Skip to main content

setStrategyWrappedDEKs

Sets the full envelope set for one Strategy. Idempotent: passing the same envelopes twice is a no-op. Requires:

  1. edit scope on the Strategy (parent @hasScope).
  2. The org's plan includes the passkeyE2EE feature.
  3. Every passkeyEncryptionKeyID names an active (non-revoked) row owned by the strategy's owner OR by a user the resource has been shared with (T2.4 wires the latter; PR-2 enforces owner-only).

Returns the resulting envelope list.

setStrategyWrappedDEKs(
id: ID!
input: SetStrategyWrappedDEKsInput!
): [WrappedDEK!]!

Arguments

setStrategyWrappedDEKs.id ● ID! non-null scalar

setStrategyWrappedDEKs.input ● SetStrategyWrappedDEKsInput! non-null input

Type

WrappedDEK object

A single envelope of a per-resource Data Encryption Key (DEK) wrapped to one passkey-bound X25519 public key. Multiple WrappedDEK rows can exist per resource — one per active passkey of the owner, plus recipient passkeys when the resource is shared (T2.4) and admin escrow keys (T2.5). The browser unwraps with the X25519 priv derived from the WebAuthn PRF output, then AES-GCM-decrypts the resource's ciphertext with the recovered DEK.

Wire shape mirrors console/src/crypto/passkey/wrap.ts: ephemeral sender pubkey + AES-GCM nonce + AES-GCM ciphertext, all base64- standard. The ENT row stores raw bytes; this resolver layer encodes.