Diffstat (limited to '')
-rw-r--r--crates/iam/src/api.rs98
1 files changed, 45 insertions, 53 deletions
diff --git a/crates/iam/src/api.rs b/crates/iam/src/api.rs
index af175a7..c662e0c 100644
--- a/crates/iam/src/api.rs
+++ b/crates/iam/src/api.rs
@@ -97,6 +97,14 @@ pub enum Command {
#[command(subcommand)]
object: UpdateObject,
},
+ #[command(
+ about = "Validate an IAM credential, optionally returning a session from the validation",
+ long_about = "Validate\n\nCredentials which have been created for identities may be validated and optionally exchanged for sessions."
+ )]
+ Validate {
+ #[command(subcommand)]
+ object: ValidateObject,
+ },
}
#[derive(Subcommand)]
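Review bot: The `long_about` on the new `Validate` variant says credentials may be "optionally exchanged for sessions", but the variant carries only `object: ValidateObject`, and no flag visible in this diff selects whether a session is issued. If validation always creates a session, the help text should say so, because a caller who only wants a yes/no check would otherwise leave live sessions behind as a side effect. If it never does, drop the clause, for example `about = "Validate an IAM credential"`. The `Command` enum begins outside this hunk, so an option defined elsewhere may already cover this.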
@@ -248,11 +256,15 @@ pub enum DevObject {
#[derive(Subcommand)]
pub enum CredentialMethod {
- /// A
+ ApiToken {
+ #[arg(long)]
+ expires_at: Option<i64>,
+ },
+ /// Unique username and passphrase credential. Each username may have at most one Passprhase credential.
Passphrase {
- /// B
+ /// The username associated with this credential
username: String,
- /// C
+ /// The secret passphrase for this credential
passphrase: String,
},
}
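Review bot: The new `ApiToken` variant and its `expires_at: Option<i64>` field have no doc comments, so the generated help gives neither the unit of the value nor what omitting it means. For a credential lifetime this matters: an `i64` could be seconds or milliseconds, and a missing value presumably yields a token that never expires. I would add a `///` line on the variant and one on the field, such as `/// Expiry as a Unix timestamp (state the unit); if omitted, <behaviour>`, and have the handler reject values already in the past. The new `Passphrase` doc comment also misspells the word as `Passprhase`.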
@@ -274,60 +286,13 @@ pub enum ValidationMethod {
#[derive(Subcommand)]
pub enum GetObject {
- ApiKey {
- /// Public key associated with this api key set
- public_key: String,
- },
- Group {
- /// Unique group name
- name: String,
- /// Unique group id
- #[arg(long, short)]
- id: Option<Uuid>,
- },
Identity {
/// The unique id corresponding to this identity.
#[arg(long, short)]
identity_id: Option<Uuid>,
- /// Any session corresponding to this identity.
- #[arg(long, short)]
- session_token: Option<String>,
- },
- Permission {
- /// Unique permission name
- name: String,
- /// Unique permission id
- #[arg(long, short)]
- id: Option<Uuid>,
- },
- Role {
- /// Unique role name
- name: String,
- /// Unique role id
- #[arg(long, short)]
- id: Option<Uuid>,
- },
- Session {
- /// The plaintext token which uniquely identifies the session
- secret: String,
- },
- Service {
- /// Unique service name
- name: String,
- /// Unique service id
- #[arg(long, short)]
- id: Option<Uuid>,
- },
- ServiceAction {
- /// Unique service action name
- name: String,
- /// Unique service action id
- #[arg(long, short)]
- id: Option<Uuid>,
- },
- Validation {
- /// Unique validation request id
- id: Uuid,
+ /// The credential corresponding to this identity.
+ #[command(subcommand)]
+ credential: Option<ValidateObject>,
},
}
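Review bot: `GetObject::Identity` now has two optional selectors, `identity_id: Option<Uuid>` and `credential: Option<ValidateObject>`, and nothing in the hunk says what happens when both or neither are supplied. Because the second selector is a secret-bearing credential, the lookup is presumably also a credential check, so it should follow the same failure handling as the `Validate` command rather than a separate path. The doc comment should state the contract, for example `/// Credential to validate in order to resolve the identity; required when --identity-id is not given`. The handler should return an explicit error when neither selector is present.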
@@ -340,6 +305,33 @@ pub enum UpdateObject {
#[arg(long, short)]
metadata: Option<String>,
},
+ Credential {
+ /// Unique identifier for this credential.
+ /// Note: You can validate the credential to find it's id.
+ id: Uuid,
+ /// Whether to revoke this credential. Once revoked, the credential may no longer be used
+ /// and may not be un-revoked.
+ #[arg(long, short, action)]
+ revoke: bool,
+ },
+}
+
+#[derive(Subcommand)]
+pub enum ValidateObject {
+ ApiToken {
+ /// Api token to validate
+ token: String,
+ },
+ Passphrase {
+ /// The username associated with this credential
+ username: String,
+ /// The secret passphrase for this credential
+ passphrase: String,
+ },
+ Session {
+ /// The secret token associated with this session.
+ token: String,
+ },
}
#[derive(Serialize, Deserialize)]
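Review bot: Every variant of the new `ValidateObject` takes its secret (`token`, `passphrase`) as a positional command-line argument, which exposes it in shell history and in the process list to other local users. The same applies to `CredentialMethod::Passphrase` in the earlier hunk and to `GetObject::Identity`, which now embeds `ValidateObject`. Consider making the secret optional on the command line and reading it from stdin or a no-echo prompt when absent, for example `passphrase: Option<String>` with a doc line `/// Read from stdin when omitted`. If the secret must stay on argv, the help text should say so. In `UpdateObject::Credential`, the doc comment's `it's id` should read `its id`.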