Skip to main content

POST /admin/tenant-kms/unseal

Force an immediate unseal attempt after restoring KMS access. This is not idempotent — once the tenant is unsealed, calling it again returns 409 not_sealed. Auth: served on the admin host with a session Authorization: Bearer <jwt> plus the X-Tenant-ID header (owner/admin role). This action also requires a recent step-up verification within a 2-minute window — enforced server-side against the authenticated user. No step-up header or token is sent on this request; instead the signed-in user must have re-authenticated shortly beforehand via POST /auth/2fa/verify-step-up (TOTP), POST /auth/passkey/verify-step-up (passkey), or the email fallback (POST /auth/step-up/email-challenge then POST /auth/step-up/verify-email). If no recent verification exists, the endpoint returns 403 { "error": "Recent step-up verification required for this action", "requires_step_up": true, "max_age_minutes": 2 }. Omitting X-Tenant-ID returns 400. Manual unseal forces immediate recovery rather than waiting for the next BYOK bundle-renewal cycle.

Response

Error codes

unseal_failed includes a reason field: "access_denied" (IAM grant still missing) or "unreachable" (network issue).