
Stage or re-stage a customer KMS key for BYOK.

Staging records intent only. It does not move the tenant DEK until `:activate` succeeds.

POST /v1/tenants/{tenant}/byok:stage

Authorization: Bearer <token>

JWT Authorization header using the Bearer scheme. Enter 'Bearer' [space] and then your token.

In: header

Path Parameters

tenant* string

The tenant identifier

provider? string

Cloud KMS provider that holds a BYOK tenant's customer-owned KEK. Only `Fruxon.Model.Encryption.Byok.ByokKmsProvider.Gcp` is wired today; `Fruxon.Model.Encryption.Byok.ByokKmsProvider.Aws` reserves the enum slot so the resolver/factory dispatch can grow an AWS implementation without reworking callers (see `docs/design/byok-credential-encryption.md` §3.2).

Value in: "UNSPECIFIED" | "GCP" | "AWS"

kmsKeyResourceName? string | null

authMode? string

How Fruxon authenticates to a BYOK tenant's customer-owned KMS. The preferred mode stores no secret at rest (see docs/design/byok-credential-encryption.md §3.3).

Value in: "UNSPECIFIED" | "GCP_ADC_IAM_BINDING" | "GCP_SERVICE_ACCOUNT_KEY_SECRET"

authSecretRef? string | null

[key: string]? never
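A pre-flight check for the stage request body described above, as an added example that is not Fruxon's own code. It applies a local policy stricter than the schema: only `GCP` is accepted because it is the only provider wired today, and the secret-storing auth mode is flagged. Assumptions: the function names, the Cloud KMS CryptoKey name pattern (key, not key version), and the pairing of `authSecretRef` with `GCP_SERVICE_ACCOUNT_KEY_SECRET`.

```python
import json
import re
import urllib.request
from urllib.parse import quote

API_BASE = "https://api.fruxon.com"  # host taken from the page's curl sample

# Cloud KMS CryptoKey resource name. Assumption: the key itself, not a key version.
GCP_KEY_RE = re.compile(
    r"projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+")


def check_stage_body(body):
    """Return (errors, warnings) for a byok:stage request body."""
    errors, warnings = [], []
    allowed = {"provider", "kmsKeyResourceName", "authMode", "authSecretRef"}
    for extra in sorted(set(body) - allowed):
        errors.append(f"unknown field: {extra}")  # schema: [key: string]? never
    if body.get("provider") != "GCP":
        errors.append("provider must be GCP (the only provider wired today)")
    elif not GCP_KEY_RE.fullmatch(body.get("kmsKeyResourceName") or ""):
        errors.append("kmsKeyResourceName is not a Cloud KMS CryptoKey name")
    mode = body.get("authMode")
    if mode == "GCP_SERVICE_ACCOUNT_KEY_SECRET":
        warnings.append("authMode stores a secret; prefer GCP_ADC_IAM_BINDING")
        if not body.get("authSecretRef"):  # assumed pairing, not stated on the page
            errors.append("authSecretRef missing for secret-based authMode")
    elif mode == "GCP_ADC_IAM_BINDING":
        if body.get("authSecretRef"):  # assumed: ADC mode needs no secret reference
            warnings.append("authSecretRef set but ADC mode needs no secret")
    else:
        errors.append("authMode must be set to a GCP mode")  # local policy
    return errors, warnings


def build_stage_request(tenant, token, body):
    """Build (without sending) the POST; raise if the body fails the checks."""
    errors, _ = check_stage_body(body)
    if errors:
        raise ValueError("; ".join(errors))
    return urllib.request.Request(
        f"{API_BASE}/v1/tenants/{quote(tenant, safe='')}/byok:stage",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")
```
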

Response Body

curl -X POST "https://api.fruxon.com/v1/tenants/string/byok:stage" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{}'
{
  "configured": false,
  "config": {
    "id": "00000000-0000-0000-0000-000000000000",
    "provider": "GCP",
    "kmsKeyResourceName": "string",
    "authMode": "GCP_ADC_IAM_BINDING",
    "authSecretRef": "string",
    "status": "PENDING_VALIDATION",
    "configVersion": 0,
    "lastValidatedAt": 0,
    "lastValidationError": "string",
    "createdAt": 0,
    "modifiedAt": 0
  }
}
{
  "type": "string",
  "title": "string",
  "status": 0,
  "detail": "string",
  "instance": "string",
  "property1": null,
  "property2": null
}
Empty