lockPassphraseSession
Explicitly clears the cached KEK for the calling user + org. Emits passphrase.session.locked. Idempotent — safe to call when no KEK is cached.
lockPassphraseSession(
orgID: String!
): PassphraseSessionStatus!
Arguments
lockPassphraseSession.orgID ● String! non-null scalar
Keycloak organization alias.
Type
PassphraseSessionStatus object
PassphraseSessionStatus reports whether the caller has a cached Argon2id-derived KEK for an organization, when it expires, and the org's current strictness mode (which dictates the TTL).