Thrive AI Health
Api reference

Mint a new taih-tenant-key for the caller's org

The raw `secret` is returned **exactly once** in this response — store it immediately. Subsequent `GET` reads return metadata only. For zero-downtime rotation of a single active key, prefer `POST /v1/auth/tenant-key/rotate` (Identity service); these CRUD endpoints support multi-key topologies (e.g. one key per backend service).

POST
/v1/admin/org/tenant-keys

Header Parameters

org-id?string|null
x-user-id?string|null
x-request-id?string|null
traceparent?string|null
Idempotency-Key?|null

Request Body

application/json

TypeScript Definitions

Use the request body type in TypeScript.

Response Body

application/json

application/json

curl -X POST "https://loading/v1/admin/org/tenant-keys" \  -H "Content-Type: application/json" \  -d '{    "name": "string"  }'
{
  "data": {
    "id": "string",
    "name": "string",
    "prefix": "string",
    "created_at": "2019-08-24T14:15:22Z",
    "last_used_at": "2019-08-24T14:15:22Z",
    "revoked_at": "2019-08-24T14:15:22Z",
    "expires_at": "2019-08-24T14:15:22Z",
    "is_current": true,
    "secret": "string"
  }
}
{
  "detail": [
    {
      "loc": [
        "string"
      ],
      "msg": "string",
      "type": "string"
    }
  ]
}

List tenant keys (metadata only — no secrets)

Paginated list of tenant keys. `include_revoked=true` includes revoked rows (default excludes them). `is_current=true` flags the key that authenticated the current request — partners use this to identify which key not to revoke.

Revoke a tenant key

Subsequent requests using the raw secret receive `401 unauthorized`. Revoking the key used to authenticate the current request returns `409 cannot_revoke_self` — mint a replacement and authenticate with it first, or use `POST /v1/auth/tenant-key/rotate` for grace-period rotation.