unlockPassphraseSession
Verifies the passphrase and caches the Argon2id-derived KEK in memory for the calling user + org. TTL is dictated by the org's strictness mode (convenience=24h, standard=1h, strict / airgapped=0=no caching). Returns the resulting session status. Emits passphrase.session.unlocked on success; the underlying verify call emits its own orgsettings.passphrase.verify event (with result=denied) on wrong input. Authorization is intentionally view-trust-policy — the passphrase IS the auth check.
unlockPassphraseSession(
orgID: String!
passphrase: String!
): PassphraseSessionStatus!
Arguments
unlockPassphraseSession.orgID ● String! non-null scalar
Keycloak organization alias.
unlockPassphraseSession.passphrase ● String! non-null scalar
Passphrase attempt. Never logged.
Type
PassphraseSessionStatus object
PassphraseSessionStatus reports whether the caller has a cached Argon2id-derived KEK for an organization, when it expires, and the org's current strictness mode (which dictates the TTL).