> ## Documentation Index
> Fetch the complete documentation index at: https://docs.knoxcall.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Commit Migration

> Write all approved migration items into live KnoxCall secrets in a single atomic transaction.

## POST /admin/migrations/:id/commit

Write all `approved` items into live KnoxCall secrets. Each item creates or updates a secret and one `secret_environment_config` row per target environment. After commit the item's encrypted value is zeroed and its status becomes `committed`.

**Auth**: `migration_reviewer` permission + **5-minute step-up**

The migration must be in `awaiting_review` status. If any item fails to write, the entire commit is rolled back and the migration reverts to `awaiting_review` so the operator can investigate and retry.

A `migration.commit` entry is written to `audit_log_critical` after a successful commit.

### Response

```json theme={"dark"}
{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "status": "completed",
  "committed_count": 30
}
```

Returns `409` if the migration is not in `awaiting_review` status, or if there are no approved items to commit.

```bash theme={"dark"}
# /admin/* lives on the dashboard host (admin.knoxcall.com / any
# knoxcall.com host), gated by your admin session JWT + X-Tenant-ID.
# This route also requires a recent (within 5 min) step-up
# verification — perform a step-up (e.g. POST /auth/passkey/verify-step-up
# or /auth/2fa/verify-step-up) on the same session first, or this call
# returns 403 with requires_step_up: true.
curl -X POST https://admin.knoxcall.com/admin/migrations/550e8400.../commit \
  -H "Authorization: Bearer $KC_SESSION_JWT" \
  -H "X-Tenant-ID: $KC_TENANT_ID"
```
