Skip to main content
POST
/
api
/
v1
/
kms
/
keys
cURL
curl --request POST \
  --url https://us.infisical.com/api/v1/kms/keys \
  --header 'Content-Type: application/json' \
  --data '
{
  "projectId": "<string>",
  "name": "<string>",
  "description": "<string>",
  "keyUsage": "encrypt-decrypt",
  "encryptionAlgorithm": "aes-256-gcm",
  "isExportable": true
}
'
{
  "key": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "orgId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "<string>",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "encryptionAlgorithm": "<string>",
    "description": "<string>",
    "isDisabled": false,
    "projectId": "<string>",
    "keyUsage": "encrypt-decrypt",
    "kmipMetadata": null,
    "isExportable": true,
    "version": 1
  }
}

Body

application/json
projectId
string
required

The ID of the project to create the key in.

name
string
required

The name of the key to be created. Must be slug-friendly.

Required string length: 1 - 32
description
string

An optional description of the key.

Maximum string length: 500
keyUsage
enum<string>
default:encrypt-decrypt

The type of key to be created, either encrypt-decrypt or sign-verify, based on your intended use for the key.

Available options:
encrypt-decrypt,
sign-verify
encryptionAlgorithm
enum<string>
default:aes-256-gcm

The algorithm to use when performing cryptographic operations with the key.

Available options:
aes-256-gcm,
aes-128-gcm,
RSA_4096,
ECC_NIST_P256,
ECC_NIST_P384,
ECC_NIST_P521,
ML_DSA_44,
ML_DSA_65,
ML_DSA_87
isExportable
boolean
default:true

Whether the raw key material can be exported after creation. When set to false, the key can never be exported regardless of permissions. This cannot be changed after creation.

Response

Default Response

key
object
required