ApiTenantbyok
Offboard BYOK by re-wrapping the tenant DEK back under the Fruxon baseline KEK.
Reverses `:activate`: re-wraps the tenant DEK under the Fruxon-managed baseline KEK so the customer key is no longer in the decryption path, then marks the config disabled. Requires the customer key to still be usable — a tenant whose key is already revoked cannot offboard until the key is restored.
Authorization
Bearer AuthorizationBearer <token>
JWT Authorization header using the Bearer scheme. Enter 'Bearer' [space] and then your token.
In: header
Path Parameters
tenant*string
The tenant identifier
Response Body
curl -X POST "https://api.fruxon.com/v1/tenants/string/byok:offboard"{
"configured": false,
"config": {
"id": "00000000-0000-0000-0000-000000000000",
"provider": "GCP",
"kmsKeyResourceName": "string",
"authMode": "GCP_ADC_IAM_BINDING",
"authSecretRef": "string",
"status": "PENDING_VALIDATION",
"configVersion": 0,
"lastValidatedAt": 0,
"lastValidationError": "string",
"createdAt": 0,
"modifiedAt": 0
}
}Empty
{
"type": "string",
"title": "string",
"status": 0,
"detail": "string",
"instance": "string",
"property1": null,
"property2": null
}{
"type": "string",
"title": "string",
"status": 0,
"detail": "string",
"instance": "string",
"property1": null,
"property2": null
}{
"type": "string",
"title": "string",
"status": 0,
"detail": "string",
"instance": "string",
"property1": null,
"property2": null
}