unseal

user.security.unseal

Loads the caller’s master key into the KMS cache for this process. Required before any encrypted read/write (documents, files, shared vaults, flow submissions, …).

Auth

Bearer JWT required.

Input

input VaultUnsealInput {
    pin: String  # 6-digit PIN
}
  • Tier 1 (Standard): omit pin. The master key is protected by a platform-held secret only.
  • Tier 2 (Enhanced) and above: pin is required. The PIN is combined (Shamir 2/2) with a platform secret to reconstruct the master key.
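Added illustration of the 2-of-2 Shamir reconstruction that the Tier 2 description names. This is example code written for this page, not the product's implementation: the field (GF(2^8) with the AES reduction polynomial), the share positions (PIN-derived share at x = 1, platform share at x = 2), the 32-byte key length and the PIN-stretching KDF (PBKDF2-HMAC-SHA256) are all assumptions made here so the example runs on its own. The `reconstruct` function is the general k-of-n interpolation, of which the page's 2/2 case is one instance.

```python
# Added example: 2-of-2 Shamir reconstruction of a master key from a PIN-derived
# share and a platform-held share. Not the product's code; field, share
# positions, key length and KDF are assumptions for illustration.
import hashlib
from typing import List, Tuple


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (AES polynomial)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^(2^8 - 2) = a^254, defined for a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result


def reconstruct(shares: List[Tuple[int, bytes]]) -> bytes:
    """Lagrange interpolation at x = 0, byte by byte, for k-of-n shares of equal
    length. Subtraction in GF(2^8) is XOR, so (x_j - x_i) is x_j ^ x_i."""
    length = len(shares[0][1])
    secret = bytearray(length)
    for i, (xi, yi) in enumerate(shares):
        # basis value l_i(0) = prod_{j != i} x_j / (x_j - x_i)
        coeff = 1
        for j, (xj, _) in enumerate(shares):
            if j != i:
                coeff = gf_mul(coeff, gf_mul(xj, gf_inv(xj ^ xi)))
        for k in range(length):
            secret[k] ^= gf_mul(yi[k], coeff)
    return bytes(secret)


def pin_to_share(pin: str, salt: bytes) -> bytes:
    """Stretch the 6-digit PIN into a 32-byte share value (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=32)


def enroll(master_key: bytes, pin: str, salt: bytes) -> bytes:
    """Derive the platform share so that PIN share + platform share give master_key.
    With f(x) = s + a*x the PIN share fixes f(1) = s ^ a, hence a = f(1) ^ s,
    and the platform share is f(2) = s ^ 2*a (assumed 32-byte key)."""
    if len(master_key) != 32:
        raise ValueError("example assumes a 32-byte master key")
    y1 = pin_to_share(pin, salt)
    return bytes(s ^ gf_mul(2, y ^ s) for s, y in zip(master_key, y1))


def unseal_key(pin: str, salt: bytes, platform_share: bytes) -> bytes:
    """The Tier 2 combination step: PIN share at x=1, platform share at x=2.
    A wrong PIN interpolates to a different, useless key rather than an error."""
    return reconstruct([(1, pin_to_share(pin, salt)), (2, platform_share)])


if __name__ == "__main__":
    key = bytes(range(32))                 # constructed master key
    salt = b"constructed-salt"             # constructed per-user salt
    platform_share = enroll(key, "123456", salt)
    print(unseal_key("123456", salt, platform_share) == key)   # True
    print(unseal_key("654321", salt, platform_share) == key)   # False
```

Either share on its own is a uniformly distributed value that says nothing about the key; that is the property the 2/2 split buys. It does not add entropy to a six-digit PIN, so the scheme's strength against offline guessing rests on the platform secret staying server-side, which is why the reconstruction happens inside the KMS process rather than on the client.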

GraphQL

mutation UnsealTier2($pin: String!) {
  user {
    security {
      unseal(input: { pin: $pin })
    }
  }
}

Tier 1:

mutation { user { security { unseal(input: {}) } } }

Response

{ "data": { "user": { "security": { "unseal": true } } } }

true on success. Scope error (data.user: null) on failure — the errors array will say whether the PIN was wrong, missing, or the user has no encrypted key material yet.

curl (Tier 2, with PIN)

curl -X POST https://api.test.geena.eu/graphql \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "mutation($pin: String!) { user { security { unseal(input: { pin: $pin }) } } }",
    "variables": { "pin": "123456" }
  }'

Warning

The unsealed master key is held only in the server’s memory. A process restart re-seals every user; clients must be prepared to re-unseal on demand.
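A client-side example of the behaviour this warning asks for: send the unseal mutation exactly as documented above, interpret the documented response shape (`true`, or `data.user: null` with an `errors` array), and re-unseal on demand when an encrypted call fails because the process was re-sealed. This is added code for this page, not part of any SDK the product ships. Assumptions, labelled as such: the transport is an injectable callable (`http_transport` for a real endpoint, `SimulatedServer` for the offline run); the page does not document the error text a re-sealed process returns, so the caller passes an `is_sealed_error` predicate; the simulated server's error messages are constructed.

```python
# Added example: unseal client with re-unseal-on-demand. Not the product's
# SDK; transport and error classification are assumptions described in the
# lead-in, and the simulated server's messages are constructed.
import json
import urllib.request
from typing import Callable, Dict, Optional

Transport = Callable[[dict], dict]  # request body -> parsed GraphQL JSON response

# The two query shapes documented above: Tier 1 omits pin, Tier 2 passes it.
TIER1_UNSEAL = "mutation { user { security { unseal(input: {}) } } }"
TIER2_UNSEAL = "mutation($pin: String!) { user { security { unseal(input: { pin: $pin }) } } }"


class UnsealError(Exception):
    """Raised when data.user is null; carries the server's error messages."""


def http_transport(url: str, token: str) -> Transport:
    """Real transport: POST JSON with the bearer JWT (not exercised offline)."""
    def send(body: dict) -> dict:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def unseal(transport: Transport, pin: Optional[str] = None) -> bool:
    """Tier 1 when pin is None (field omitted), Tier 2 otherwise."""
    body: Dict = ({"query": TIER1_UNSEAL} if pin is None
                  else {"query": TIER2_UNSEAL, "variables": {"pin": pin}})
    resp = transport(body)
    data = resp.get("data") or {}
    if data.get("user") is None:
        # Scope error: the errors array explains why (wrong/missing PIN, no key material)
        messages = [e.get("message", "") for e in resp.get("errors", [])]
        raise UnsealError("; ".join(m for m in messages if m) or "unseal failed")
    return data["user"]["security"]["unseal"] is True


def call_encrypted(transport: Transport, body: dict, pin: Optional[str],
                   is_sealed_error: Callable[[dict], bool], retried: bool = False) -> dict:
    """Run an encrypted operation; if the errors say the key is sealed, unseal and retry once."""
    resp = transport(body)
    if not retried and any(is_sealed_error(e) for e in resp.get("errors", [])):
        unseal(transport, pin)
        return call_encrypted(transport, body, pin, is_sealed_error, retried=True)
    return resp


class SimulatedServer:
    """Constructed stand-in for the API so the example runs offline. It keeps
    the per-process unsealed state the Warning describes, for one Tier 2 user."""

    def __init__(self, pin: str = "123456"):
        self._pin = pin
        self.unsealed = False

    def __call__(self, body: dict) -> dict:
        if "unseal" in body["query"]:
            if body.get("variables", {}).get("pin") == self._pin:
                self.unsealed = True
                return {"data": {"user": {"security": {"unseal": True}}}}
            return {"data": {"user": None},
                    "errors": [{"message": "PIN missing or wrong (constructed message)"}]}
        if not self.unsealed:
            return {"data": {"user": None},
                    "errors": [{"message": "master key sealed (constructed message)"}]}
        return {"data": {"user": {"documents": ["doc-1"]}}}

    def restart(self) -> None:
        self.unsealed = False  # a process restart re-seals every user


if __name__ == "__main__":
    server = SimulatedServer()
    print(unseal(server, "123456"))      # True
    server.restart()                     # simulate the process restart
    result = call_encrypted(server, {"query": "{ user { documents } }"}, "123456",
                            lambda e: "sealed" in e.get("message", ""))
    print(result["data"]["user"]["documents"])   # ['doc-1'] after re-unsealing
```

The retry is bounded to one attempt so that a persistently failing unseal (wrong PIN, no key material) surfaces as an `UnsealError` instead of a loop; the PIN is kept only for the lifetime of the call, since the client should not cache what the server deliberately holds in memory alone.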