KMS API reference
The KMS API is part of the Thalassa Cloud platform API. Full OpenAPI definitions are available in the API reference.
Base path
/v1/kms
Required headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Bearer token or equivalent credential |
| X-Organisation-Identity | Yes | Organisation identifier |
| X-Project-Identity | No | Project identifier for project-scoped keys |
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/kms/summary | Feature status, per-region availability, and key counts |
| GET | /v1/kms/{region}/keys | List keys in a region |
| POST | /v1/kms/{region}/keys | Create a key |
| GET | /v1/kms/{region}/keys/{id} | Get a key by identity or slug |
| GET | /v1/kms/{region}/wrapping-key | BYOK wrapping key (RSA public key, PEM) |
| GET | /v1/kms/{region}/keys/{id}/public-key | Export public key(s) by version |
| POST | /v1/kms/{region}/keys/{id}/encrypt | Encrypt plaintext |
| POST | /v1/kms/{region}/keys/{id}/decrypt | Decrypt ciphertext |
| POST | /v1/kms/{region}/keys/{id}/sign | Sign data |
| POST | /v1/kms/{region}/keys/{id}/verify | Verify signature |
| POST | /v1/kms/{region}/keys/{id}/hmac | Generate HMAC |
| POST | /v1/kms/{region}/keys/{id}/verify-hmac | Verify HMAC |
| PATCH | /v1/kms/{region}/keys/{id}/rotation | Update automatic rotation settings |
| POST | /v1/kms/{region}/keys/{id}/rotate | Manual rotation |
| POST | /v1/kms/{region}/keys/{id}/export | Export key material |
| POST | /v1/kms/{region}/keys/{id}/disable | Disable key |
| POST | /v1/kms/{region}/keys/{id}/enable | Enable key |
| DELETE | /v1/kms/{region}/keys/{id} | Schedule deletion |
| DELETE | /v1/kms/{region}/keys/{id}/cancel-deletion | Cancel scheduled deletion |
Replace {region} with the target cloud region (for example, nl-01) and {id} with the key identity or slug.
List filters
GET /{region}/keys supports query parameters:
| Parameter | Description |
|---|---|
| identity | Filter by key identity |
| name | Filter by name |
| slug | Filter by slug |
Regional paths
All key operations except /summary require a region in the path. Crypto calls must target the region where the key was created.
Common response codes
| HTTP status | Meaning |
|---|---|
| 403 | KMS not enabled for the organisation |
| 404 | Region or key not found, or insufficient IAM permissions (masked as not found) |
| 400 | Validation error; key disabled or pending deletion; unsupported operation |
| 409 | Duplicate key slug in scope |
| 503 | KMS not available in the region |
See FAQ for troubleshooting.
Documentation by topic
| Topic | Guide |
|---|---|
| Create keys | Creating keys |
| BYOK import | Bring your own key |
| Encrypt / decrypt | Encrypt and decrypt |
| Sign / HMAC | Sign, verify, and HMAC |
| Rotation | Rotation |
| Lifecycle | Key lifecycle |
| IAM | Access control |
Full specification
For request and response schemas, error models, and authentication details, refer to the platform OpenAPI specification in the API reference.