Skip to main content

redeemOrgRecoveryCode

Redeems a one-time recovery code to reset the organization's passphrase. Verifies the code against the unused-code set, marks it used, and installs newPassphrase as the org's passphrase verifier (overwriting any existing one). Emits recovery_code_redeemed + passphrase_set audit events on success; recovery_code_redeemed (denied) on failure. Returns true on success.

Authorization is intentionally permissive (only requires view-trust-policy) — the recovery code IS the auth check, mirroring the semantics of verifyOrgPassphrase.

redeemOrgRecoveryCode(
orgID: String!
recoveryCode: String!
newPassphrase: String!
): Boolean!

Arguments

redeemOrgRecoveryCode.orgID ● String! non-null scalar

Keycloak organization alias.

redeemOrgRecoveryCode.recoveryCode ● String! non-null scalar

The plaintext recovery code (xxxx-xxxx-xxxx-xxxx format). Never logged.

redeemOrgRecoveryCode.newPassphrase ● String! non-null scalar

Replacement passphrase — minimum 12 characters enforced server-side. Never logged.

Type

Boolean scalar

The Boolean scalar type represents true or false.