GET /admin/tenant-kms
Retrieve the current BYOK KMS configuration, all key versions, seal status, and last KMS error. Auth: This is a control-plane endpoint on the admin host (e.g.admin.knoxcall.com / any knoxcall.com host). It is authenticated with a session JWT (Authorization: Bearer <token>) plus the X-Tenant-ID header and requires an owner or admin role — not an api.knoxcall.com API key. No step-up required.
Response
config.provider in the GET response uses the internal format (customer_kms_aws, customer_kms_gcp, customer_kms_azure) — this is different from the short input form (aws, gcp, azure) used in the onboard request.
If no customer KMS is configured for this tenant, the endpoint still returns 200 with config: null (and keys: []).