Skip to main content

changeOrgPassphrase

Rotates the organization's passphrase. Verifies oldPassphrase against the stored verifier, then atomically installs a new verifier derived from newPassphrase. Returns true on success; errors on wrong old passphrase, no passphrase configured, or infrastructure failure. Emits passphrase_verify + passphrase_changed audit events on success; passphrase_verify (denied) on wrong-old.

changeOrgPassphrase(
orgID: String!
oldPassphrase: String!
newPassphrase: String!
): Boolean!

Arguments

changeOrgPassphrase.orgID ● String! non-null scalar

Keycloak organization alias.

changeOrgPassphrase.oldPassphrase ● String! non-null scalar

Current passphrase. Never logged.

changeOrgPassphrase.newPassphrase ● String! non-null scalar

Replacement passphrase — minimum 12 characters enforced server-side. Never logged.

Type

Boolean scalar

The Boolean scalar type represents true or false.