Skip to main content

redeemOrgRecoveryCodeAcceptingDataLoss

Destructive variant of redeemOrgRecoveryCode for the locked-out no-escrow case. Validates the recovery code, resets the passphrase to newPassphrase, and consumes the code EVEN THOUGH the org's existing encrypted secrets cannot be recovered (they become permanently inaccessible). When a recovery escrow DOES exist this behaves exactly like redeemOrgRecoveryCode (data recovered). Only call after an explicit user destructive confirmation.

redeemOrgRecoveryCodeAcceptingDataLoss(
orgID: String!
recoveryCode: String!
newPassphrase: String!
): Boolean!

Arguments

redeemOrgRecoveryCodeAcceptingDataLoss.orgID ● String! non-null scalar

Keycloak organization alias.

redeemOrgRecoveryCodeAcceptingDataLoss.recoveryCode ● String! non-null scalar

The plaintext recovery code (xxxx-xxxx-xxxx-xxxx format). Never logged.

redeemOrgRecoveryCodeAcceptingDataLoss.newPassphrase ● String! non-null scalar

Replacement passphrase — minimum 12 characters enforced server-side. Never logged.

Type

Boolean scalar

The Boolean scalar type represents true or false.