Skip to main content

POST /keys

Generate a new key

Generates a new key and returns its ttag (base64 hidden-link handle). The caller becomes the key OWNER. The request body is empty ({}).

Authentication

Requires the X-Session header (the opaque session id from POST /login). See Authentication.

Request

Empty JSON body ({}).

Responses

200

Key generated; caller is owner.

FieldTypeRequiredDescription
ttagstring (base64)yesBase64 of the key's "hidden link" buffer — the opaque handle for the newly generated key. The caller becomes the key OWNER. Pass this ttag to export/grant/revoke.

Example

{
"ttag": "dGFnLWJhc2U2NC1leGFtcGxl"
}

400

Validation error: missing fields, invalid JSON, or body > 1 MB.

401

Authentication required. Two shapes share this status: a session-layer 401 (a plain Error, no reauth flag) means a missing or unknown/expired X-Session — re-login for a new session id; a token-layer 401 (ReauthError with reauth: true) means the server-held token expired — re-run POST /login and retry.

500

Other kS operation error.

Error handling

This endpoint can return the statuses below. For request bodies and the client action per status, see the full error contract.

StatusMeaning
400Validation error: missing fields, invalid JSON, or body > 1 MB.
401Authentication required. Two shapes share this status: a session-layer 401 (a plain Error, no reauth flag) means a missing or unknown/expired X-Session — re-login for a new session id; a token-layer 401 (ReauthError with reauth: true) means the server-held token expired — re-run POST /login and retry.
500Other kS operation error.
Distinguish 401-reauth from 403

A 401 with { "reauth": true } means the server-held token expired — re-run POST /login and retry. A 403 is a real authorization denial — surface it; retrying will not help.