Skip to main content

unlockPassphraseSession

Verifies the passphrase and caches the Argon2id-derived KEK in memory for the calling user + org. TTL is dictated by the org's strictness mode (convenience=24h, standard=1h, strict / airgapped=0=no caching). Returns the resulting session status. Emits passphrase.session.unlocked on success; the underlying verify call emits its own orgsettings.passphrase.verify event (with result=denied) on wrong input. Authorization is intentionally view-trust-policy — the passphrase IS the auth check.

unlockPassphraseSession(
orgID: String!
passphrase: String!
): PassphraseSessionStatus!

Arguments

unlockPassphraseSession.orgID ● String! non-null scalar

Keycloak organization alias.

unlockPassphraseSession.passphrase ● String! non-null scalar

Passphrase attempt. Never logged.

Type

PassphraseSessionStatus object

PassphraseSessionStatus reports whether the caller has a cached Argon2id-derived KEK for an organization, when it expires, and the org's current strictness mode (which dictates the TTL).