revokeUserPassphrase
Instantly, logically revoke targetUserID's per-user passphrase credential for the org (T1.6 P4). O(1) and metadata/envelope-only: it soft-deletes the target's credential and deletes ONLY their per-user org-KW envelope — the shared org KW and every encrypted resource are byte-unchanged, no data is re-encrypted. Sibling members and recovery codes are unaffected; a revoked member can re-enroll later via a fresh enrollment token. Admin-only via the manage-encryption org scope (mirrors issueEnrollmentToken). The actor (revoker) is derived from the auth context — you cannot revoke your own credential (CANNOT_SELF_REVOKE), and a revoke that would remove the LAST way back into the org's encrypted data (no other passphrase credential AND no recovery escrow) is refused (WOULD_LOCK_OUT_ORG), mutating nothing. Revoking a member with no active credential returns NO_CREDENTIAL_FOR_USER.
revokeUserPassphrase(
orgID: String!
targetUserID: String!
): Boolean!
Arguments
revokeUserPassphrase.orgID ● String! non-null scalar
Keycloak organization alias.
revokeUserPassphrase.targetUserID ● String! non-null scalar
The member whose per-user passphrase credential is revoked.
Type
Boolean scalar
The Boolean scalar type represents true or false.