setTrustPolicy
Replaces the trust policy for an organization. Validates the input, upserts the OrganizationSettings row, and emits a trust_policy_changed SecurityAuditEvent. Validation failures emit a trust_policy_update_rejected denied event before returning.
Once an organization opts into a stricter feature (e.g. passkeyE2EE), resources created from that point forward are stamped with the new encryption mode; existing rows continue using their original mode (the metadata mixin is immutable per §6.5).
setTrustPolicy(
orgID: String!
input: TrustPolicyInput!
): OrganizationSettings!
Arguments
setTrustPolicy.orgID ● String! non-null scalar
Keycloak organization alias (slug, e.g. "acme-corp").
setTrustPolicy.input ● TrustPolicyInput! non-null input
The complete replacement trust policy. Validate against TrustPolicy schema (spec §6.4) before submit.