StepUpCredentialInput
Credential the user supplies to obtain a step-up grant. Exactly one field must be populated — the resolver rejects the request if both or neither is set. Future credential types (passkey signature) will add additional optional fields here without breaking the contract.
input StepUpCredentialInput {
passphrase: String
oidcIdToken: String
}
Fields
StepUpCredentialInput.passphrase ● String scalar
Org passphrase verify path. Available when the org uses passphrase encryption (orgsettings.DerivedBackend resolves to "passphrase" — i.e. Features.PassphraseEncryption=true AND an org KW exists). Server runs the same Argon2id verifier as setOrgPassphrase / verifyOrgPassphrase.
StepUpCredentialInput.oidcIdToken ● String scalar
OIDC re-auth path. Dashboard sends the ID token returned by Keycloak after a prompt=login&max_age=0 round-trip; the server verifies the signature AND checks that auth_time is fresh enough to satisfy the policy TTL.
Member Of
requestStepUp mutation