> ## Documentation Index
> Fetch the complete documentation index at: https://docs.knoxcall.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get KMS Status

> Retrieve the current BYOK KMS configuration, all key versions, seal status, and last KMS error.

## GET /admin/tenant-kms

Retrieve the current BYOK KMS configuration, all key versions, seal status, and last KMS error.

**Auth**: This is a control-plane endpoint on the admin host (e.g. `admin.knoxcall.com` / any `knoxcall.com` host). It is authenticated with a session JWT (`Authorization: Bearer <token>`) plus the `X-Tenant-ID` header and requires an owner or admin role — not an `api.knoxcall.com` API key. No step-up required.

### Response

```json theme={"dark"}
{
  "config": {
    "provider": "customer_kms_aws",
    "kms_key_ref": "arn:aws:kms:us-east-1:111122223333:key/abcd-1234",
    "config": {
      "region": "us-east-1",
      "role_arn": "arn:aws:iam::111122223333:role/KnoxCallKMSAccess"
    },
    "sealed_since": null,
    "last_verified_at": "2026-05-25T10:00:00Z",
    "last_verify_error": null
  },
  "keys": [
    {
      "id": "d290f1ee-6c54-4b01-90e6-d701748f0851",
      "version": 2,
      "wrap_method": "customer_kms",
      "status": "active",
      "created_at": "2026-05-25T10:00:00Z",
      "retired_at": null
    },
    {
      "id": "a7c1d8f3-2e4b-4c6a-8d9e-1f3b5a7c9d2e",
      "version": 1,
      "wrap_method": "customer_kms",
      "status": "retired",
      "created_at": "2026-01-01T00:00:00Z",
      "retired_at": "2026-05-25T10:00:00Z"
    }
  ]
}
```

`config.provider` in the GET response uses the internal format (`customer_kms_aws`, `customer_kms_gcp`, `customer_kms_azure`) — this is different from the short input form (`aws`, `gcp`, `azure`) used in the onboard request.

If no customer KMS is configured for this tenant, the endpoint still returns `200` with `config: null` (and `keys: []`).

<CodeGroup>
  ```bash cURL theme={"dark"}
  curl https://admin.knoxcall.com/admin/tenant-kms \
    -H "Authorization: Bearer $KC_ADMIN_JWT" \
    -H "X-Tenant-ID: $KC_TENANT_ID"
  ```

  ```python Python theme={"dark"}
  import requests

  resp = requests.get(
      "https://admin.knoxcall.com/admin/tenant-kms",
      headers={
          "Authorization": f"Bearer {KC_ADMIN_JWT}",
          "X-Tenant-ID": KC_TENANT_ID,
      },
  )
  resp.raise_for_status()
  data = resp.json()
  sealed = data["config"]["sealed_since"] is not None
  ```

  ```javascript Node.js theme={"dark"}
  const resp = await fetch("https://admin.knoxcall.com/admin/tenant-kms", {
    headers: {
      "Authorization": `Bearer ${KC_ADMIN_JWT}`,
      "X-Tenant-ID": KC_TENANT_ID,
    },
  });
  const { config, keys } = await resp.json();
  const isSealed = config.sealed_since !== null;
  ```
</CodeGroup>
