decryptExchangeConfigOnce
Strict / airgapped strictness only. Verifies the supplied passphrase
against the org's stored verifier, derives the KEK in-process,
decrypts every exchange.SecretConfigPaths leaf in the row's config,
zeros the KEK, emits a secrets.passphrase.decrypt_once audit event,
and returns the decrypted config map.
Returns errors:
- STRICTNESS_DOES_NOT_REQUIRE_PER_ACTION — caller's org is on convenience or standard strictness; dashboard should fall back to UnlockModal.
- NO_PASSPHRASE_VERIFIER — the org has no passphrase configured.
- WRONG_PASSPHRASE — the supplied passphrase does not match.
decryptExchangeConfigOnce(
exchangeID: ID!
passphrase: String!
): DecryptedExchange!
Arguments
decryptExchangeConfigOnce.exchangeID ● ID! non-null scalar
Exchange ID to decrypt.
decryptExchangeConfigOnce.passphrase ● String! non-null scalar
Plaintext passphrase. Never logged. Zeroed after the operation.
Type
DecryptedExchange object
Plaintext payload returned by decryptExchangeConfigOnce. Mirrors the row's config column shape so the dashboard re-uses the same form schema it does for the regular exchange edit flow, just with plaintext already populated.