Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.knoxcall.com/llms.txt

Use this file to discover all available pages before exploring further.

POST /admin/tenant-kms/unseal

Force an immediate unseal attempt after restoring KMS access. Idempotent — calling it when the tenant is already unsealed returns 409 not_sealed. Auth: Authorization: Bearer <token> + X-KnoxCall-StepUp with a 2-minute window. KnoxCall also polls automatically every 30 seconds after a seal event. Manual unseal forces immediate recovery rather than waiting for the next poll cycle.

Response

{ "unsealed": true }

Error codes

StatusCodeMeaning
404no_kms_configNo customer KMS configured for this tenant
409not_sealedTenant is not currently sealed
502unseal_failedUnseal attempt failed — KMS still unreachable or access still denied
unseal_failed includes a reason field: "access_denied" (IAM grant still missing) or "unreachable" (network issue). 
curl -X POST https://api.knoxcall.com/admin/tenant-kms/unseal \
  -H "Authorization: Bearer $KC_ADMIN_JWT" \
  -H "X-KnoxCall-StepUp: $STEPUP_TOKEN"