Skip to main content

decryptBotConfigOnce

Strict / airgapped strictness only. Verifies the supplied passphrase against the org's stored verifier, derives the KEK in-process, decrypts every bot.SecretConfigPaths leaf in the row's secure_config, zeros the KEK, emits a secrets.passphrase.decrypt_once audit event, and returns the decrypted secure_config map.

Returns errors:

  • STRICTNESS_DOES_NOT_REQUIRE_PER_ACTION — caller's org is on convenience or standard strictness; dashboard should fall back to the regular UnlockModal.
  • NO_PASSPHRASE_VERIFIER — the org has no passphrase configured.
  • WRONG_PASSPHRASE — the supplied passphrase does not match.
decryptBotConfigOnce(
botID: ID!
passphrase: String!
): DecryptedBot!

Arguments

decryptBotConfigOnce.botID ● ID! non-null scalar

Bot ID to decrypt.

decryptBotConfigOnce.passphrase ● String! non-null scalar

Plaintext passphrase. Never logged. Zeroed after the operation.

Type

DecryptedBot object

Plaintext payload returned by decryptBotConfigOnce. Mirrors the row's own secure_config column shape — the dashboard re-uses the same form schema it does for the regular bot edit flow, just with plaintext already populated. The bot field carries the row's non-secret metadata so the dashboard doesn't need a second round-trip.