specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/keys.json

{
  "swagger": "2.0",
  "info": {
    "title": "KeyVaultClient",
    "description": "The key vault client performs cryptographic key operations and vault operations against the Key Vault service.",
    "version": "7.3-preview"
  },
  "x-ms-parameterized-host": {
    "hostTemplate": "{vaultBaseUrl}",
    "useSchemePrefix": false,
    "positionInOperation": "first",
    "parameters": [
      {
        "name": "vaultBaseUrl",
        "description": "The vault name, for example https://myvault.vault.azure.net.",
        "required": true,
        "type": "string",
        "in": "path",
        "x-ms-skip-url-encoding": true
      }
    ]
  },
  "consumes": [
    "application/json"
  ],
  "produces": [
    "application/json"
  ],
  "paths": {
    "/keys/{key-name}/create": {
      "post": {
        "tags": [
          "Keys"
        ],
        "operationId": "CreateKey",
        "summary": "Creates a new key, stores it, then returns key parameters and attributes to the client.",
        "description": "The create key operation can be used to create any key type in Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "pattern": "^[0-9a-zA-Z-]+$",
            "description": "The name for the new key. The system will generate the version name for the new key."
          },
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/KeyCreateParameters"
            },
            "description": "The parameters to create a key."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "A key bundle containing the result of the create key request.",
            "schema": {
              "$ref": "#/definitions/KeyBundle"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Create key": {
            "$ref": "./examples/CreateKey-example.json"
          }
        }
      }
    },
    "/keys/{key-name}": {
      "put": {
        "tags": [
          "Keys"
        ],
        "operationId": "ImportKey",
        "summary": "Imports an externally created key, stores it, and returns key parameters and attributes to the client.",
        "description": "The import key operation may be used to import any key type into an Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "pattern": "^[0-9a-zA-Z-]+$",
            "description": "Name for the imported key."
          },
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/KeyImportParameters"
            },
            "description": "The parameters to import a key."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "Imported key bundle to the vault.",
            "schema": {
              "$ref": "#/definitions/KeyBundle"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Import key": {
            "$ref": "./examples/ImportKey-example.json"
          }
        }
      },
      "delete": {
        "tags": [
          "Keys"
        ],
        "operationId": "DeleteKey",
        "summary": "Deletes a key of any type from storage in Azure Key Vault.",
        "description": "The delete key operation cannot be used to remove individual versions of a key. This operation removes the cryptographic material associated with the key, which means the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations. This operation requires the keys/delete permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key to delete."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "The public part of the deleted key and deletion information on when the key will be purged.",
            "schema": {
              "$ref": "#/definitions/DeletedKeyBundle"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Delete key": {
            "$ref": "./examples/DeleteKey-example.json"
          }
        }
      }
    },
    "/keys/{key-name}/{key-version}": {
      "patch": {
        "tags": [
          "Keys"
        ],
        "operationId": "UpdateKey",
        "summary": "The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Azure Key Vault.",
        "description": "In order to perform this operation, the key must already exist in the Key Vault. Note: The cryptographic material of a key itself cannot be changed. This operation requires the keys/update permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of key to update."
          },
          {
            "name": "key-version",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The version of the key to update."
          },
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/KeyUpdateParameters"
            },
            "description": "The parameters of the key to update."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "The updated key.",
            "schema": {
              "$ref": "#/definitions/KeyBundle"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Update key": {
            "$ref": "./examples/UpdateKey-example.json"
          }
        }
      },
      "get": {
        "tags": [
          "Keys"
        ],
        "operationId": "GetKey",
        "summary": "Gets the public part of a stored key.",
        "description": "The get key operation is applicable to all key types. If the requested key is symmetric, then no key material is released in the response. This operation requires the keys/get permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key to get."
          },
          {
            "name": "key-version",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "Adding the version parameter retrieves a specific version of a key. This URI fragment is optional. If not specified, the latest version of the key is returned."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "A key bundle containing the key and its attributes.",
            "schema": {
              "$ref": "#/definitions/KeyBundle"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Get key": {
            "$ref": "./examples/GetKey-example.json"
          }
        }
      }
    },
    "/keys/{key-name}/versions": {
      "get": {
        "tags": [
          "Keys"
        ],
        "operationId": "GetKeyVersions",
        "summary": "Retrieves a list of individual key versions with the same key name.",
        "description": "The full key identifier, attributes, and tags are provided in the response. This operation requires the keys/list permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key."
          },
          {
            "name": "maxresults",
            "in": "query",
            "required": false,
            "type": "integer",
            "format": "int32",
            "minimum": 1,
            "maximum": 25,
            "description": "Maximum number of results to return in a page. If not specified the service will return up to 25 results."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "A response message containing a list of keys along with a link to the next page of keys.",
            "schema": {
              "$ref": "#/definitions/KeyListResult"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        },
        "x-ms-examples": {
          "GetKeyVersions": {
            "$ref": "./examples/GetKeyVersions-example.json"
          }
        }
      }
    },
    "/keys": {
      "get": {
        "tags": [
          "Keys"
        ],
        "operationId": "GetKeys",
        "summary": "List keys in the specified vault.",
        "description": "Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a stored key. The LIST operation is applicable to all key types, however only the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response. This operation requires the keys/list permission.",
        "parameters": [
          {
            "name": "maxresults",
            "in": "query",
            "required": false,
            "type": "integer",
            "format": "int32",
            "minimum": 1,
            "maximum": 25,
            "description": "Maximum number of results to return in a page. If not specified the service will return up to 25 results."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "A response message containing a list of keys in the vault along with a link to the next page of keys.",
            "schema": {
              "$ref": "#/definitions/KeyListResult"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        },
        "x-ms-examples": {
          "GetKeys": {
            "$ref": "./examples/GetKeys-example.json"
          }
        }
      }
    },
    "/keys/{key-name}/backup": {
      "post": {
        "tags": [
          "Keys"
        ],
        "operationId": "BackupKey",
        "summary": "Requests that a backup of the specified key be downloaded to the client.",
        "description": "The Key Backup operation exports a key from Azure Key Vault in a protected form. Note that this operation does NOT return key material in a form that can be used outside the Azure Key Vault system, the returned key material is either protected to a Azure Key Vault HSM or to Azure Key Vault itself. The intent of this operation is to allow a client to GENERATE a key in one Azure Key Vault instance, BACKUP the key, and then RESTORE it into another Azure Key Vault instance. The BACKUP operation may be used to export, in protected form, any key type from Azure Key Vault. Individual versions of a key cannot be backed up. BACKUP / RESTORE can be performed within geographical boundaries only; meaning that a BACKUP from one geographical area cannot be restored to another geographical area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This operation requires the key/backup permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "The backup blob containing the backed up key.",
            "schema": {
              "$ref": "#/definitions/BackupKeyResult"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "BackupKey": {
            "$ref": "./examples/BackupKey-example.json"
          }
        }
      }
    },
    "/keys/restore": {
      "post": {
        "tags": [
          "Keys"
        ],
        "operationId": "RestoreKey",
        "summary": "Restores a backed up key to a vault.",
        "description": "Imports a previously backed up key into Azure Key Vault, restoring the key, its key identifier, attributes and access control policies. The RESTORE operation may be used to import a previously backed up key. Individual versions of a key cannot be restored. The key is restored in its entirety with the same key name as it had when it was backed up. If the key name is not available in the target Key Vault, the RESTORE operation will be rejected. While the key name is retained during restore, the final key identifier will change if the key is restored to a different vault. Restore will restore all versions and preserve version identifiers. The RESTORE operation is subject to security constraints: The target Key Vault must be owned by the same Microsoft Azure Subscription as the source Key Vault The user must have RESTORE permission in the target Key Vault. This operation requires the keys/restore permission.",
        "parameters": [
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/KeyRestoreParameters"
            },
            "description": "The parameters to restore the key."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "Restored key bundle in the vault.",
            "schema": {
              "$ref": "#/definitions/KeyBundle"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "RestoreKey": {
            "$ref": "./examples/RestoreKey-example.json"
          }
        }
      }
    },
    "/keys/{key-name}/{key-version}/encrypt": {
      "post": {
        "tags": [
          "Keys"
        ],
        "operationId": "encrypt",
        "summary": "Encrypts an arbitrary sequence of bytes using an encryption key that is stored in a key vault.",
        "description": "The ENCRYPT operation encrypts an arbitrary sequence of bytes using an encryption key that is stored in Azure Key Vault. Note that the ENCRYPT operation only supports a single block of data, the size of which is dependent on the target key and the encryption algorithm to be used. The ENCRYPT operation is only strictly necessary for symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be performed using public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/encrypt permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key."
          },
          {
            "name": "key-version",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The version of the key."
          },
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/KeyOperationsParameters"
            },
            "description": "The parameters for the encryption operation."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "The encryption result.",
            "schema": {
              "$ref": "#/definitions/KeyOperationResult"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Encrypt example": {
            "$ref": "./examples/encrypt-example.json"
          }
        }
      }
    },
    "/keys/{key-name}/{key-version}/decrypt": {
      "post": {
        "tags": [
          "Keys"
        ],
        "operationId": "decrypt",
        "summary": "Decrypts a single block of encrypted data.",
        "description": "The DECRYPT operation decrypts a well-formed block of ciphertext using the target encryption key and specified algorithm. This operation is the reverse of the ENCRYPT operation; only a single block of data may be decrypted, the size of this block is dependent on the target key and the algorithm to be used. The DECRYPT operation applies to asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key."
          },
          {
            "name": "key-version",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The version of the key."
          },
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/KeyOperationsParameters"
            },
            "description": "The parameters for the decryption operation."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "The decryption result.",
            "schema": {
              "$ref": "#/definitions/KeyOperationResult"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Decrypt example": {
            "$ref": "./examples/decrypt-example.json"
          }
        }
      }
    },
    "/keys/{key-name}/{key-version}/sign": {
      "post": {
        "tags": [
          "Keys"
        ],
        "operationId": "sign",
        "summary": "Creates a signature from a digest using the specified key.",
        "description": "The SIGN operation is applicable to asymmetric and symmetric keys stored in Azure Key Vault since this operation uses the private portion of the key. This operation requires the keys/sign permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key."
          },
          {
            "name": "key-version",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The version of the key."
          },
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/KeySignParameters"
            },
            "description": "The parameters for the signing operation."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "The signature value.",
            "schema": {
              "$ref": "#/definitions/KeyOperationResult"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Sign": {
            "$ref": "./examples/sign-example.json"
          }
        }
      }
    },
    "/keys/{key-name}/{key-version}/verify": {
      "post": {
        "tags": [
          "Keys"
        ],
        "operationId": "verify",
        "summary": "Verifies a signature using a specified key.",
        "description": "The VERIFY operation is applicable to symmetric keys stored in Azure Key Vault. VERIFY is not strictly necessary for asymmetric keys stored in Azure Key Vault since signature verification can be performed using the public portion of the key but this operation is supported as a convenience for callers that only have a key-reference and not the public portion of the key. This operation requires the keys/verify permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key."
          },
          {
            "name": "key-version",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The version of the key."
          },
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/KeyVerifyParameters"
            },
            "description": "The parameters for verify operations."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "The verification result.",
            "schema": {
              "$ref": "#/definitions/KeyVerifyResult"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Verify": {
            "$ref": "./examples/verify-example.json"
          }
        }
      }
    },
    "/keys/{key-name}/{key-version}/wrapkey": {
      "post": {
        "tags": [
          "Keys"
        ],
        "operationId": "wrapKey",
        "summary": "Wraps a symmetric key using a specified key.",
        "description": "The WRAP operation supports encryption of a symmetric key using a key encryption key that has previously been stored in an Azure Key Vault. The WRAP operation is only strictly necessary for symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be performed using the public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key."
          },
          {
            "name": "key-version",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The version of the key."
          },
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/KeyOperationsParameters"
            },
            "description": "The parameters for wrap operation."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "The wrapped symmetric key.",
            "schema": {
              "$ref": "#/definitions/KeyOperationResult"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Wrapkey": {
            "$ref": "./examples/wrapKey-example.json"
          }
        }
      }
    },
    "/keys/{key-name}/{key-version}/unwrapkey": {
      "post": {
        "tags": [
          "Keys"
        ],
        "operationId": "unwrapKey",
        "summary": "Unwraps a symmetric key using the specified key that was initially used for wrapping that key.",
        "description": "The UNWRAP operation supports decryption of a symmetric key using the target key encryption key. This operation is the reverse of the WRAP operation. The UNWRAP operation applies to asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/unwrapKey permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key."
          },
          {
            "name": "key-version",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The version of the key."
          },
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/KeyOperationsParameters"
            },
            "description": "The parameters for the key operation."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "The unwrapped symmetric key.",
            "schema": {
              "$ref": "#/definitions/KeyOperationResult"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Unwrapkey": {
            "$ref": "./examples/unwrapKey-example.json"
          }
        }
      }
    },
    "/keys/{key-name}/{key-version}/export": {
      "post": {
        "tags": [
          "Keys"
        ],
        "operationId": "export",
        "summary": "Exports a key.",
        "description": "The export key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/export permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key to get."
          },
          {
            "name": "key-version",
            "required": true,
            "in": "path",
            "type": "string",
            "description": "Adding the version parameter retrieves a specific version of a key."
          },
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/KeyExportParameters"
            },
            "description": "The parameters for the key export operation."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "A key bundle containing the key and its attributes.",
            "schema": {
              "$ref": "#/definitions/KeyBundle"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Export": {
            "$ref": "./examples/export-example.json"
          }
        }
      }
    },
    "/keys/{key-name}/{key-version}/release": {
      "post": {
        "tags": [
          "Keys"
        ],
        "operationId": "release",
        "summary": "Releases a key.",
        "description": "The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key to get."
          },
          {
            "name": "key-version",
            "required": true,
            "in": "path",
            "type": "string",
            "description": "Adding the version parameter retrieves a specific version of a key."
          },
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/KeyReleaseParameters"
            },
            "description": "The parameters for the key release operation."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "A key bundle containing the key and its attributes.",
            "schema": {
              "$ref": "#/definitions/KeyReleaseResult"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "Release": {
            "$ref": "./examples/release-example.json"
          }
        }
      }
    },
    "/deletedkeys": {
      "get": {
        "tags": [
          "DeletedKeys"
        ],
        "operationId": "GetDeletedKeys",
        "summary": "Lists the deleted keys in the specified vault.",
        "description": "Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a deleted key. This operation includes deletion-specific information. The Get Deleted Keys operation is applicable for vaults enabled for soft-delete. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/list permission.",
        "parameters": [
          {
            "name": "maxresults",
            "in": "query",
            "required": false,
            "type": "integer",
            "format": "int32",
            "minimum": 1,
            "maximum": 25,
            "description": "Maximum number of results to return in a page. If not specified the service will return up to 25 results."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "A response message containing a list of deleted keys in the vault along with a link to the next page of deleted keys.",
            "schema": {
              "$ref": "#/definitions/DeletedKeyListResult"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        },
        "x-ms-examples": {
          "GetDeletedKeys": {
            "$ref": "./examples/GetDeletedKeys-example.json"
          }
        }
      }
    },
    "/deletedkeys/{key-name}": {
      "get": {
        "tags": [
          "DeletedKeys"
        ],
        "operationId": "GetDeletedKey",
        "summary": "Gets the public part of a deleted key.",
        "description": "The Get Deleted Key operation is applicable for soft-delete enabled vaults. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/get permission. ",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "A DeletedKeyBundle consisting of a WebKey plus its Attributes and deletion information.",
            "schema": {
              "$ref": "#/definitions/DeletedKeyBundle"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "GetDeletedKey": {
            "$ref": "./examples/GetDeletedKey-example.json"
          }
        }
      },
      "delete": {
        "tags": [
          "DeletedKeys"
        ],
        "operationId": "PurgeDeletedKey",
        "summary": "Permanently deletes the specified key.",
        "description": "The Purge Deleted Key operation is applicable for soft-delete enabled vaults. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/purge permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the key"
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "204": {
            "description": "No content, signaling that the key was permanently purged."
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "PurgeDeletedKey": {
            "$ref": "./examples/PurgeDeletedKey-example.json"
          }
        }
      }
    },
    "/deletedkeys/{key-name}/recover": {
      "post": {
        "tags": [
          "DeletedKeys"
        ],
        "operationId": "RecoverDeletedKey",
        "summary": "Recovers the deleted key to its latest version.",
        "description": "The Recover Deleted Key operation is applicable for deleted keys in soft-delete enabled vaults. It recovers the deleted key back to its latest version under /keys. An attempt to recover an non-deleted key will return an error. Consider this the inverse of the delete operation on soft-delete enabled vaults. This operation requires the keys/recover permission.",
        "parameters": [
          {
            "name": "key-name",
            "in": "path",
            "required": true,
            "type": "string",
            "description": "The name of the deleted key."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "A Key bundle of the original key and its attributes",
            "schema": {
              "$ref": "#/definitions/KeyBundle"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "RecoverDeletedKey": {
            "$ref": "./examples/RecoverDeletedKey-example.json"
          }
        }
      }
    },
    "/randomnumbers": {
      "post": {
        "tags": [
          "RandomNumbers"
        ],
        "operationId": "getRandomNumbers",
        "summary": "Get the requested number of bytes containing random values.",
        "description": "Get the requested number of bytes containing random values from a managed HSM.",
        "parameters": [
          {
            "name": "parameters",
            "in": "body",
            "required": true,
            "x-ms-client-flatten": true,
            "schema": {
              "$ref": "#/definitions/GetRandomNumbersRequest"
            },
            "description": "The request object to get random numbers."
          },
          {
            "$ref": "#/parameters/ApiVersionParameter"
          }
        ],
        "responses": {
          "200": {
            "description": "The bytes encoded as a base64url string.",
            "schema": {
              "$ref": "#/definitions/GetRandomNumbersResponse"
            }
          },
          "default": {
            "description": "Key Vault error response describing why the operation failed.",
            "schema": {
              "$ref": "common.json#/definitions/KeyVaultError"
            }
          }
        },
        "x-ms-examples": {
          "GetRandomNumbers": {
            "$ref": "./examples/RandomNumbers-example.json"
          }
        }
      }
    }
  },
  "definitions": {
    "GetRandomNumbersRequest": {
      "properties": {
        "bytesLength": {
          "type": "integer",
          "format": "int32",
          "minimum": 1,
          "maximum": 128,
          "description": "The requested number of random bytes."
        }
      },
      "description": "The get random numbers request object.",
      "required": [
        "bytesLength"
      ]
    },
    "GetRandomNumbersResponse": {
      "properties": {
        "value": {
          "type": "string",
          "format": "base64url",
          "description": "The bytes encoded as a base64url string."
        }
      },
      "description": "The get random numbers response object containing the bytes."
    },
    "KeyReleasePolicy": {
      "properties": {
        "contentType": {
          "description": "Content type and version of key release policy",
          "type": "string",
          "default": "application/json; charset=utf-8; version=1.0"
        },
        "data": {
          "description": "Blob encoding the policy rules under which the key can be released.",
          "type": "string",
          "format": "base64url"
        }
      }
    },
    "JsonWebKey": {
      "properties": {
        "kid": {
          "type": "string",
          "description": "Key identifier."
        },
        "kty": {
          "type": "string",
          "description": "JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40.",
          "enum": [
            "EC",
            "EC-HSM",
            "RSA",
            "RSA-HSM",
            "oct",
            "oct-HSM"
          ],
          "x-ms-enum": {
            "name": "JsonWebKeyType",
            "modelAsString": true,
            "values": [
              {
                "value": "EC",
                "description": "Elliptic Curve."
              },
              {
                "value": "EC-HSM",
                "description": "Elliptic Curve with a private key which is stored in the HSM."
              },
              {
                "value": "RSA",
                "description": "RSA (https://tools.ietf.org/html/rfc3447)"
              },
              {
                "value": "RSA-HSM",
                "description": "RSA with a private key which is stored in the HSM."
              },
              {
                "value": "oct",
                "description": "Octet sequence (used to represent symmetric keys)"
              },
              {
                "value": "oct-HSM",
                "description": "Octet sequence (used to represent symmetric keys) which is stored the HSM."
              }
            ]
          }
        },
        "key_ops": {
          "type": "array",
          "items": {
            "type": "string",
            "description": "Supported key operations."
          }
        },
        "n": {
          "type": "string",
          "format": "base64url",
          "description": "RSA modulus."
        },
        "e": {
          "type": "string",
          "format": "base64url",
          "description": "RSA public exponent."
        },
        "d": {
          "type": "string",
          "format": "base64url",
          "description": "RSA private exponent, or the D component of an EC private key."
        },
        "dp": {
          "x-ms-client-name": "DP",
          "type": "string",
          "format": "base64url",
          "description": "RSA private key parameter."
        },
        "dq": {
          "x-ms-client-name": "DQ",
          "type": "string",
          "format": "base64url",
          "description": "RSA private key parameter."
        },
        "qi": {
          "x-ms-client-name": "QI",
          "type": "string",
          "format": "base64url",
          "description": "RSA private key parameter."
        },
        "p": {
          "type": "string",
          "format": "base64url",
          "description": "RSA secret prime."
        },
        "q": {
          "type": "string",
          "format": "base64url",
          "description": "RSA secret prime, with p < q."
        },
        "k": {
          "type": "string",
          "format": "base64url",
          "description": "Symmetric key."
        },
        "key_hsm": {
          "x-ms-client-name": "t",
          "type": "string",
          "format": "base64url",
          "description": "Protected Key, used with 'Bring Your Own Key'."
        },
        "crv": {
          "type": "string",
          "description": "Elliptic curve name. For valid values, see JsonWebKeyCurveName.",
          "enum": [
            "P-256",
            "P-384",
            "P-521",
            "P-256K"
          ],
          "x-ms-enum": {
            "name": "JsonWebKeyCurveName",
            "modelAsString": true,
            "values": [
              {
                "value": "P-256",
                "description": "The NIST P-256 elliptic curve, AKA SECG curve SECP256R1."
              },
              {
                "value": "P-384",
                "description": "The NIST P-384 elliptic curve, AKA SECG curve SECP384R1."
              },
              {
                "value": "P-521",
                "description": "The NIST P-521 elliptic curve, AKA SECG curve SECP521R1."
              },
              {
                "value": "P-256K",
                "description": "The SECG SECP256K1 elliptic curve."
              }
            ]
          }
        },
        "x": {
          "type": "string",
          "format": "base64url",
          "description": "X component of an EC public key."
        },
        "y": {
          "type": "string",
          "format": "base64url",
          "description": "Y component of an EC public key."
        }
      },
      "description": "As of http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18"
    },
    "KeyAttributes": {
      "allOf": [
        {
          "$ref": "common.json#/definitions/Attributes"
        }
      ],
      "properties": {
        "recoverableDays": {
          "type": "integer",
          "format": "int32",
          "readOnly": true,
          "description": "softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0."
        },
        "recoveryLevel": {
          "type": "string",
          "description": "Reflects the deletion recovery level currently in effect for keys in the current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only the system can purge the key, at the end of the retention interval.",
          "enum": [
            "Purgeable",
            "Recoverable+Purgeable",
            "Recoverable",
            "Recoverable+ProtectedSubscription",
            "CustomizedRecoverable+Purgeable",
            "CustomizedRecoverable",
            "CustomizedRecoverable+ProtectedSubscription"
          ],
          "x-ms-enum": {
            "name": "DeletionRecoveryLevel",
            "modelAsString": true,
            "values": [
              {
                "value": "Purgeable",
                "description": "Denotes a vault state in which deletion is an irreversible operation, without the possibility for recovery. This level corresponds to no protection being available against a Delete operation; the data is irretrievably lost upon accepting a Delete operation at the entity level or higher (vault, resource group, subscription etc.)"
              },
              {
                "value": "Recoverable+Purgeable",
                "description": "Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days), unless a Purge operation is requested, or the subscription is cancelled. System wil permanently delete it after 90 days, if not recovered"
              },
              {
                "value": "Recoverable",
                "description": "Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered"
              },
              {
                "value": "Recoverable+ProtectedSubscription",
                "description": "Denotes a vault and subscription state in which deletion is recoverable within retention interval (90 days), immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself  cannot be permanently canceled. System wil permanently delete it after 90 days, if not recovered"
              },
              {
                "value": "CustomizedRecoverable+Purgeable",
                "description": "Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge when 7<= SoftDeleteRetentionInDays < 90). This level guarantees the recoverability of the deleted entity during the retention interval, unless a Purge operation is requested, or the subscription is cancelled."
              },
              {
                "value": "CustomizedRecoverable",
                "description": "Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge when 7<= SoftDeleteRetentionInDays < 90).This level guarantees the recoverability of the deleted entity during the retention interval and while the subscription is still available."
              },
              {
                "value": "CustomizedRecoverable+ProtectedSubscription",
                "description": "Denotes a vault and subscription state in which deletion is recoverable, immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled when 7<= SoftDeleteRetentionInDays < 90. This level guarantees the recoverability of the deleted entity during the retention interval, and also reflects the fact that the subscription itself cannot be cancelled."
              }
            ]
          },
          "readOnly": true,
          "x-nullable": false
        },
        "exportable": {
          "type": "boolean",
          "description": "Indicates if the private key can be exported."
        }
      },
      "description": "The attributes of a key managed by the key vault service."
    },
    "KeyBundle": {
      "properties": {
        "key": {
          "$ref": "#/definitions/JsonWebKey",
          "description": "The Json web key."
        },
        "attributes": {
          "$ref": "#/definitions/KeyAttributes",
          "description": "The key management attributes."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "Application specific metadata in the form of key-value pairs."
        },
        "managed": {
          "type": "boolean",
          "readOnly": true,
          "description": "True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true."
        },
        "release_policy": {
          "$ref": "#/definitions/KeyReleasePolicy",
          "description": "The policy rules under which the key can be exported."
        }
      },
      "description": "A KeyBundle consisting of a WebKey plus its attributes."
    },
    "KeyItem": {
      "properties": {
        "kid": {
          "type": "string",
          "description": "Key identifier."
        },
        "attributes": {
          "$ref": "#/definitions/KeyAttributes",
          "description": "The key management attributes."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "Application specific metadata in the form of key-value pairs."
        },
        "managed": {
          "type": "boolean",
          "readOnly": true,
          "description": "True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true."
        }
      },
      "description": "The key item containing key metadata."
    },
    "DeletedKeyBundle": {
      "allOf": [
        {
          "$ref": "#/definitions/KeyBundle"
        }
      ],
      "properties": {
        "recoveryId": {
          "type": "string",
          "description": "The url of the recovery object, used to identify and recover the deleted key."
        },
        "scheduledPurgeDate": {
          "type": "integer",
          "format": "unixtime",
          "readOnly": true,
          "description": "The time when the key is scheduled to be purged, in UTC"
        },
        "deletedDate": {
          "type": "integer",
          "format": "unixtime",
          "readOnly": true,
          "description": "The time when the key was deleted, in UTC"
        }
      },
      "description": "A DeletedKeyBundle consisting of a WebKey plus its Attributes and deletion info"
    },
    "DeletedKeyItem": {
      "allOf": [
        {
          "$ref": "#/definitions/KeyItem"
        }
      ],
      "properties": {
        "recoveryId": {
          "type": "string",
          "description": "The url of the recovery object, used to identify and recover the deleted key."
        },
        "scheduledPurgeDate": {
          "type": "integer",
          "format": "unixtime",
          "readOnly": true,
          "description": "The time when the key is scheduled to be purged, in UTC"
        },
        "deletedDate": {
          "type": "integer",
          "format": "unixtime",
          "readOnly": true,
          "description": "The time when the key was deleted, in UTC"
        }
      },
      "description": "The deleted key item containing the deleted key metadata and information about deletion."
    },
    "KeyProperties": {
      "properties": {
        "exportable": {
          "type": "boolean",
          "description": "Indicates if the private key can be exported."
        },
        "kty": {
          "x-ms-client-name": "keyType",
          "type": "string",
          "description": "The type of key pair to be used for the certificate.",
          "enum": [
            "EC",
            "EC-HSM",
            "RSA",
            "RSA-HSM",
            "oct",
            "oct-HSM"
          ],
          "x-ms-enum": {
            "name": "JsonWebKeyType",
            "modelAsString": true
          }
        },
        "key_size": {
          "type": "integer",
          "format": "int32",
          "description": "The key size in bits. For example: 2048, 3072, or 4096 for RSA."
        },
        "reuse_key": {
          "type": "boolean",
          "description": "Indicates if the same key pair will be used on certificate renewal."
        },
        "crv": {
          "x-ms-client-name": "curve",
          "type": "string",
          "description": "Elliptic curve name. For valid values, see JsonWebKeyCurveName.",
          "enum": [
            "P-256",
            "P-384",
            "P-521",
            "P-256K"
          ],
          "x-ms-enum": {
            "name": "JsonWebKeyCurveName",
            "modelAsString": true
          }
        }
      },
      "description": "Properties of the key pair backing a certificate."
    },
    "KeyCreateParameters": {
      "properties": {
        "kty": {
          "type": "string",
          "minLength": 1,
          "description": "The type of key to create. For valid values, see JsonWebKeyType.",
          "enum": [
            "EC",
            "EC-HSM",
            "RSA",
            "RSA-HSM",
            "oct",
            "oct-HSM"
          ],
          "x-ms-enum": {
            "name": "JsonWebKeyType",
            "modelAsString": true
          }
        },
        "key_size": {
          "type": "integer",
          "format": "int32",
          "description": "The key size in bits. For example: 2048, 3072, or 4096 for RSA."
        },
        "public_exponent": {
          "type": "integer",
          "format": "int32",
          "description": "The public exponent for a RSA key."
        },
        "key_ops": {
          "type": "array",
          "items": {
            "type": "string",
            "description": "JSON web key operations. For more information, see JsonWebKeyOperation.",
            "enum": [
              "encrypt",
              "decrypt",
              "sign",
              "verify",
              "wrapKey",
              "unwrapKey",
              "import",
              "export"
            ],
            "x-ms-enum": {
              "name": "JsonWebKeyOperation",
              "modelAsString": true
            }
          }
        },
        "attributes": {
          "x-ms-client-name": "keyAttributes",
          "$ref": "#/definitions/KeyAttributes"
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "Application specific metadata in the form of key-value pairs."
        },
        "crv": {
          "x-ms-client-name": "curve",
          "type": "string",
          "description": "Elliptic curve name. For valid values, see JsonWebKeyCurveName.",
          "enum": [
            "P-256",
            "P-384",
            "P-521",
            "P-256K"
          ],
          "x-ms-enum": {
            "name": "JsonWebKeyCurveName",
            "modelAsString": true
          }
        },
        "release_policy": {
          "$ref": "#/definitions/KeyReleasePolicy",
          "description": "The policy rules under which the key can be exported."
        }
      },
      "description": "The key create parameters.",
      "required": [
        "kty"
      ]
    },
    "KeyImportParameters": {
      "properties": {
        "Hsm": {
          "type": "boolean",
          "description": "Whether to import as a hardware key (HSM) or software key."
        },
        "key": {
          "$ref": "#/definitions/JsonWebKey",
          "description": "The Json web key"
        },
        "attributes": {
          "x-ms-client-name": "keyAttributes",
          "$ref": "#/definitions/KeyAttributes",
          "description": "The key management attributes."
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "Application specific metadata in the form of key-value pairs."
        },
        "release_policy": {
          "$ref": "#/definitions/KeyReleasePolicy",
          "description": "The policy rules under which the key can be exported."
        }
      },
      "description": "The key import parameters.",
      "required": [
        "key"
      ]
    },
    "KeyExportParameters": {
      "properties": {
        "kek": {
          "$ref": "#/definitions/JsonWebKey",
          "description": "The export key encryption Json web key. This key MUST be a RSA key that supports encryption."
        }
      },
      "description": "The export key parameters.",
      "required": [
        "kek"
      ]
    },
    "KeyReleaseParameters": {
      "properties": {
        "env": {
          "x-ms-client-name": "environment",
          "type": "string",
          "minLength": 1,
          "description": "The target environment assertion."
        }
      },
      "description": "The release key parameters.",
      "required": [
        "env"
      ]
    },
    "KeyOperationsParameters": {
      "properties": {
        "alg": {
          "x-ms-client-name": "algorithm",
          "type": "string",
          "minLength": 1,
          "description": "algorithm identifier",
          "enum": [
            "RSA-OAEP",
            "RSA-OAEP-256",
            "RSA1_5",
            "A128GCM",
            "A192GCM",
            "A256GCM",
            "A128KW",
            "A192KW",
            "A256KW",
            "A128CBC",
            "A192CBC",
            "A256CBC",
            "A128CBCPAD",
            "A192CBCPAD",
            "A256CBCPAD"
          ],
          "x-ms-enum": {
            "name": "JsonWebKeyEncryptionAlgorithm",
            "modelAsString": true
          }
        },
        "value": {
          "type": "string",
          "format": "base64url"
        },
        "iv": {
          "type": "string",
          "format": "base64url",
          "description": "Initialization vector for symmetric algorithms."
        },
        "aad": {
          "type": "string",
          "format": "base64url",
          "description": "Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms."
        },
        "tag": {
          "type": "string",
          "format": "base64url",
          "description": "The tag to authenticate when performing decryption with an authenticated algorithm."
        }
      },
      "description": "The key operations parameters.",
      "required": [
        "alg",
        "value"
      ]
    },
    "KeySignParameters": {
      "properties": {
        "alg": {
          "x-ms-client-name": "algorithm",
          "type": "string",
          "minLength": 1,
          "description": "The signing/verification algorithm identifier. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm.",
          "enum": [
            "PS256",
            "PS384",
            "PS512",
            "RS256",
            "RS384",
            "RS512",
            "RSNULL",
            "ES256",
            "ES384",
            "ES512",
            "ES256K"
          ],
          "x-ms-enum": {
            "name": "JsonWebKeySignatureAlgorithm",
            "modelAsString": true,
            "values": [
              {
                "value": "PS256",
                "description": "RSASSA-PSS using SHA-256 and MGF1 with SHA-256, as described in https://tools.ietf.org/html/rfc7518"
              },
              {
                "value": "PS384",
                "description": "RSASSA-PSS using SHA-384 and MGF1 with SHA-384, as described in https://tools.ietf.org/html/rfc7518"
              },
              {
                "value": "PS512",
                "description": "RSASSA-PSS using SHA-512 and MGF1 with SHA-512, as described in https://tools.ietf.org/html/rfc7518"
              },
              {
                "value": "RS256",
                "description": "RSASSA-PKCS1-v1_5 using SHA-256, as described in https://tools.ietf.org/html/rfc7518"
              },
              {
                "value": "RS384",
                "description": "RSASSA-PKCS1-v1_5 using SHA-384, as described in https://tools.ietf.org/html/rfc7518"
              },
              {
                "value": "RS512",
                "description": "RSASSA-PKCS1-v1_5 using SHA-512, as described in https://tools.ietf.org/html/rfc7518"
              },
              {
                "value": "RSNULL",
                "description": "Reserved"
              },
              {
                "value": "ES256",
                "description": "ECDSA using P-256 and SHA-256, as described in https://tools.ietf.org/html/rfc7518."
              },
              {
                "value": "ES384",
                "description": "ECDSA using P-384 and SHA-384, as described in https://tools.ietf.org/html/rfc7518"
              },
              {
                "value": "ES512",
                "description": "ECDSA using P-521 and SHA-512, as described in https://tools.ietf.org/html/rfc7518"
              },
              {
                "value": "ES256K",
                "description": "ECDSA using P-256K and SHA-256, as described in https://tools.ietf.org/html/rfc7518"
              }
            ]
          }
        },
        "value": {
          "type": "string",
          "format": "base64url"
        }
      },
      "description": "The key operations parameters.",
      "required": [
        "alg",
        "value"
      ]
    },
    "KeyVerifyParameters": {
      "properties": {
        "alg": {
          "x-ms-client-name": "algorithm",
          "type": "string",
          "minLength": 1,
          "description": "The signing/verification algorithm. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm.",
          "enum": [
            "PS256",
            "PS384",
            "PS512",
            "RS256",
            "RS384",
            "RS512",
            "RSNULL",
            "ES256",
            "ES384",
            "ES512",
            "ES256K"
          ],
          "x-ms-enum": {
            "name": "JsonWebKeySignatureAlgorithm",
            "modelAsString": true
          }
        },
        "digest": {
          "type": "string",
          "format": "base64url",
          "description": "The digest used for signing."
        },
        "value": {
          "x-ms-client-name": "signature",
          "type": "string",
          "format": "base64url",
          "description": "The signature to be verified."
        }
      },
      "description": "The key verify parameters.",
      "required": [
        "alg",
        "digest",
        "value"
      ]
    },
    "KeyUpdateParameters": {
      "properties": {
        "key_ops": {
          "type": "array",
          "items": {
            "type": "string",
            "description": "JSON web key operations. For more information, see JsonWebKeyOperation.",
            "enum": [
              "encrypt",
              "decrypt",
              "sign",
              "verify",
              "wrapKey",
              "unwrapKey",
              "import",
              "export"
            ],
            "x-ms-enum": {
              "name": "JsonWebKeyOperation",
              "modelAsString": true
            }
          },
          "description": "Json web key operations. For more information on possible key operations, see JsonWebKeyOperation."
        },
        "attributes": {
          "x-ms-client-name": "keyAttributes",
          "$ref": "#/definitions/KeyAttributes"
        },
        "tags": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "Application specific metadata in the form of key-value pairs."
        },
        "release_policy": {
          "$ref": "#/definitions/KeyReleasePolicy",
          "description": "The policy rules under which the key can be exported."
        }
      },
      "description": "The key update parameters."
    },
    "KeyRestoreParameters": {
      "properties": {
        "value": {
          "type": "string",
          "x-ms-client-name": "keyBundleBackup",
          "format": "base64url",
          "description": "The backup blob associated with a key bundle."
        }
      },
      "description": "The key restore parameters.",
      "required": [
        "value"
      ]
    },
    "KeyOperationResult": {
      "properties": {
        "kid": {
          "type": "string",
          "description": "Key identifier",
          "readOnly": true
        },
        "value": {
          "x-ms-client-name": "result",
          "type": "string",
          "format": "base64url",
          "readOnly": true
        },
        "iv": {
          "type": "string",
          "format": "base64url",
          "readOnly": true
        },
        "tag": {
          "type": "string",
          "x-ms-client-name": "authenticationTag",
          "format": "base64url",
          "readOnly": true
        },
        "aad": {
          "type": "string",
          "x-ms-client-name": "additionalAuthenticatedData",
          "format": "base64url",
          "readOnly": true
        }
      },
      "description": "The key operation result."
    },
    "KeyVerifyResult": {
      "properties": {
        "value": {
          "type": "boolean",
          "readOnly": true,
          "description": "True if the signature is verified, otherwise false."
        }
      },
      "description": "The key verify result."
    },
    "KeyListResult": {
      "properties": {
        "value": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/KeyItem"
          },
          "readOnly": true,
          "description": "A response message containing a list of keys in the key vault along with a link to the next page of keys."
        },
        "nextLink": {
          "type": "string",
          "readOnly": true,
          "description": "The URL to get the next set of keys."
        }
      },
      "description": "The key list result."
    },
    "DeletedKeyListResult": {
      "properties": {
        "value": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/DeletedKeyItem"
          },
          "readOnly": true,
          "description": "A response message containing a list of deleted keys in the vault along with a link to the next page of deleted keys"
        },
        "nextLink": {
          "type": "string",
          "readOnly": true,
          "description": "The URL to get the next set of deleted keys."
        }
      },
      "description": "A list of keys that have been deleted in this vault."
    },
    "BackupKeyResult": {
      "properties": {
        "value": {
          "type": "string",
          "format": "base64url",
          "readOnly": true,
          "description": "The backup blob containing the backed up key."
        }
      },
      "description": "The backup key result, containing the backup blob."
    },
    "KeyReleaseResult": {
      "properties": {
        "value": {
          "type": "string",
          "format": "base64url",
          "readOnly": true,
          "description": "The blob containing the released key."
        }
      },
      "description": "The release result, containing the released key blob."
    }
  },
  "parameters": {
    "ApiVersionParameter": {
      "name": "api-version",
      "in": "query",
      "required": true,
      "type": "string",
      "description": "Client API version."
    }
  }
}