "string", + "enum": [ + "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED", + "SUBJECT_MAPPING_OPERATOR_ENUM_IN", + "SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN", + "SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS" + ], + "default": "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED", + "title": "- SUBJECT_MAPPING_OPERATOR_ENUM_IN: operator that returns true if a value in a list matches the string\n - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN: operator that returns true if a value is not in a list that is matched by\nstring\n - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS: operator that returns true if a value in a list contains the substring" + }, + "policySubjectProperty": { + "type": "object", + "properties": { + "externalSelectorValue": { + "type": "string" + }, + "externalValue": { + "type": "string" + } + }, + "description": "A property of a Subject/Entity as its selector expression -\u003e value result\npair. This would mirror external user attributes retrieved from an\nauthoritative source such as an IDP (Identity Provider) or User Store.\nExamples include such ADFS/LDAP, OKTA, etc. 
For now, a valid property must\ncontain both a selector expression \u0026 a resulting value.\n\nThe external_selector_value is a specifier to select a value from a flattened\nexternal representation of an Entity (such as from idP/LDAP), and the\nexternal_value is the value selected by the external_selector_value on that\nEntity Representation (Subject Context). These mirror the Condition." + }, + "policySubjectSet": { + "type": "object", + "properties": { + "conditionGroups": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyConditionGroup" + }, + "title": "multiple Condition Groups are evaluated with AND logic" + } + }, + "title": "A collection of Condition Groups" + }, + "policyValue": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "attribute": { + "$ref": "#/definitions/policyAttribute" + }, + "value": { + "type": "string" + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "Deprecated\nlist of key access servers" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "subjectMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectMapping" + }, + "title": "subject mapping" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + } + }, + "resourceMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyResourceMapping" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. 
This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." 
+ } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. 
Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + }, + "subjectmappingCreateSubjectConditionSetResponse": { + "type": "object", + "properties": { + "subjectConditionSet": { + "$ref": "#/definitions/policySubjectConditionSet" + } + } + }, + "subjectmappingCreateSubjectMappingResponse": { + "type": "object", + "properties": { + "subjectMapping": { + "$ref": "#/definitions/policySubjectMapping" + } + } + }, + "subjectmappingDeleteAllUnmappedSubjectConditionSetsResponse": { + "type": "object", + "properties": { + "subjectConditionSets": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectConditionSet" + }, + "title": "Only IDs of any deleted Subject Condition Set provided" + } + } + }, + "subjectmappingDeleteSubjectConditionSetResponse": { + "type": "object", + "properties": { + "subjectConditionSet": { + "$ref": "#/definitions/policySubjectConditionSet", + "title": "Only ID of deleted Subject Condition Set provided" + } + } + }, + "subjectmappingDeleteSubjectMappingResponse": { + "type": "object", + "properties": { + "subjectMapping": { + "$ref": "#/definitions/policySubjectMapping", + "title": "Only ID of 
the updated Subject Mapping provided" + } + } + }, + "subjectmappingGetSubjectConditionSetResponse": { + "type": "object", + "properties": { + "subjectConditionSet": { + "$ref": "#/definitions/policySubjectConditionSet" + }, + "associatedSubjectMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectMapping" + }, + "title": "contextualized Subject Mappings associated with this SubjectConditionSet" + } + } + }, + "subjectmappingGetSubjectMappingResponse": { + "type": "object", + "properties": { + "subjectMapping": { + "$ref": "#/definitions/policySubjectMapping" + } + } + }, + "subjectmappingListSubjectConditionSetsResponse": { + "type": "object", + "properties": { + "subjectConditionSets": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectConditionSet" + } + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse" + } + } + }, + "subjectmappingListSubjectMappingsResponse": { + "type": "object", + "properties": { + "subjectMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectMapping" + } + }, + "pagination": { + "$ref": "#/definitions/policyPageResponse" + } + } + }, + "subjectmappingMatchSubjectMappingsResponse": { + "type": "object", + "properties": { + "subjectMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectMapping" + } + } + } + }, + "subjectmappingSubjectConditionSetCreate": { + "type": "object", + "properties": { + "subjectSets": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectSet" + }, + "title": "Required" + }, + "metadata": { + "$ref": "#/definitions/commonMetadataMutable", + "title": "Optional\nCommon metadata" + } + } + }, + "subjectmappingUpdateSubjectConditionSetResponse": { + "type": "object", + "properties": { + "subjectConditionSet": { + "$ref": "#/definitions/policySubjectConditionSet", + "title": "Only ID 
of updated Subject Condition Set provided" + } + } + }, + "subjectmappingUpdateSubjectMappingResponse": { + "type": "object", + "properties": { + "subjectMapping": { + "$ref": "#/definitions/policySubjectMapping", + "title": "Only ID of the updated Subject Mapping provided" + } + } + } + } +} diff --git a/docs/openapi/policy/unsafe/unsafe.openapi.yaml b/docs/openapi/policy/unsafe/unsafe.openapi.yaml new file mode 100644 index 0000000000..875c41c555 --- /dev/null +++ b/docs/openapi/policy/unsafe/unsafe.openapi.yaml 
@@ -0,0 +1,1439 @@ +openapi: 3.1.0 +info: + title: policy.unsafe +paths: + /policy.unsafe.UnsafeService/UnsafeUpdateNamespace: + post: + tags: + - policy.unsafe.UnsafeService + summary: UnsafeUpdateNamespace + description: |- + --------------------------------------* + Namespace RPCs + --------------------------------------- + operationId: policy.unsafe.UnsafeService.UnsafeUpdateNamespace + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateNamespaceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateNamespaceResponse' + /policy.unsafe.UnsafeService/UnsafeReactivateNamespace: + post: + tags: + - policy.unsafe.UnsafeService + summary: UnsafeReactivateNamespace + operationId: policy.unsafe.UnsafeService.UnsafeReactivateNamespace + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateNamespaceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateNamespaceResponse' + 
/policy.unsafe.UnsafeService/UnsafeDeleteNamespace: + post: + tags: + - policy.unsafe.UnsafeService + summary: UnsafeDeleteNamespace + operationId: policy.unsafe.UnsafeService.UnsafeDeleteNamespace + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteNamespaceRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteNamespaceResponse' + /policy.unsafe.UnsafeService/UnsafeUpdateAttribute: + post: + tags: + - policy.unsafe.UnsafeService + summary: UnsafeUpdateAttribute + description: |- + --------------------------------------* + Attribute RPCs + --------------------------------------- + operationId: policy.unsafe.UnsafeService.UnsafeUpdateAttribute + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeResponse' + /policy.unsafe.UnsafeService/UnsafeReactivateAttribute: + post: + tags: + - policy.unsafe.UnsafeService + summary: 
UnsafeReactivateAttribute + operationId: policy.unsafe.UnsafeService.UnsafeReactivateAttribute + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeResponse' + /policy.unsafe.UnsafeService/UnsafeDeleteAttribute: + post: + tags: + - policy.unsafe.UnsafeService + summary: UnsafeDeleteAttribute + operationId: policy.unsafe.UnsafeService.UnsafeDeleteAttribute + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeResponse' + /policy.unsafe.UnsafeService/UnsafeUpdateAttributeValue: + post: + tags: + - policy.unsafe.UnsafeService + summary: UnsafeUpdateAttributeValue + description: |- + --------------------------------------* + Value RPCs + --------------------------------------- + operationId: policy.unsafe.UnsafeService.UnsafeUpdateAttributeValue + 
parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeUpdateAttributeValueResponse' + /policy.unsafe.UnsafeService/UnsafeReactivateAttributeValue: + post: + tags: + - policy.unsafe.UnsafeService + summary: UnsafeReactivateAttributeValue + operationId: policy.unsafe.UnsafeService.UnsafeReactivateAttributeValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeReactivateAttributeValueResponse' + /policy.unsafe.UnsafeService/UnsafeDeleteAttributeValue: + post: + tags: + - policy.unsafe.UnsafeService + summary: UnsafeDeleteAttributeValue + operationId: policy.unsafe.UnsafeService.UnsafeDeleteAttributeValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + 
in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteAttributeValueResponse' + /policy.unsafe.UnsafeService/UnsafeDeleteKasKey: + post: + tags: + - policy.unsafe.UnsafeService + summary: UnsafeDeleteKasKey + description: |- + --------------------------------------* + Kas Key RPCs + --------------------------------------- + operationId: policy.unsafe.UnsafeService.UnsafeDeleteKasKey + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteKasKeyRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.unsafe.UnsafeDeleteKasKeyResponse' +components: + schemas: + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + description: Supported key algorithms. 
+ policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. 
+ policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for `bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. + google.protobuf.Timestamp: + type: string + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). 
+ + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. + + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. + + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. 
That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. 
+ policy.Action: + type: object + oneOf: + - properties: + custom: + type: string + title: custom + description: Deprecated + title: custom + required: + - custom + - properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Action + additionalProperties: false + description: An action an entity can take + policy.Attribute: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + description: namespace of the attribute + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + description: attribute name + rule: + title: rule + description: attribute rule enum + $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' + values: + type: array + items: + $ref: '#/components/schemas/policy.Value' + title: values + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys associated with the attribute + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Attribute + required: + - rule + additionalProperties: false + policy.Condition: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as + from 
idP/LDAP) + operator: + title: operator + description: the evaluation operator of relation + $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' + subjectExternalValues: + type: array + items: + type: string + minItems: 1 + title: subject_external_values + minItems: 1 + description: |- + list of comparison values for the result of applying the + subject_external_selector_value on a flattened Entity Representation + (Subject), evaluated by the operator + title: Condition + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + * + A Condition defines a rule of + policy.ConditionGroup: + type: object + properties: + conditions: + type: array + items: + $ref: '#/components/schemas/policy.Condition' + title: conditions + minItems: 1 + booleanOperator: + title: boolean_operator + description: the boolean evaluation type across the conditions + $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum' + title: ConditionGroup + required: + - booleanOperator + additionalProperties: false + description: A collection of Conditions evaluated by the boolean_operator provided + policy.KasPublicKey: + type: object + properties: + pem: + type: string + title: pem + maxLength: 8192 + minLength: 1 + description: x509 ASN.1 content in PEM envelope, usually + kid: + type: string + title: kid + maxLength: 32 + minLength: 1 + description: A unique string identifier for this key + alg: + not: + enum: + - 0 + title: alg + description: |- + A known algorithm type with any additional parameters encoded. + To start, these may be `rsa:2048` for encrypting ZTDF files and + `ec:secp256r1` for nanoTDF, but more formats may be added as needed. 
+ $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' + title: KasPublicKey + additionalProperties: false + description: |- + Deprecated + A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeySet: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.KasPublicKey' + title: keys + title: KasPublicKeySet + additionalProperties: false + description: |- + Deprecated + A list of known KAS public keys + policy.Key: + type: object + properties: + id: + type: string + title: id + description: the database record ID, not the key ID (`kid`) + isActive: + title: is_active + $ref: '#/components/schemas/google.protobuf.BoolValue' + wasMapped: + title: was_mapped + $ref: '#/components/schemas/google.protobuf.BoolValue' + publicKey: + title: public_key + $ref: '#/components/schemas/policy.KasPublicKey' + kas: + title: kas + $ref: '#/components/schemas/policy.KeyAccessServer' + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Key + additionalProperties: false + policy.KeyAccessServer: + type: object + properties: + id: + type: string + title: id + uri: + type: string + title: uri + description: |+ + Address of a KAS instance + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. 
Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + + publicKey: + title: public_key + description: Deprecated + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: 'The source of the KAS: (INTERNAL, EXTERNAL)' + $ref: '#/components/schemas/policy.SourceType' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Kas keys associated with this KAS + name: + type: string + title: name + description: |- + Optional + Unique name of the KAS instance + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyAccessServer + additionalProperties: false + description: Key Access Server Registry + policy.Namespace: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + name: + type: string + title: name + description: |- + used to partition Attribute Definitions, support by namespace AuthN and + enable federation + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: KAS grants for the namespace + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys for the namespace + title: Namespace + additionalProperties: false + policy.PublicKey: + type: object + oneOf: + - properties: + cached: + title: cached + description: public key with additional information. 
Current preferred version + $ref: '#/components/schemas/policy.KasPublicKeySet' + title: cached + required: + - cached + - properties: + remote: + type: string + title: remote + description: |+ + kas public key url - optional since can also be retrieved via public key + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + + title: remote + required: + - remote + title: PublicKey + additionalProperties: false + description: Deprecated + policy.ResourceMapping: + type: object + properties: + id: + type: string + title: id + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + terms: + type: array + items: + type: string + title: terms + group: + title: group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: ResourceMapping + required: + - attributeValue + additionalProperties: false + description: |- + Resource Mappings (aka Access Control Resource Encodings aka ACRE) are + structures supporting the mapping of Resources and Attribute Values + policy.ResourceMappingGroup: + type: object + properties: + id: + type: string + title: id + namespaceId: + type: string + title: namespace_id + description: the namespace containing the group of resource mappings + name: + type: string + title: name + description: |- + the common name for the group of resource mappings, which must be unique + per namespace + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: ResourceMappingGroup + required: + - namespaceId + - name + additionalProperties: false + description: |- + Resource Mapping Groups are 
namespaced collections of Resource Mappings + associated under a common group name. + policy.SimpleKasKey: + type: object + properties: + kasUri: + type: string + title: kas_uri + description: The URL of the Key Access Server + publicKey: + title: public_key + description: The public key of the Key that belongs to the KAS + $ref: '#/components/schemas/policy.SimpleKasPublicKey' + kasId: + type: string + title: kas_id + description: The ID of the Key Access Server + title: SimpleKasKey + additionalProperties: false + policy.SimpleKasPublicKey: + type: object + properties: + algorithm: + title: algorithm + $ref: '#/components/schemas/policy.Algorithm' + kid: + type: string + title: kid + pem: + type: string + title: pem + title: SimpleKasPublicKey + additionalProperties: false + policy.SubjectConditionSet: + type: object + properties: + id: + type: string + title: id + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectConditionSet + additionalProperties: false + description: |- + A container for multiple Subject Sets, each containing Condition Groups, each + containing Conditions. Multiple Subject Sets in a SubjectConditionSet are + evaluated with AND logic. As each Subject Mapping has only one Attribute + Value, the SubjectConditionSet is reusable across multiple Subject Mappings / + Attribute Values and is an independent unit. 
+ policy.SubjectMapping: + type: object + properties: + id: + type: string + title: id + attributeValue: + title: attribute_value + description: 'the Attribute Value mapped to; aka: "The Entity Entitlement Attribute"' + $ref: '#/components/schemas/policy.Value' + subjectConditionSet: + title: subject_condition_set + description: the reusable SubjectConditionSet mapped to the given Attribute Value + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: The actions permitted by subjects in this mapping + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectMapping + additionalProperties: false + description: |- + Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute + value + action(s) combination + policy.SubjectSet: + type: object + properties: + conditionGroups: + type: array + items: + $ref: '#/components/schemas/policy.ConditionGroup' + title: condition_groups + minItems: 1 + description: multiple Condition Groups are evaluated with AND logic + title: SubjectSet + additionalProperties: false + description: A collection of Condition Groups + policy.Value: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + value: + type: string + title: value + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: |- + Deprecated + list of key access servers + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + description: subject mapping + kasKeys: + type: array + items: 
+ $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + resourceMappings: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMapping' + title: resource_mappings + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Value + additionalProperties: false + policy.unsafe.UnsafeDeleteAttributeRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: |- + Required + UUID of the Attribute + fqn: + type: string + title: fqn + description: |- + Required + Fully Qualified Name (FQN) of Attribute Definition (i.e. https:///attr/), normalized to lower case. + title: UnsafeDeleteAttributeRequest + required: + - fqn + additionalProperties: false + description: |- + WARNING!! + Deleting an Attribute will free up the Attribute name for reuse, which can introduce an access path to existing TDFs containing the deleted Attribute name. + Values under this Attribute will be cascadingly deleted. + Any KAS Grants associated with this Attribute will be cascadingly deleted. + policy.unsafe.UnsafeDeleteAttributeResponse: + type: object + properties: + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + title: UnsafeDeleteAttributeResponse + additionalProperties: false + policy.unsafe.UnsafeDeleteAttributeValueRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: |- + Required + UUID of the Attribute Value + fqn: + type: string + title: fqn + description: |- + Required + Fully Qualified Name (FQN) of Attribute Value (i.e. https:///attr//value/), normalized to lower case. + title: UnsafeDeleteAttributeValueRequest + required: + - fqn + additionalProperties: false + description: |- + WARNING!! + Deleting an Attribute Value will free up the Attribute Value for reuse, which can introduce an access path to existing TDFs containing the deleted Attribute Value. 
+ Any KAS Grants associated with this Attribute Value will be cascadingly deleted. + policy.unsafe.UnsafeDeleteAttributeValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.Value' + title: UnsafeDeleteAttributeValueResponse + additionalProperties: false + policy.unsafe.UnsafeDeleteKasKeyRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: |- + Required + UUID of the Key + title: UnsafeDeleteKasKeyRequest + additionalProperties: false + description: WARNING!! + policy.unsafe.UnsafeDeleteKasKeyResponse: + type: object + properties: + key: + title: key + $ref: '#/components/schemas/policy.Key' + title: UnsafeDeleteKasKeyResponse + additionalProperties: false + policy.unsafe.UnsafeDeleteNamespaceRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: |- + Required + UUID of the Namespace + fqn: + type: string + title: fqn + description: |- + Required + Fully Qualified Name (FQN) of Namespace (i.e. https://), normalized to lower case. + title: UnsafeDeleteNamespaceRequest + required: + - fqn + additionalProperties: false + description: |- + WARNING!! + Deleting a Namespace will free up the Attribute Namespace, Definitions, and Values for reuse, which can introduce an access path to existing TDFs containing the deleted policy. + Definitions and their Values under this Namespace will be cascadingly deleted. + policy.unsafe.UnsafeDeleteNamespaceResponse: + type: object + properties: + namespace: + title: namespace + $ref: '#/components/schemas/policy.Namespace' + title: UnsafeDeleteNamespaceResponse + additionalProperties: false + policy.unsafe.UnsafeReactivateAttributeRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: UnsafeReactivateAttributeRequest + additionalProperties: false + description: |- + WARNING!! 
+ Reactivating an Attribute can potentially open up an access path to existing TDFs containing the Attribute name. + Active state of any Values under this Attribute Definition will NOT be changed. + policy.unsafe.UnsafeReactivateAttributeResponse: + type: object + properties: + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + title: UnsafeReactivateAttributeResponse + additionalProperties: false + policy.unsafe.UnsafeReactivateAttributeValueRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: UnsafeReactivateAttributeValueRequest + additionalProperties: false + description: |- + WARNING!! + Reactivating an Attribute Value can potentially open up an access path to existing TDFs containing the Attribute Value. + policy.unsafe.UnsafeReactivateAttributeValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.Value' + title: UnsafeReactivateAttributeValueResponse + additionalProperties: false + policy.unsafe.UnsafeReactivateNamespaceRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + title: UnsafeReactivateNamespaceRequest + additionalProperties: false + description: |- + WARNING!! + Reactivating a Namespace can potentially open up an access path to existing TDFs containing any Attributes under the Namespace. + Active state of any Definitions and their Values under this Namespace will NOT be changed. + policy.unsafe.UnsafeReactivateNamespaceResponse: + type: object + properties: + namespace: + title: namespace + $ref: '#/components/schemas/policy.Namespace' + title: UnsafeReactivateNamespaceResponse + additionalProperties: false + policy.unsafe.UnsafeUpdateAttributeRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + name: + type: string + title: name + maxLength: 253 + description: |+ + Optional + WARNING!! 
+ Updating the name of an Attribute will retroactively alter access to existing TDFs of the old and new Attribute name. + Attribute name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored attribute name will be normalized to lower case.: + ``` + size(this) > 0 ? this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') : true + ``` + + rule: + title: rule + description: |- + Optional + WARNING!! + Updating the rule of an Attribute will retroactively alter access to existing TDFs of the Attribute name. + $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' + valuesOrder: + type: array + items: + type: string + title: values_order + description: |- + Optional + WARNING!! + Unsafe reordering requires the full list of values in the new order they should be stored. Updating the order of values in a HIERARCHY-rule Attribute Definition + will retroactively alter access to existing TDFs containing those values. Replacing values on an attribute in place is not supported; values can be unsafely deleted + deleted, created, and unsafely re-ordered as necessary. + title: UnsafeUpdateAttributeRequest + additionalProperties: false + description: |- + WARNING!! + Updating an Attribute can have dangerous consequences. Use with caution. + policy.unsafe.UnsafeUpdateAttributeResponse: + type: object + properties: + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + title: UnsafeUpdateAttributeResponse + additionalProperties: false + policy.unsafe.UnsafeUpdateAttributeValueRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + value: + type: string + title: value + maxLength: 253 + description: |+ + Required + Attribute Value must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. 
The stored attribute value will be normalized to lower case.: + ``` + this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$') + ``` + + title: UnsafeUpdateAttributeValueRequest + additionalProperties: false + description: |- + WARNING!! + Updating an Attribute Value will retroactively alter access to existing TDFs containing the old and new Attribute Value. + policy.unsafe.UnsafeUpdateAttributeValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.Value' + title: UnsafeUpdateAttributeValueResponse + additionalProperties: false + policy.unsafe.UnsafeUpdateNamespaceRequest: + type: object + properties: + id: + type: string + title: id + format: uuid + description: Required + name: + type: string + title: name + maxLength: 253 + description: |+ + Required + Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case.: + ``` + this.matches('^([a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?\\.)+[a-zA-Z]{2,}$') + ``` + + title: UnsafeUpdateNamespaceRequest + additionalProperties: false + description: |- + WARNING!! + Updating the Namespace of an Attribute will retroactively alter access to existing TDFs of the old and new Namespace name. + Existing Attribute Definitions and their Values under the Namespace will now be associated with the new Namespace name. 
+ policy.unsafe.UnsafeUpdateNamespaceResponse: + type: object + properties: + namespace: + title: namespace + $ref: '#/components/schemas/policy.Namespace' + title: UnsafeUpdateNamespaceResponse + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. +security: [] +tags: + - name: policy.unsafe.UnsafeService + description: |- + / + / Unsafe Service + / 
diff --git a/docs/openapi/policy/unsafe/unsafe.swagger.json b/docs/openapi/policy/unsafe/unsafe.swagger.json new file mode 100644 index 0000000000..2a81e583d2 --- /dev/null +++ b/docs/openapi/policy/unsafe/unsafe.swagger.json 
@@ -0,0 +1,684 @@ +{ + "swagger": "2.0", + "info": { + "title": "policy/unsafe/unsafe.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "UnsafeService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": {}, + "definitions": { + "ActionStandardAction": { + "type": "string", + "enum": [ + "STANDARD_ACTION_UNSPECIFIED", + "STANDARD_ACTION_DECRYPT", + "STANDARD_ACTION_TRANSMIT" + ], + "default": "STANDARD_ACTION_UNSPECIFIED", + "title": "- STANDARD_ACTION_DECRYPT: Deprecated\nMigrate to 'read' action name\n - STANDARD_ACTION_TRANSMIT: Deprecated\nMigrate to 'create' action name" + }, + "commonMetadata": { + "type": "object", + "properties": { + "createdAt": { + "type": "string", + "format": "date-time", + "title": "created_at set by server (entity who created will recorded in an audit event)" + }, + "updatedAt": { + "type": "string", + "format": "date-time", + "title": "updated_at set by server (entity who updated will recorded in an audit event)" + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "title": "optional short description" + } + }, + "title": "Struct to uniquely identify a resource with optional additional metadata" + }, + "policyAction": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "Generated uuid in database" + }, + "standard": { + "$ref": "#/definitions/ActionStandardAction", + "title": "Deprecated" + }, + "custom": { + "type": "string", + "title": "Deprecated" + }, + "name": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "An action an entity can take" + }, + "policyAlgorithm": { + "type": "string", + "enum": [ + "ALGORITHM_UNSPECIFIED", + "ALGORITHM_RSA_2048", + "ALGORITHM_RSA_4096", + "ALGORITHM_EC_P256", + "ALGORITHM_EC_P384", + "ALGORITHM_EC_P521" + ], + "default": "ALGORITHM_UNSPECIFIED", + "description": "Supported key algorithms." 
+ }, + "policyAttribute": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "namespace": { + "$ref": "#/definitions/policyNamespace", + "title": "namespace of the attribute" + }, + "name": { + "type": "string", + "title": "attribute name" + }, + "rule": { + "$ref": "#/definitions/policyAttributeRuleTypeEnum", + "title": "attribute rule enum" + }, + "values": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyValue" + } + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "Deprecated" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys associated with the attribute" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyAttributeRuleTypeEnum": { + "type": "string", + "enum": [ + "ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED", + "ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF", + "ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF", + "ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY" + ], + "default": "ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED" + }, + "policyCondition": { + "type": "object", + "properties": { + "subjectExternalSelectorValue": { + "type": "string", + "title": "a selector for a field value on a flattened Entity Representation (such as\nfrom idP/LDAP)" + }, + "operator": { + "$ref": "#/definitions/policySubjectMappingOperatorEnum", + "title": "the evaluation operator of relation" + }, + "subjectExternalValues": { + "type": "array", + "items": { + "type": "string" + }, + "title": "list of comparison values for the result of applying the\nsubject_external_selector_value on a flattened Entity Representation\n(Subject), evaluated by the operator" + } + }, + "title": "*\nA Condition defines a rule of 
\u003cthe value at the flattened 'selector value'\nlocation\u003e \u003coperator\u003e \u003csubject external values\u003e" + }, + "policyConditionBooleanTypeEnum": { + "type": "string", + "enum": [ + "CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED", + "CONDITION_BOOLEAN_TYPE_ENUM_AND", + "CONDITION_BOOLEAN_TYPE_ENUM_OR" + ], + "default": "CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED" + }, + "policyConditionGroup": { + "type": "object", + "properties": { + "conditions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyCondition" + } + }, + "booleanOperator": { + "$ref": "#/definitions/policyConditionBooleanTypeEnum", + "title": "the boolean evaluation type across the conditions" + } + }, + "title": "A collection of Conditions evaluated by the boolean_operator provided" + }, + "policyKasPublicKey": { + "type": "object", + "properties": { + "pem": { + "type": "string", + "title": "x509 ASN.1 content in PEM envelope, usually" + }, + "kid": { + "type": "string", + "title": "A unique string identifier for this key" + }, + "alg": { + "$ref": "#/definitions/policyKasPublicKeyAlgEnum", + "description": "A known algorithm type with any additional parameters encoded.\nTo start, these may be `rsa:2048` for encrypting ZTDF files and\n`ec:secp256r1` for nanoTDF, but more formats may be added as needed." 
+ } + }, + "title": "Deprecated\nA KAS public key and some associated metadata for further identifcation" + }, + "policyKasPublicKeyAlgEnum": { + "type": "string", + "enum": [ + "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048", + "KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1", + "KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1" + ], + "default": "KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED" + }, + "policyKasPublicKeySet": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKasPublicKey" + } + } + }, + "title": "Deprecated\nA list of known KAS public keys" + }, + "policyKey": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "the database record ID, not the key ID (`kid`)" + }, + "isActive": { + "type": "boolean" + }, + "wasMapped": { + "type": "boolean" + }, + "publicKey": { + "$ref": "#/definitions/policyKasPublicKey" + }, + "kas": { + "$ref": "#/definitions/policyKeyAccessServer" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "policyKeyAccessServer": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "uri": { + "type": "string", + "title": "Address of a KAS instance" + }, + "publicKey": { + "$ref": "#/definitions/policyPublicKey", + "title": "Deprecated" + }, + "sourceType": { + "$ref": "#/definitions/policySourceType", + "title": "The source of the KAS: (INTERNAL, EXTERNAL)" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Kas keys associated with this KAS" + }, + "name": { + "type": "string", + "title": "Optional\nUnique name of the KAS instance" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "title": "Key Access Server Registry" + }, + 
"policyNamespace": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "name": { + "type": "string", + "title": "used to partition Attribute Definitions, support by namespace AuthN and\nenable federation" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "KAS grants for the namespace" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + }, + "title": "Keys for the namespace" + } + } + }, + "policyPublicKey": { + "type": "object", + "properties": { + "remote": { + "type": "string", + "title": "kas public key url - optional since can also be retrieved via public key" + }, + "cached": { + "$ref": "#/definitions/policyKasPublicKeySet", + "title": "public key with additional information. 
Current preferred version" + } + }, + "title": "Deprecated" + }, + "policyResourceMapping": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue" + }, + "terms": { + "type": "array", + "items": { + "type": "string" + } + }, + "group": { + "$ref": "#/definitions/policyResourceMappingGroup" + } + }, + "title": "Resource Mappings (aka Access Control Resource Encodings aka ACRE) are\nstructures supporting the mapping of Resources and Attribute Values" + }, + "policyResourceMappingGroup": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "namespaceId": { + "type": "string", + "title": "the namespace containing the group of resource mappings" + }, + "name": { + "type": "string", + "title": "the common name for the group of resource mappings, which must be unique\nper namespace" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + }, + "description": "Resource Mapping Groups are namespaced collections of Resource Mappings\nassociated under a common group name." 
+ }, + "policySimpleKasKey": { + "type": "object", + "properties": { + "kasUri": { + "type": "string", + "title": "The URL of the Key Access Server" + }, + "publicKey": { + "$ref": "#/definitions/policySimpleKasPublicKey", + "title": "The public key of the Key that belongs to the KAS" + }, + "kasId": { + "type": "string", + "title": "The ID of the Key Access Server" + } + } + }, + "policySimpleKasPublicKey": { + "type": "object", + "properties": { + "algorithm": { + "$ref": "#/definitions/policyAlgorithm" + }, + "kid": { + "type": "string" + }, + "pem": { + "type": "string" + } + } + }, + "policySourceType": { + "type": "string", + "enum": [ + "SOURCE_TYPE_UNSPECIFIED", + "SOURCE_TYPE_INTERNAL", + "SOURCE_TYPE_EXTERNAL" + ], + "default": "SOURCE_TYPE_UNSPECIFIED", + "description": "Describes whether this kas is managed by the organization or if they imported\nthe kas information from an external party. These two modes are necessary in order\nto encrypt a tdf dek with an external parties kas public key.\n\n - SOURCE_TYPE_INTERNAL: The kas is managed by the organization.\n - SOURCE_TYPE_EXTERNAL: The kas is managed by an external party." + }, + "policySubjectConditionSet": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "subjectSets": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectSet" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "description": "A container for multiple Subject Sets, each containing Condition Groups, each\ncontaining Conditions. Multiple Subject Sets in a SubjectConditionSet are\nevaluated with AND logic. As each Subject Mapping has only one Attribute\nValue, the SubjectConditionSet is reusable across multiple Subject Mappings /\nAttribute Values and is an independent unit." 
+ }, + "policySubjectMapping": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "attributeValue": { + "$ref": "#/definitions/policyValue", + "title": "the Attribute Value mapped to; aka: \"The Entity Entitlement Attribute\"" + }, + "subjectConditionSet": { + "$ref": "#/definitions/policySubjectConditionSet", + "title": "the reusable SubjectConditionSet mapped to the given Attribute Value" + }, + "actions": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyAction" + }, + "title": "The actions permitted by subjects in this mapping" + }, + "metadata": { + "$ref": "#/definitions/commonMetadata" + } + }, + "title": "Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute\nvalue + action(s) combination" + }, + "policySubjectMappingOperatorEnum": { + "type": "string", + "enum": [ + "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED", + "SUBJECT_MAPPING_OPERATOR_ENUM_IN", + "SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN", + "SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS" + ], + "default": "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED", + "title": "- SUBJECT_MAPPING_OPERATOR_ENUM_IN: operator that returns true if a value in a list matches the string\n - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN: operator that returns true if a value is not in a list that is matched by\nstring\n - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS: operator that returns true if a value in a list contains the substring" + }, + "policySubjectSet": { + "type": "object", + "properties": { + "conditionGroups": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyConditionGroup" + }, + "title": "multiple Condition Groups are evaluated with AND logic" + } + }, + "title": "A collection of Condition Groups" + }, + "policyValue": { + "type": "object", + "properties": { + "id": { + "type": "string", + "title": "generated uuid in database" + }, + "attribute": { + "$ref": "#/definitions/policyAttribute" + }, + "value": { + 
"type": "string" + }, + "grants": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyKeyAccessServer" + }, + "title": "Deprecated\nlist of key access servers" + }, + "fqn": { + "type": "string" + }, + "active": { + "type": "boolean", + "title": "active by default until explicitly deactivated" + }, + "subjectMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySubjectMapping" + }, + "title": "subject mapping" + }, + "kasKeys": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policySimpleKasKey" + } + }, + "resourceMappings": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/policyResourceMapping" + } + }, + "metadata": { + "$ref": "#/definitions/commonMetadata", + "title": "Common metadata" + } + } + }, + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. 
(Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." + } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with 
an\nadditional field `@type` which contains the type URL. Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + }, + "unsafeUnsafeDeleteAttributeResponse": { + "type": "object", + "properties": { + "attribute": { + "$ref": "#/definitions/policyAttribute" + } + } + }, + "unsafeUnsafeDeleteAttributeValueResponse": { + "type": "object", + "properties": { + "value": { + "$ref": "#/definitions/policyValue" + } + } + }, + "unsafeUnsafeDeleteKasKeyResponse": { + "type": "object", + "properties": { + "key": { + "$ref": "#/definitions/policyKey" + } + } + }, + "unsafeUnsafeDeleteNamespaceResponse": { + "type": "object", + "properties": { + "namespace": { + "$ref": "#/definitions/policyNamespace" + } + } + }, + "unsafeUnsafeReactivateAttributeResponse": { + "type": "object", + "properties": { + "attribute": { + "$ref": "#/definitions/policyAttribute" + } + } + }, + "unsafeUnsafeReactivateAttributeValueResponse": { + "type": "object", + "properties": { + "value": { + "$ref": "#/definitions/policyValue" + } + } + }, + "unsafeUnsafeReactivateNamespaceResponse": { + "type": "object", + "properties": { + "namespace": { + "$ref": "#/definitions/policyNamespace" + } 
+ } + }, + "unsafeUnsafeUpdateAttributeResponse": { + "type": "object", + "properties": { + "attribute": { + "$ref": "#/definitions/policyAttribute" + } + } + }, + "unsafeUnsafeUpdateAttributeValueResponse": { + "type": "object", + "properties": { + "value": { + "$ref": "#/definitions/policyValue" + } + } + }, + "unsafeUnsafeUpdateNamespaceResponse": { + "type": "object", + "properties": { + "namespace": { + "$ref": "#/definitions/policyNamespace" + } + } + } + } +} diff --git a/docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml b/docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml new file mode 100644 index 0000000000..dcac72a437 --- /dev/null +++ b/docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml 
@@ -0,0 +1,184 @@ +openapi: 3.1.0 +info: + title: wellknownconfiguration +paths: + /.well-known/opentdf-configuration: + get: + tags: + - wellknownconfiguration.WellKnownService + summary: GetWellKnownConfiguration + operationId: wellknownconfiguration.WellKnownService.GetWellKnownConfiguration + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/wellknownconfiguration.GetWellKnownConfigurationResponse' +components: + schemas: + google.protobuf.NullValue: + type: string + title: NullValue + enum: + - NULL_VALUE + description: |- + `NullValue` is a singleton enumeration to represent the null value for the + `Value` type union. + + The JSON representation for `NullValue` is JSON `null`. + google.protobuf.ListValue: + type: object + properties: + values: + type: array + items: + $ref: '#/components/schemas/google.protobuf.Value' + title: values + description: Repeated field of dynamically typed values. + title: ListValue + additionalProperties: false + description: |- + `ListValue` is a wrapper around a repeated field of values. + + The JSON representation for `ListValue` is JSON array. + google.protobuf.Struct: + type: object + additionalProperties: + $ref: '#/components/schemas/google.protobuf.Value' + description: |- + `Struct` represents a structured data value, consisting of fields + which map to dynamically typed values. In some languages, `Struct` + might be supported by a native representation. For example, in + scripting languages like JS a struct is represented as an + object. The details of that representation are described together + with the proto support for the language. + + The JSON representation for `Struct` is JSON object. 
+ google.protobuf.Struct.FieldsEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + $ref: '#/components/schemas/google.protobuf.Value' + title: FieldsEntry + additionalProperties: false + google.protobuf.Value: + oneOf: + - type: "null" + - type: number + - type: string + - type: boolean + - type: array + - type: object + additionalProperties: true + description: |- + `Value` represents a dynamically typed value which can be either + null, a number, a string, a boolean, a recursive struct value, or a + list of values. A producer of value is expected to set one of these + variants. Absence of any variant indicates an error. + + The JSON representation for `Value` is JSON value. + wellknownconfiguration.GetWellKnownConfigurationRequest: + type: object + title: GetWellKnownConfigurationRequest + additionalProperties: false + wellknownconfiguration.GetWellKnownConfigurationResponse: + type: object + properties: + configuration: + title: configuration + $ref: '#/components/schemas/google.protobuf.Struct' + title: GetWellKnownConfigurationResponse + additionalProperties: false + wellknownconfiguration.WellKnownConfig: + type: object + properties: + configuration: + type: object + title: configuration + additionalProperties: + title: value + $ref: '#/components/schemas/google.protobuf.Struct' + title: WellKnownConfig + additionalProperties: false + wellknownconfiguration.WellKnownConfig.ConfigurationEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + $ref: '#/components/schemas/google.protobuf.Struct' + title: ConfigurationEntry + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: 
string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + message: + type: string + description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + detail: + $ref: '#/components/schemas/google.protobuf.Any' + title: Connect Error + additionalProperties: true + description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation' + google.protobuf.Any: + type: object + properties: + type: + type: string + value: + type: string + format: binary + debug: + type: object + additionalProperties: true + additionalProperties: true + description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. +security: [] +tags: + - name: wellknownconfiguration.WellKnownService diff --git a/docs/openapi/wellknownconfiguration/wellknown_configuration.swagger.json b/docs/openapi/wellknownconfiguration/wellknown_configuration.swagger.json new file mode 100644 index 0000000000..67a884d84b --- /dev/null +++ b/docs/openapi/wellknownconfiguration/wellknown_configuration.swagger.json 
@@ -0,0 +1,90 @@ +{ + "swagger": "2.0", + "info": { + "title": "wellknownconfiguration/wellknown_configuration.proto", + "version": "version not set" + }, + "tags": [ + { + "name": "WellKnownService" + } + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "paths": { + "/.well-known/opentdf-configuration": { + "get": { + "operationId": "WellKnownService_GetWellKnownConfiguration", + "responses": { + "200": { + "description": "A successful response.", + "schema": { + "$ref": "#/definitions/wellknownconfigurationGetWellKnownConfigurationResponse" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/rpcStatus" + } + } + }, + "tags": [ + "WellKnownService" + ] + } + } + }, + "definitions": { + "protobufAny": { + "type": "object", + "properties": { + "@type": { + "type": "string", + "description": "A URL/resource name that uniquely identifies the type of the serialized\nprotocol buffer message. This string must contain at least\none \"/\" character. The last segment of the URL's path must represent\nthe fully qualified name of the type (as in\n`path/google.protobuf.Duration`). The name should be in a canonical form\n(e.g., leading \".\" is not accepted).\n\nIn practice, teams usually precompile into the binary all types that they\nexpect it to use in the context of Any. However, for URLs which use the\nscheme `http`, `https`, or no scheme, one can optionally set up a type\nserver that maps type URLs to message definitions as follows:\n\n* If no scheme is provided, `https` is assumed.\n* An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n* Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. 
(Use versioned type names to manage\n breaking changes.)\n\nNote: this functionality is not currently available in the official\nprotobuf release, and it is not used for type URLs beginning with\ntype.googleapis.com. As of May 2023, there are no widely used type server\nimplementations and no plans to implement one.\n\nSchemes other than `http`, `https` (or the empty scheme) might be\nused with implementation specific semantics." + } + }, + "additionalProperties": {}, + "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n Foo foo = ...;\n Any any;\n any.PackFrom(foo);\n ...\n if (any.UnpackTo(\u0026foo)) {\n ...\n }\n\nExample 2: Pack and unpack a message in Java.\n\n Foo foo = ...;\n Any any = Any.pack(foo);\n ...\n if (any.is(Foo.class)) {\n foo = any.unpack(Foo.class);\n }\n // or ...\n if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n foo = any.unpack(Foo.getDefaultInstance());\n }\n\n Example 3: Pack and unpack a message in Python.\n\n foo = Foo(...)\n any = Any()\n any.Pack(foo)\n ...\n if any.Is(Foo.DESCRIPTOR):\n any.Unpack(foo)\n ...\n\n Example 4: Pack and unpack a message in Go\n\n foo := \u0026pb.Foo{...}\n any, err := anypb.New(foo)\n if err != nil {\n ...\n }\n ...\n foo := \u0026pb.Foo{}\n if err := any.UnmarshalTo(foo); err != nil {\n ...\n }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with 
an\nadditional field `@type` which contains the type URL. Example:\n\n package google.profile;\n message Person {\n string first_name = 1;\n string last_name = 2;\n }\n\n {\n \"@type\": \"type.googleapis.com/google.profile.Person\",\n \"firstName\": \u003cstring\u003e,\n \"lastName\": \u003cstring\u003e\n }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n {\n \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n \"value\": \"1.212s\"\n }" + }, + "protobufNullValue": { + "type": "string", + "enum": [ + "NULL_VALUE" + ], + "default": "NULL_VALUE", + "description": "`NullValue` is a singleton enumeration to represent the null value for the\n`Value` type union.\n\nThe JSON representation for `NullValue` is JSON `null`.\n\n - NULL_VALUE: Null value." + }, + "rpcStatus": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "details": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/protobufAny" + } + } + } + }, + "wellknownconfigurationGetWellKnownConfigurationResponse": { + "type": "object", + "properties": { + "configuration": { + "type": "object" + } + } + } + } +} From 5ad7d7b6b59f7684e2665a3a221564d263efb6e2 Mon Sep 17 00:00:00 2001 From: Chris Reed Date: Wed, 4 Jun 2025 15:54:13 -0500 Subject: [PATCH 06/10] unremove changelog. --- protocol/go/CHANGELOG.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 protocol/go/CHANGELOG.md diff --git a/protocol/go/CHANGELOG.md b/protocol/go/CHANGELOG.md new file mode 100644 index 0000000000..e6abf60fd6 --- /dev/null +++ b/protocol/go/CHANGELOG.md 
@@ -0,0 +1,30 @@
+# Changelog
+
+## [0.3.6](https://github.com/opentdf/platform/compare/protocol/go/v0.3.5...protocol/go/v0.3.6) (2025-05-27)
+
+
+### Features
+
+* **policy:** Update key status's and UpdateKey rpc. ([#2315](https://github.com/opentdf/platform/issues/2315)) ([7908db9](https://github.com/opentdf/platform/commit/7908db9c2be5adeccd3fb9f177187aee53698ee8))
+* **policy** Rename key context structures. ([#2318](https://github.com/opentdf/platform/pull/2318))
+ ([4cb28a9](https://github.com/opentdf/platform/commit/4cb28a9216a208493086fc5d44d38270a9d6f3cc))
+
+## [0.3.5](https://github.com/opentdf/platform/compare/protocol/go/v0.3.4...protocol/go/v0.3.5) (2025-05-23)
+
+
+### Features
+
+* **policy:** Default Platform Keys ([#2254](https://github.com/opentdf/platform/issues/2254)) ([d7447fe](https://github.com/opentdf/platform/commit/d7447fe2604443b4c75c8e547acf414bf78af988))
+
+## [0.3.4](https://github.com/opentdf/platform/compare/protocol/go/v0.3.3...protocol/go/v0.3.4) (2025-05-20)
+
+
+### Features
+
+* **core:** v2 ERS with proto updates ([#2210](https://github.com/opentdf/platform/issues/2210)) ([a161ef8](https://github.com/opentdf/platform/commit/a161ef85d12600672ff695cc84b07579a70c5cac))
+* **policy:** Finish resource mapping groups ([#2224](https://github.com/opentdf/platform/issues/2224)) ([5ff754e](https://github.com/opentdf/platform/commit/5ff754e99189d09ec3698128d1bc51b6f7a90994))
+
+
+### Bug Fixes
+
+* update key_mode to provide more context ([#2226](https://github.com/opentdf/platform/issues/2226)) ([44d0805](https://github.com/opentdf/platform/commit/44d0805fb34d87098ada7b5f7c934f65365f77f1))
From bf08ebbc14061583ce5f9bde5683cdf6238e8d5d Mon Sep 17 00:00:00 2001
From: Chris Reed
Date: Wed, 4 Jun 2025 15:56:20 -0500
Subject: [PATCH 07/10] refactor.

---
 service/policy/db/attributes.go | 1 -
 service/policy/db/grant_mappings.go | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/service/policy/db/attributes.go b/service/policy/db/attributes.go
index 6e95341044..82aff380e3 100644
--- a/service/policy/db/attributes.go
+++ b/service/policy/db/attributes.go
@@ -43,7 +43,6 @@ func attributesValuesProtojson(valuesJSON []byte) ([]*policy.Value, error) {
 for _, r := range raw {
 value := &policy.Value{}
 err := protojson.Unmarshal(r, value)
- // Need to format keys
 if err != nil {
 return nil, fmt.Errorf("error unmarshaling a value: %w", err)
 }
diff --git a/service/policy/db/grant_mappings.go b/service/policy/db/grant_mappings.go
index 5e61859b1b..daf69d9e17 100644
--- a/service/policy/db/grant_mappings.go
+++ b/service/policy/db/grant_mappings.go
@@ -23,6 +23,8 @@ func mapAlgorithmToKasPublicKeyAlg(alg policy.Algorithm) policy.KasPublicKeyAlgE
 return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1
 case policy.Algorithm_ALGORITHM_EC_P521: // ALGORITHM_EC_P521 is an alias
 return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1
+ case policy.Algorithm_ALGORITHM_UNSPECIFIED:
+ return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED
 default:
 return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED
 }
From eb16781cf6437596957fafbd0ac38f90d4b608e2 Mon Sep 17 00:00:00 2001
From: Chris Reed
Date: Thu, 5 Jun 2025 08:11:18 -0500
Subject: [PATCH 08/10] linting.

---
 service/policy/db/grant_mappings.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/service/policy/db/grant_mappings.go b/service/policy/db/grant_mappings.go
index 0a3c7ed8dd..2ee3fc6b90 100644
--- a/service/policy/db/grant_mappings.go
+++ b/service/policy/db/grant_mappings.go
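Review bot: The new `ALGORITHM_UNSPECIFIED` case returns exactly what `default` already returns, so a reader cannot tell whether it exists to satisfy an exhaustive-switch lint or to mark a deliberate distinction; `case policy.Algorithm_ALGORITHM_UNSPECIFIED: // listed explicitly for exhaustiveness; same mapping as default` would settle that. Because both branches collapse to `KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED`, a caller also cannot distinguish "no algorithm given" from "algorithm value this switch does not recognise", which is likely to matter wherever the result is used to choose key material; if callers do not already reject an UNSPECIFIED result, a check at the call site is worth adding. The function's signature and its earlier cases are outside the hunk, so handling there is not visible here.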
@@ -1,15 +1,14 @@
 package db
 
 import (
+ "errors"
 "fmt"
 
 "github.com/opentdf/platform/protocol/go/policy"
 "github.com/opentdf/platform/service/logger"
 )
 
-var (
- errKasInfoIncomplete = fmt.Errorf("kas information is incomplete")
-)
+var errKasInfoIncomplete = errors.New("kas information is incomplete")
 
 func mapAlgorithmToKasPublicKeyAlg(alg policy.Algorithm) policy.KasPublicKeyAlgEnum {
 switch alg {
@@ -42,6 +41,7 @@ func mapKasKeysToGrants(keys []*policy.SimpleKasKey, existingGrants []*policy.Ke
 
 for _, key := range keys {
 if key == nil {
+ l.Debug("Skipping nil key when mapping keys to grants")
 continue
 }
 if key.GetKasUri() == "" || key.GetKasId() == "" {
From e359f7b7014218f27a7479e15cd05f75b4ea5905 Mon Sep 17 00:00:00 2001
From: Chris Reed
Date: Thu, 5 Jun 2025 08:12:50 -0500
Subject: [PATCH 09/10] add changelog.

---
 protocol/go/CHANGELOG.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 protocol/go/CHANGELOG.md

diff --git a/protocol/go/CHANGELOG.md b/protocol/go/CHANGELOG.md
new file mode 100644
index 0000000000..e6abf60fd6
--- /dev/null
+++ b/protocol/go/CHANGELOG.md
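Review bot: The added `l.Debug` on the nil-key skip records that an entry was dropped but not which one, so the message cannot be correlated with the registry data that produced it; iterating with `for i, key := range keys {` and including `i` in the log entry (in whatever attribute form this logger supports) would make the skip actionable. If nil entries are not an expected shape for `keys`, Debug is also easy to miss in production and Warn may be the better level, though that depends on how noisy the caller is. `mapKasKeysToGrants` begins and ends outside the hunk, so any earlier validation of `keys` is not visible here.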
@@ -0,0 +1,30 @@
+# Changelog
+
+## [0.3.6](https://github.com/opentdf/platform/compare/protocol/go/v0.3.5...protocol/go/v0.3.6) (2025-05-27)
+
+
+### Features
+
+* **policy:** Update key status's and UpdateKey rpc. ([#2315](https://github.com/opentdf/platform/issues/2315)) ([7908db9](https://github.com/opentdf/platform/commit/7908db9c2be5adeccd3fb9f177187aee53698ee8))
+* **policy** Rename key context structures. ([#2318](https://github.com/opentdf/platform/pull/2318))
+ ([4cb28a9](https://github.com/opentdf/platform/commit/4cb28a9216a208493086fc5d44d38270a9d6f3cc))
+
+## [0.3.5](https://github.com/opentdf/platform/compare/protocol/go/v0.3.4...protocol/go/v0.3.5) (2025-05-23)
+
+
+### Features
+
+* **policy:** Default Platform Keys ([#2254](https://github.com/opentdf/platform/issues/2254)) ([d7447fe](https://github.com/opentdf/platform/commit/d7447fe2604443b4c75c8e547acf414bf78af988))
+
+## [0.3.4](https://github.com/opentdf/platform/compare/protocol/go/v0.3.3...protocol/go/v0.3.4) (2025-05-20)
+
+
+### Features
+
+* **core:** v2 ERS with proto updates ([#2210](https://github.com/opentdf/platform/issues/2210)) ([a161ef8](https://github.com/opentdf/platform/commit/a161ef85d12600672ff695cc84b07579a70c5cac))
+* **policy:** Finish resource mapping groups ([#2224](https://github.com/opentdf/platform/issues/2224)) ([5ff754e](https://github.com/opentdf/platform/commit/5ff754e99189d09ec3698128d1bc51b6f7a90994))
+
+
+### Bug Fixes
+
+* update key_mode to provide more context ([#2226](https://github.com/opentdf/platform/issues/2226)) ([44d0805](https://github.com/opentdf/platform/commit/44d0805fb34d87098ada7b5f7c934f65365f77f1))
From 348676195b029a66d68d773cc4d8d236a0ed0098 Mon Sep 17 00:00:00 2001
From: Chris Reed
Date: Thu, 5 Jun 2025 08:21:14 -0500
Subject: [PATCH 10/10] fix tests.

---
 service/policy/db/grant_mappings_test.go | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/service/policy/db/grant_mappings_test.go b/service/policy/db/grant_mappings_test.go
index 25ee320521..9297d56864 100644
--- a/service/policy/db/grant_mappings_test.go
+++ b/service/policy/db/grant_mappings_test.go
@@ -101,15 +101,6 @@ func TestMapKasKeysToGrants(t *testing.T) {
 },
 wantErr: false,
 },
- {
- name: "empty pem",
- keys: []*policy.SimpleKasKey{
- {KasId: "kas1", KasUri: "http://kas1.example.com", PublicKey: &policy.SimpleKasPublicKey{Kid: "kid1", Algorithm: policy.Algorithm_ALGORITHM_RSA_2048, Pem: ""}}, // Empty PEM
- },
- existingGrants: []*policy.KeyAccessServer{},
- wantErr: true,
- errContains: "kas key PEM is empty, kid kid1",
- },
 {
 name: "nil key in keys slice",
 keys: []*policy.SimpleKasKey{