Rotate Key

Generate a New Data Encryption Key (DEK)

curl --request POST \
  --url https://api.customer.com/sarvam/byok/v1/rotate-key \
  --header 'Authorization: Bearer <token>' \
  --header 'x-request-id: <x-request-id>' \
  --header 'x-request-timestamp: <x-request-timestamp>'

{
  "data": {
    "encrypted_dek": "byok:v1:CiBBRAND+NEW/ENCRYPTED+DATA+STRING",
    "key_alias": "samvaad-prod-master-key-01",
    "plaintext_dek": "VGhpcyBJcyBBIERlY3J5cHRlZCBLZXkgRm9yIFRlc3Rpbmc="
  }
}

POST

rotate-key

Generate a New Data Encryption Key (DEK)

curl --request POST \
  --url https://api.customer.com/sarvam/byok/v1/rotate-key \
  --header 'Authorization: Bearer <token>' \
  --header 'x-request-id: <x-request-id>' \
  --header 'x-request-timestamp: <x-request-timestamp>'

{
  "data": {
    "encrypted_dek": "byok:v1:CiBBRAND+NEW/ENCRYPTED+DATA+STRING",
    "key_alias": "samvaad-prod-master-key-01",
    "plaintext_dek": "VGhpcyBJcyBBIERlY3J5cHRlZCBLZXkgRm9yIFRlc3Rpbmc="
  }
}

Authorizations

Authorization

string

header

required

A token sent in the Authorization header.

This can be one of two types:

A short-lived JWT obtained from the /auth endpoint.
A long-lived, static API Key provided during setup.

In both cases, the header format is Authorization: Bearer <token>.

Headers

x-request-id

string<uuid>

required

A unique identifier for this specific API call, generated by the client (Samvaad).

x-trace-id

string<uuid>

An identifier to trace a single request across multiple services.

x-request-timestamp

string<date-time>

required

The ISO 8601 timestamp of when the client sent the request.

Response

New DEK successfully generated. Returns the new encrypted and plaintext DEK.

data

object

required

The response payload containing the new DEK in both plaintext and encrypted forms.

Show child attributes

Decrypt Key

Instant Outbound

Analytics

BYOK (Bring Your Own Key) API

Authorizations

Headers

Response