Skip to main content

StepUpCredentialInput

Credential the user supplies to obtain a step-up grant. Exactly one field must be populated — the resolver rejects the request if both or neither is set. Future credential types (passkey signature) will add additional optional fields here without breaking the contract.

input StepUpCredentialInput {
passphrase: String
oidcIdToken: String
}

Fields

StepUpCredentialInput.passphrase ● String scalar

Org passphrase verify path. Available when the org uses passphrase encryption (orgsettings.DerivedBackend resolves to "passphrase" — i.e. Features.PassphraseEncryption=true AND an org KW exists). Server runs the same Argon2id verifier as setOrgPassphrase / verifyOrgPassphrase.

StepUpCredentialInput.oidcIdToken ● String scalar

OIDC re-auth path. Dashboard sends the ID token returned by Keycloak after a prompt=login&max_age=0 round-trip; the server verifies the signature AND checks that auth_time is fresh enough to satisfy the policy TTL.

Member Of

requestStepUp mutation