POST /admin/tenant-kms

Onboard a customer KMS provider. KnoxCall performs a live wrap + unwrap round-trip on a 32-byte test payload before committing — if the IAM/RBAC grant isn’t working, the request fails immediately and nothing is stored. Calling this endpoint when a KMS configuration already exists replaces it (UPSERT). The probe runs first; if it fails, the existing config is unchanged. Auth: Authorization: Bearer <token> — no step-up required.

Request body

provider — aws | gcp | azure
kms_key_ref — The provider-specific key identifier:
  • AWS: full key ARN (arn:aws:kms:REGION:ACCOUNT:key/KEY-ID or .../alias/ALIAS)
  • GCP: full resource path (projects/P/locations/L/keyRings/R/cryptoKeys/K)
  • Azure: vault key URL (https://VAULT.vault.azure.net/keys/KEY-NAME)
config — Provider-specific authentication references. Static long-lived credentials (access keys, service account JSON, client secrets) are rejected at the API level.
Provider   Required                      Optional
aws        region, role_arn              external_id
gcp        impersonate_service_account   project_id
azure      vault_url                     azure_tenant_id, client_id, client_secret_env_var
curl -X POST https://api.knoxcall.com/admin/tenant-kms \
  -H "Authorization: Bearer $KC_ADMIN_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "aws",
    "kms_key_ref": "arn:aws:kms:us-east-1:111122223333:key/abcd-1234",
    "config": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::111122223333:role/KnoxCallKMSAccess",
      "external_id": "550e8400-e29b-41d4-a716-446655440000"
    }
  }'

Response

{
  "ok": true,
  "provider": "aws",
  "kms_key_ref": "arn:aws:kms:us-east-1:111122223333:key/abcd-1234",
  "new_key_version": 1,
  "new_key_id": "d290f1ee-6c54-4b01-90e6-d701748f0851",
  "rewrap_status": "enqueued",
  "note": "A background rewrap pass will re-encrypt existing secrets under the new master key. In-flight sessions remain valid for up to 5 minutes (BYOK TTL)."
}
rewrap_status is always "enqueued" — KnoxCall unconditionally issues a background rewrap lease after onboarding.
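The following is an added example, not KnoxCall's own code, that models the endpoint's documented behaviour end to end: the per-provider kms_key_ref formats, the required/optional config keys from the table above, rejection of static credentials, and the 32-byte wrap + unwrap probe that must succeed before an existing configuration is replaced. The KMS is an in-memory stand-in whose grant check (role_arn plus external_id) approximates the IAM trust policy; the rejected field names, the grant check and the rule that every onboarding mints a new key version are assumptions, not documented by this page.

```python
"""Preflight and commit logic for POST /admin/tenant-kms (added example, not
KnoxCall's code). Mirrors the page: key-ref formats, config keys, rejection of
static credentials, and a 32-byte wrap+unwrap probe gating the UPSERT. The KMS
is an in-memory stand-in; rejected field names and the grant check are assumed.
"""
import hmac
import re
import secrets
import uuid

KEY_REF_PATTERNS = {
    "aws": re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:(key/[0-9a-f-]+|alias/[\w/-]+)$"),
    "gcp": re.compile(r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"),
    "azure": re.compile(r"^https://[a-z0-9-]+\.vault\.azure\.net/keys/[A-Za-z0-9-]+$"),
}
CONFIG_KEYS = {  # provider -> (required, optional), from the request-body table
    "aws": ({"region", "role_arn"}, {"external_id"}),
    "gcp": ({"impersonate_service_account"}, {"project_id"}),
    "azure": ({"vault_url"}, {"azure_tenant_id", "client_id", "client_secret_env_var"}),
}
# Assumed field names for the static credential types the API rejects.
STATIC_CREDENTIAL_KEYS = {"access_key_id", "secret_access_key", "service_account_json", "client_secret"}

# Constructed from the curl example on this page.
EXAMPLE_BODY = {
    "provider": "aws",
    "kms_key_ref": "arn:aws:kms:us-east-1:111122223333:key/abcd-1234",
    "config": {
        "region": "us-east-1",
        "role_arn": "arn:aws:iam::111122223333:role/KnoxCallKMSAccess",
        "external_id": "550e8400-e29b-41d4-a716-446655440000",
    },
}

class ValidationError(ValueError):
    pass

class PermissionDenied(RuntimeError):
    pass

def validate_request(body: dict) -> None:
    """Reject malformed bodies before any KMS call is made."""
    provider = body.get("provider")
    if provider not in KEY_REF_PATTERNS:
        raise ValidationError("provider must be one of aws | gcp | azure")
    if not KEY_REF_PATTERNS[provider].match(body.get("kms_key_ref", "")):
        raise ValidationError(f"kms_key_ref is not a valid {provider} key reference")
    present = set(body.get("config") or {})
    if leaked := STATIC_CREDENTIAL_KEYS & present:
        raise ValidationError(f"static credentials are rejected: {sorted(leaked)}")
    required, optional = CONFIG_KEYS[provider]
    if missing := required - present:
        raise ValidationError(f"missing required config keys: {sorted(missing)}")
    if unknown := present - required - optional:
        raise ValidationError(f"unknown config keys for {provider}: {sorted(unknown)}")

class FakeKms:
    """In-memory stand-in for one AWS KMS key; only the assumed role_arn/external_id pair may use it."""
    def __init__(self, key_ref: str, role_arn: str, external_id: str):
        self._grant = (key_ref, role_arn, external_id)
        self._blobs = {}  # opaque ciphertext token -> plaintext
    def _authorize(self, key_ref: str, config: dict) -> None:
        if (key_ref, config.get("role_arn"), config.get("external_id")) != self._grant:
            raise PermissionDenied("AccessDenied")
    def wrap(self, key_ref: str, config: dict, plaintext: bytes) -> bytes:
        self._authorize(key_ref, config)
        token = secrets.token_bytes(16)
        self._blobs[token] = plaintext
        return token
    def unwrap(self, key_ref: str, config: dict, token: bytes) -> bytes:
        self._authorize(key_ref, config)
        return self._blobs[token]

def probe_round_trip(kms, key_ref: str, config: dict) -> bool:
    """Live wrap + unwrap of a fresh 32-byte payload; False if the grant does not work."""
    payload = secrets.token_bytes(32)
    try:
        recovered = kms.unwrap(key_ref, config, kms.wrap(key_ref, config, payload))
    except PermissionDenied:
        return False
    return hmac.compare_digest(recovered, payload)

def onboard_tenant_kms(store: dict, body: dict, kms) -> dict:
    """UPSERT: validate, probe, then replace. Any failure leaves `store` untouched."""
    validate_request(body)
    if not probe_round_trip(kms, body["kms_key_ref"], body["config"]):
        raise PermissionDenied("wrap/unwrap probe failed; existing config unchanged")
    version = store.get("key_version", 0) + 1  # assumption: each onboarding mints a new key version
    store.clear()
    store.update(provider=body["provider"], kms_key_ref=body["kms_key_ref"],
                 config=dict(body["config"]), key_version=version, key_id=str(uuid.uuid4()))
    return {"ok": True, "provider": body["provider"], "kms_key_ref": body["kms_key_ref"],
            "new_key_version": version, "new_key_id": store["key_id"], "rewrap_status": "enqueued"}
```

Run `onboard_tenant_kms({}, EXAMPLE_BODY, FakeKms(EXAMPLE_BODY["kms_key_ref"], "arn:aws:iam::111122223333:role/KnoxCallKMSAccess", "550e8400-e29b-41d4-a716-446655440000"))` to see the success path; calling it again with a wrong external_id raises PermissionDenied and leaves the first entry in place, which is the ordering the endpoint guarantees. Against a real AWS key, the equivalent pre-flight before calling the endpoint is an `aws sts assume-role --external-id` followed by `aws kms encrypt` and `aws kms decrypt` on a small payload, using only the temporary credentials that assume-role returns.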