Skip to content

Generate a new signing key pair

POST
/api/signing-keys

Generate an asymmetric key pair and persist the public side.

The private key is returned exactly once in the response body as private_key_pem. It is never stored server-side — if lost, a new key pair must be generated.

Authorizations

Parameters

Query Parameters

organization_id
required
string format: uuid

Request Body required

Request body for creating (generating) a new signing key pair.

The server generates the key pair; only the public half is persisted. The private key is returned once in SigningKeyCreateResponse.

object
algo
required

Key algorithm — RSA-4096 or ECDSA-P384

string
Allowed values: RSA-4096 ECDSA-P384
name
required

Human-readable key name

string
>= 1 characters <= 255 characters

Responses

201

Successful Response

Response returned once when a new key pair is generated.

Includes the PEM-encoded private key — this is the only time it is returned. The server does not persist private key material.

object
algo
required
string
created_at
required
string format: date-time
fingerprint
required
string
id
required
string format: uuid
is_active
required
boolean
name
required
string
private_key_pem
required

PEM-encoded private key — store securely; not recoverable after this response

string
revoked_at
Any of:
string format: date-time

422

Validation Error

object
detail
Array<object>
object
loc
required
Array
msg
required
string
type
required
string