POST /admin/tenant-kms/rotate

Rotate the tenant master key. Creates a new 32-byte master key wrapped under your customer KMS key, sets it as the active version, and retires the current active version. A background rewrap job immediately begins re-encrypting existing tenant data under the new version.

Auth: Authorization: Bearer <token> + X-KnoxCall-StepUp with a 5-minute window.

Rotation is non-reversible. The old version becomes retired and cannot be made active again. Data encrypted under the old version remains decryptable until you explicitly revoke it (cryptographic erasure). Revocation is permanent; use it only for security incidents, not routine rotation.

Cannot be called while the tenant is sealed; unseal first.

Response

{
  "rotated": true,
  "new_version": 2,
  "rewrap_lease_id": 42
}

rewrap_lease_id identifies the background rewrap job. This job processes 100 rows per batch at 5-second intervals, re-encrypting all existing tenant secrets under new_version. The old version remains available for decryption until explicitly revoked.

rewrap_lease_id is null if the rewrap lease failed to issue (the rotation itself succeeded; contact support to trigger rewrap manually).

curl -X POST https://api.knoxcall.com/admin/tenant-kms/rotate \
  -H "Authorization: Bearer $KC_ADMIN_JWT" \
  -H "X-KnoxCall-StepUp: $STEPUP_TOKEN"
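
The same call with the response checked, as an added example (not KnoxCall's own code): it treats a null rewrap_lease_id as a follow-up item instead of a success and estimates the rewrap duration from the batch figures above. `previous_version` and `secret_rows` are hypothetical operator-supplied inputs; the increasing-version check and the one-batch-per-interval estimate are assumptions.

```python
import json
import math
import urllib.request

ROTATE_URL = "https://api.knoxcall.com/admin/tenant-kms/rotate"  # from the page
BATCH_ROWS = 100       # rows per rewrap batch, per the page
BATCH_INTERVAL_S = 5   # seconds between batches, per the page


def call_rotate(admin_jwt, stepup_token):
    """POST the rotation request and return the raw response body."""
    req = urllib.request.Request(ROTATE_URL, method="POST", headers={
        "Authorization": f"Bearer {admin_jwt}",
        "X-KnoxCall-StepUp": stepup_token,  # step-up token, 5-minute window
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def check_rotation(body, previous_version, secret_rows):
    """Validate a rotate response and decide what the operator does next."""
    data = json.loads(body)
    if data.get("rotated") is not True:
        raise RuntimeError("rotation not confirmed; do not assume a new key is active")
    new_version = data.get("new_version")
    # Assumption: version numbers increase with each rotation.
    if not isinstance(new_version, int) or new_version <= previous_version:
        raise RuntimeError(f"unexpected new_version {new_version!r}")
    lease = data.get("rewrap_lease_id")
    result = {"new_version": new_version, "rewrap_lease_id": lease}
    if lease is None:
        # Rotation succeeded but no rewrap job was issued: existing data stays
        # under the retired version until support triggers the rewrap.
        result["action"] = "contact-support-for-manual-rewrap"
        result["est_rewrap_seconds"] = None
    else:
        # Rough estimate (assumption): one batch per interval, no processing time.
        batches = math.ceil(secret_rows / BATCH_ROWS)
        result["action"] = "monitor-rewrap"
        result["est_rewrap_seconds"] = batches * BATCH_INTERVAL_S
    return result
```

Until the rewrap completes, existing secrets still depend on the retired version, so a null lease should be tracked to closure.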