POST /keys
Generate a new key
Generates a new key and returns its ttag (base64 hidden-link handle). The caller becomes the key OWNER. The request body is empty ({}).
Authentication
Requires the X-Session header (the opaque session id from POST /login). See Authentication.
Request
Empty JSON body ({}).
Responses
200
Key generated; caller is owner.
| Field | Type | Required | Description |
|---|---|---|---|
ttag | string (base64) | yes | Base64 of the key's "hidden link" buffer — the opaque handle for the newly generated key. The caller becomes the key OWNER. Pass this ttag to export/grant/revoke. |
Example
{
"ttag": "dGFnLWJhc2U2NC1leGFtcGxl"
}
400
Validation error: missing fields, invalid JSON, or body > 1 MB.
401
Authentication required. Two shapes share this status: a session-layer 401 (a plain Error, no reauth flag) means a missing or unknown/expired X-Session — re-login for a new session id; a token-layer 401 (ReauthError with reauth: true) means the server-held token expired — re-run POST /login and retry.
500
Other kS operation error.
Error handling
This endpoint can return the statuses below. For request bodies and the client action per status, see the full error contract.
| Status | Meaning |
|---|---|
400 | Validation error: missing fields, invalid JSON, or body > 1 MB. |
401 | Authentication required. Two shapes share this status: a session-layer 401 (a plain Error, no reauth flag) means a missing or unknown/expired X-Session — re-login for a new session id; a token-layer 401 (ReauthError with reauth: true) means the server-held token expired — re-run POST /login and retry. |
500 | Other kS operation error. |
A 401 with { "reauth": true } means the server-held token expired — re-run POST /login and retry. A 403 is a real authorization denial — surface it; retrying will not help.