Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.knoxcall.com/llms.txt

Use this file to discover all available pages before exploring further.

GET /admin/tenant-kms

Retrieve the current BYOK KMS configuration, all key versions, seal status, and last KMS error. Auth: Authorization: Bearer <token> — no step-up required.

Response

{
  "config": {
    "provider": "customer_kms_aws",
    "kms_key_ref": "arn:aws:kms:us-east-1:111122223333:key/abcd-1234",
    "config": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::111122223333:role/KnoxCallKMSAccess"
    },
    "sealed_since": null,
    "last_verified_at": "2026-05-25T10:00:00Z",
    "last_verify_error": null
  },
  "keys": [
    {
      "id": "d290f1ee-6c54-4b01-90e6-d701748f0851",
      "version": 2,
      "wrap_method": "customer_kms",
      "status": "active",
      "created_at": "2026-05-25T10:00:00Z",
      "retired_at": null
    },
    {
      "id": "a7c1d8f3-2e4b-4c6a-8d9e-1f3b5a7c9d2e",
      "version": 1,
      "wrap_method": "customer_kms",
      "status": "retired",
      "created_at": "2026-01-01T00:00:00Z",
      "retired_at": "2026-05-25T10:00:00Z"
    }
  ]
}
config.provider in the GET response uses the internal format (customer_kms_aws, customer_kms_gcp, customer_kms_azure) — this is different from the short input form (aws, gcp, azure) used in the onboard request. Returns 404 if no customer KMS is configured for this tenant. 
curl https://api.knoxcall.com/admin/tenant-kms \
  -H "Authorization: Bearer $KC_ADMIN_JWT"