redeemEnrollmentToken
Redeem a single-use enrollment token (P3). The authenticated caller redeems the token issued FOR THEM with their OWN chosen newPassphrase, which mints their own per-user passphrase credential + an envelope wrapping the shared org KW under that passphrase. No special scope is required — the single-use token is cryptographically bound to the caller's user id, so it cannot be redeemed by anyone else: the token IS the authorization. The server never sets or sees the caller's passphrase beyond deriving their key from it in-process. Single-use: the token is consumed on success and a replay is rejected.
redeemEnrollmentToken(
orgID: String!
token: String!
newPassphrase: String!
): Boolean!
Arguments
redeemEnrollmentToken.orgID ● String! non-null scalar
Keycloak organization alias.
redeemEnrollmentToken.token ● String! non-null scalar
The opaque enrollment token handed to the caller out-of-band.
redeemEnrollmentToken.newPassphrase ● String! non-null scalar
The caller's own self-chosen passphrase. Never leaves the request.
Type
Boolean scalar
The Boolean scalar type represents true or false.