Skip to main content

setOrgPassphrase

Installs the organization's first passphrase. Hashes via Argon2id and stores only the verifier — the passphrase itself is never persisted. Emits a passphrase_set SecurityAuditEvent. Returns true on success, error if a passphrase already exists (use changeOrgPassphrase, coming in a follow-up, to rotate). Requires manage-trust-policy because installing the passphrase changes the org's encryption posture.

setOrgPassphrase(
orgID: String!
passphrase: String!
): Boolean!

Arguments

setOrgPassphrase.orgID ● String! non-null scalar

Keycloak organization alias.

setOrgPassphrase.passphrase ● String! non-null scalar

Plain-text passphrase — minimum 12 characters enforced server-side. Never logged.

Type

Boolean scalar

The Boolean scalar type represents true or false.