Skip to main content

requestStepUp

Establishes a step-up grant for the named scope using the supplied credential. Idempotent on success — multiple successful calls inside the TTL refresh the expiry. Failure (bad passphrase, stale OIDC) returns an access-denied error and emits an auth.step_up.denied audit event.

requestStepUp(
scope: String!
credential: StepUpCredentialInput!
): StepUpGrant!

Arguments

requestStepUp.scope ● String! non-null scalar

requestStepUp.credential ● StepUpCredentialInput! non-null input

Type

StepUpGrant object

Result of a successful requestStepUp. ExpiresAt is the absolute deadline; ConsumeOnFirstUse echoes the policy so the dashboard can decide whether to render the "Verified for Nm" chip (windowed) or just a transient toast (per-action).