Skip to content
qibdo qibdo
v1
API version
  • v1
Theme
Book a demo

Create Crypto Key

POST
/vault/v1/workspaces/{workspace}/engines/qibdo/cryptoKeys
curl --request POST \
--url https://example.com/vault/v1/workspaces/example/engines/qibdo/cryptoKeys \
--header 'Content-Type: application/json' \
--data '{ "name": "example", "purpose": "CRYPTO_KEY_PURPOSE_UNSPECIFIED", "algorithm": "CRYPTO_ALGORITHM_UNSPECIFIED", "protection_level": "PROTECTION_LEVEL_UNSPECIFIED", "minimum_decryptable_version": "example", "rotation_period": "example", "tags": [ { "key": "example", "value": "example", "type": "VAULT_TAG_TYPE_UNSPECIFIED", "description": "example" } ] }'

Creates a new crypto key under a workspace and provisions the initial key version (v1) in the engine. Name is unique within the workspace.

workspace
required
string

The workspace to create the crypto key in.

location_id
string

Optional weak reference to a topology Location where the crypto key resides. Defaults to the global location when omitted; immutable after creation. Only the global location is available in this release.

Media type application/json

QibdoCryptoKey resource — a workspace-scoped, versioned cryptographic key managed by the Qibdo vault engine. The relational database stores key metadata only; key material lives exclusively in the engine.

object
id

The unique identifier of the crypto key (UUID)

stringOutput only
workspace_id

The workspace this crypto key belongs to (UUID, weak reference to taxonomy)

stringOutput only
name
required

Human-readable name of the crypto key, unique within the workspace (3–256 chars, lowercase alphanumerics plus / - _).

string
purpose
required

Intended use of the crypto key (encrypt/decrypt, sign/verify, MAC, wrap).

string format: enum
Allowed values: CRYPTO_KEY_PURPOSE_UNSPECIFIED CRYPTO_KEY_PURPOSE_ENCRYPT_DECRYPT CRYPTO_KEY_PURPOSE_SIGN_VERIFY CRYPTO_KEY_PURPOSE_MAC CRYPTO_KEY_PURPOSE_WRAP
algorithm
required

Cryptographic algorithm of the key. Must be compatible with the purpose.

string format: enum
Allowed values: CRYPTO_ALGORITHM_UNSPECIFIED CRYPTO_ALGORITHM_AES_256_GCM CRYPTO_ALGORITHM_CHACHA20_POLY1305 CRYPTO_ALGORITHM_RSA_2048 CRYPTO_ALGORITHM_RSA_3072 CRYPTO_ALGORITHM_RSA_4096 CRYPTO_ALGORITHM_EC_P256 CRYPTO_ALGORITHM_EC_P384 CRYPTO_ALGORITHM_EC_P521 CRYPTO_ALGORITHM_ED25519 CRYPTO_ALGORITHM_HMAC_SHA256 CRYPTO_ALGORITHM_HMAC_SHA384 CRYPTO_ALGORITHM_HMAC_SHA512
protection_level

Where key material is protected: in software (default) or in an HSM.

string format: enum
Allowed values: PROTECTION_LEVEL_UNSPECIFIED PROTECTION_LEVEL_SOFTWARE PROTECTION_LEVEL_HSM
minimum_decryptable_version

Lowest version number still allowed to decrypt (>= 1).

string
rotation_period

Optional automatic rotation period; null means no auto-rotation.

string
/^-?(?:0|[1-9][0-9]{0,11})(?:\.[0-9]{1,9})?s$/
tags

User-defined tags (key/value pairs) attached to the crypto key.

Array<object>

Vault Tag

A key-value pair used to label and categorize vault resources such as secrets, crypto keys, leases, certificate authorities, certificates, and access policies.

object
key
required

Tag Key

Tag key (1–63 chars, lowercase letters/digits/dashes/underscores).

string
value
required

Tag Value

Tag value (free-form, up to 255 chars).

string
type

Tag Type

Whether the tag is system-managed or user-defined.

string format: enum
Allowed values: VAULT_TAG_TYPE_UNSPECIFIED VAULT_TAG_TYPE_SYSTEM VAULT_TAG_TYPE_USER
description

Tag Description

Optional description.

string
created

Timestamp when the crypto key metadata was created (server-managed).

string format: date-time Output only
updated

Timestamp when the crypto key metadata was last updated (server-managed).

string format: date-time Output only
location_id

Weak reference to a topology Location — where this resource resides. Defaults to the global location when omitted at creation and is immutable thereafter. Only the global location is available in this release.

stringOutput only

OK

Media type application/json

Vault Operation

Tracks the result of a vault command (secret, crypto key, lease, certificate authority, certificate, access policy, or vault-level lifecycle action).

object
id

Operation ID

Unique identifier of the operation.

stringOutput only
workspace_id

Workspace ID

The workspace in whose namespace the operation was executed.

stringOutput only
resource_id

Resource ID

ID of the affected resource (nullable for vault-level lifecycle ops such as snapshot).

stringOutput only
resource_type

Resource Type

URN of the affected resource type (e.g., “com.qibdo.cloud.vault:secret”).

stringOutput only
operation_type

Operation Type

The action performed (CREATE, ROTATE, REVOKE, ENCRYPT, …).

stringOutput only
status

Status

The operation status (PENDING, RUNNING, DONE, FAILED).

stringOutput only
insert_time

Insert Time

When the operation was created.

string format: date-time Output only
start_time

Start Time

When execution started (nullable).

string format: date-time Output only
end_time

End Time

When execution completed (nullable).

string format: date-time Output only
progress

Progress

Progress percentage (0–100).

integer format: int32 Output only
warnings

Warnings

Non-fatal notices emitted during the operation.

Array<object>Output only

Vault Warning

A non-fatal notice emitted by a vault operation. The operation still completed; the warning surfaces unsupported features or capability gaps in the underlying engine.

Warning codes follow the S_SSS_EEE convention:

  • Millions digit: service (9 = vault)
  • Thousands: group
  • Units: specific warning
object
code

Warning Code

Numeric identifier of the warning type.

integer format: uint32 Output only
description

Description

Human-readable explanation of what was ignored or degraded.

stringOutput only
Example generated
{}

Default error response

Media type application/json

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

object
code

The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

integer format: int32
message

A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.

string
details

A list of messages that carry the error details. There is a common set of message types for APIs to use.

Array<object>

Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.

object
@type

The type of the serialized message.

string
key
additional properties
any
Example generated
{
"code": 1,
"message": "example",
"details": [
{
"@type": "example"
}
]
}