GPG Keys API

These endpoints are only relevant to private providers. When you publish a private provider to the Terraform Cloud private registry, you must upload the public key of the GPG keypair used to sign the release. Refer to Preparing and Adding a Signing Key for more details.

You need owners team or Manage Private Registry permissions to add, update, or delete GPG keys in a private registry.

List GPG Keys

GET /api/registry/:registry_name/v2/gpg-keys

Parameters

Parameter	Description
`:registry_name`	Must be `private`.

Query Parameters

This endpoint supports pagination with standard URL query parameters. Remember to percent-encode [ as %5B and ] as %5D if your tooling does not automatically encode URLs.

Parameter	Description
`filter[namespace]`	Required. A comma-separated list of one or more namespaces. The namespaces must be authorized TFC/TFE organization names.
`page[number]`	Optional. If omitted, the endpoint returns the first page.
`page[size]`	Optional. If omitted, the endpoint returns 20 GPG keys per page.

Gets a list of GPG keys belonging to the specified namespaces.

Status	Response	Reason
200	JSON API document (`type: "gpg-keys"`)	Successfully fetched GPG keys
400	JSON API error object	Error - missing namespaces in request
403	JSON API error object	Forbidden - no authorized namespaces specified in request

Sample Request

curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request GET \
  "https://app.terraform.io/api/registry/private/v2/gpg-keys?filter%5Bnamespace%5D=my-organization,my-other-organization"

Sample Response

{
  "data": [
    {
      "type": "gpg-keys",
      "id": "1",
      "attributes": {
        "ascii-armor": "-----BEGIN PGP PUBLIC KEY BLOCK-----...",
        "created-at": "2022-02-08T19:15:47Z",
        "key-id": "C4E5E6C66C79C778",
        "namespace": "my-other-organization",
        "source": "",
        "source-url": null,
        "trust-signature": "",
        "updated-at": "2022-02-08T19:15:47Z"
      },
      "links": {
        "self": "/v2/gpg-keys/1"
      }
    },
    {
      "type": "gpg-keys",
      "id": "140",
      "attributes": {
        "ascii-armor": "-----BEGIN PGP PUBLIC KEY BLOCK-----...",
        "created-at": "2022-04-28T21:32:11Z",
        "key-id": "C4E5E6C66C79C778",
        "namespace": "my-organization",
        "source": "",
        "source-url": null,
        "trust-signature": "",
        "updated-at": "2022-04-28T21:32:11Z"
      },
      "links": {
        "self": "/v2/gpg-keys/140"
      }
    }
  ],
  "links": {
    "first": "/v2/gpg-keys?filter%5Bnamespace%5D=my-organization%2Cmy-other-organization&page%5Bnumber%5D=1&page%5Bsize%5D=15",
    "last": "/v2/gpg-keys?filter%5Bnamespace%5D=my-organization%2Cmy-other-organization&page%5Bnumber%5D=1&page%5Bsize%5D=15",
    "next": null,
    "prev": null
  },
  "meta": {
    "pagination": {
      "page-size": 15,
      "current-page": 1,
      "next-page": null,
      "prev-page": null,
      "total-pages": 1,
      "total-count": 2
    }
  }
}

Add a GPG Key

POST /api/registry/:registry_name/v2/gpg-keys

Parameters

Parameter	Description
`:registry_name`	Must be `private`.

Uploads a GPG Key to a private registry scoped with a namespace. The response will provide a "key-id", which is required to Create a Provider Version.

Status	Response	Reason
201	JSON API document (`type: "gpg-keys"`)	Successfully uploads a GPG key to a private provider
422	JSON API error object	Malformed request body (missing attributes, wrong types, etc.)
403	JSON API error object	Forbidden - not available for public providers
404	JSON API error object	User not authorized

Request Body

This POST endpoint requires a JSON object with the following properties as a request payload.

Properties without a default value are required.

Key path	Type	Description
`data.type`	string	Must be `"gpg-keys"`.
`data.attributes.namespace`	string	The namespace of the provider. Must be the same as the `organization_name` for the provider.
`data.attributes.ascii-armor`	string	A valid gpg-key string.

Sample Payload

{
  "data": {
    "type": "gpg-keys",
    "attributes": {
      "namespace": "hashicorp",
      "ascii-armor": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINB...=txfz\n-----END PGP PUBLIC KEY BLOCK-----\n"
    }  }
}

Sample Request

curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request POST \
  --data @payload.json \
  https://app.terraform.io/api/registry/private/v2/gpg-keys

Sample Response

{
  "data": {
    "type": "gpg-keys",
    "id": "23",
    "attributes": {
      "ascii-armor": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINB...=txfz\n-----END PGP PUBLIC KEY BLOCK-----\n",
      "created-at": "2022-02-11T19:16:59Z",
      "key-id": "32966F3FB5AC1129",
      "namespace": "hashicorp",
      "source": "",
      "source-url": null,
      "trust-signature": "",
      "updated-at": "2022-02-11T19:16:59Z"
    },
    "links": {
      "self": "/v2/gpg-keys/23"
    }
  }
}

Get GPG Key

GET /api/registry/:registry_name/v2/gpg-keys/:namespace/:key_id

Parameters

Parameter	Description
`:registry_name`	Must be `private`.
`:namespace`	The namespace of the provider scoped to the GPG key.
`:key_id`	The id of the GPG key.

Gets the content of a GPG key.

Status	Response	Reason
200	JSON API document (`type: "gpg-keys"`)	Successfully fetched GPG key
403	JSON API error object	Forbidden - not available for public providers
404	JSON API error object	GPG key not found or user not authorized

Sample Request

curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request GET \
  https://app.terraform.io/api/registry/private/v2/gpg-keys/hashicorp/32966F3FB5AC1129

Sample Response

  "data": {
    "type": "gpg-keys",
    "id": "2",
    "attributes": {
      "ascii-armor": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINB...=txfz\n-----END PGP PUBLIC KEY BLOCK-----\n",
      "created-at": "2022-02-24T17:07:25Z",
      "key-id": "32966F3FB5AC1129",
      "namespace": "hashicorp",
      "source": "",
      "source-url": null,
      "trust-signature": "",
      "updated-at": "2022-02-24T17:07:25Z"
    },
    "links": {
      "self": "/v2/gpg-keys/2"
    }
  }
}

Update a GPG Key

PATCH /api/registry/:registry_name/v2/gpg-keys/:namespace/:key_id

Parameters

Parameter	Description
`:registry_name`	Must be `private`.
`:namespace`	The namespace of the provider scoped to the GPG key.
`:key_id`	The id of the GPG key.

Updates the specified GPG key. Only the namespace attribute can be updated, and namespace has to match an organization the user has permission to access.

Status	Response	Reason
201	JSON API document (`type: "gpg-keys"`)	Successfully updates a GPG key
422	JSON API error object	Malformed request body (missing attributes, wrong types, etc.)
403	JSON API error object	Forbidden - not available for public providers
404	JSON API error object	GPG key not found or user not authorized

Request Body

This PATCH endpoint requires a JSON object with the following properties as a request payload.

Properties without a default value are required.

Key path	Type	Default	Description
`data.type`	string		Must be `"gpg-keys"`.
`data.attributes.namespace`	string		The namespace of the provider. Must be the same as the `organization_name` for the provider.

Sample Payload

{
  "data": {
    "type": "gpg-keys",
    "attributes": {
      "namespace": "new-namespace",
    }
  }
}

Sample Request

curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request PATCH \
  --data @payload.json \
  https://app.terraform.io/api/registry/private/v2/gpg-keys/hashicorp/32966F3FB5AC1129

Sample Response

{
  "data": {
    "type": "gpg-keys",
    "id": "2",
    "attributes": {
      "ascii-armor": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINB...=txfz\n-----END PGP PUBLIC KEY BLOCK-----\n",
      "created-at": "2022-02-24T17:07:25Z",
      "key-id": "32966F3FB5AC1129",
      "namespace": "new-name",
      "source": "",
      "source-url": null,
      "trust-signature": "",
      "updated-at": "2022-02-24T17:12:10Z"
    },
    "links": {
      "self": "/v2/gpg-keys/2"
    }
  }
}

Delete a GPG Key

DELETE /api/registry/:registry_name/v2/gpg-keys/:namespace/:key_id

Parameters

Parameter	Description
`:registry_name`	Must be `private`.
`:namespace`	The namespace of the provider scoped to the GPG key.
`:key_id`	The id of the GPG key.

Status	Response	Reason
201	JSON API document (`type: "gpg-keys"`)	Successfully deletes a GPG key
422	JSON API error object	Malformed request body (missing attributes, wrong types, etc.)
403	JSON API error object	Forbidden - not available for public providers
404	JSON API error object	GPG key not found or user not authorized

Sample Request

curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request DELETE \
  --data @payload.json \
  https://app.terraform.io/api/registry/private/v2/gpg-keys/hashicorp/32966F3FB5AC1129