agentIdentityBlueprint: addKey

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Add a key credential to an agentIdentityBlueprint. This method, along with removeKey, can be used to automate rolling its expiring keys.

Note

You should only provide the public key value when adding a certificate credential to your application. Adding a private key certificate to your application risks compromising the application.

As part of the request validation for this method, a proof of possession of an existing key is verified before the action can be performed.

Agent identity blueprints that don't have any existing valid certificates (no certificates have been added yet, or all certificates have expired), won't be able to use this service action. You can use the Update agent identity blueprint operation to perform an update instead.

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type	Least privileged permission	Higher privileged permissions
Delegated (work or school account)	AgentIdentityBlueprint.AddRemoveCreds.All	AgentIdentityBlueprint.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)	Not supported.	Not supported.
Application	AgentIdentityBlueprint.AddRemoveCreds.All	AgentIdentityBlueprint.ReadWrite.All, Directory.ReadWrite.All

Important

The AgentIdentity* permissions are currently unavailable for consent through the API permissions experience on the Microsoft Entra admin center. To use these permissions, you can consent to them through Microsoft Graph API calls as described in Grant or revoke API permissions programmatically. See Permissions for managing agent identities for more information about these permissions.

When using delegated permissions, the authenticated user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation.

Agent ID Administrator.
Agent ID Developer - Create agent identity blueprints. The principal with this role is assigned ownership of the blueprint they create and can perform write operations on that blueprint.

HTTP request

POST /applications/{id}/microsoft.graph.agentIdentityBlueprint/addKey

Request headers

Name	Description
Authorization	Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type	application/json. Required.

Request body

In the request body, supply a JSON representation of the parameters. The following table lists the parameters that are required when you call this action.

Property	Type	Description
keyCredential	keyCredential	The new application key credential to add. The type, usage and key are required properties for this usage. Supported key types are: `AsymmetricX509Cert`: The usage must be `Verify`. `X509CertAndPassword`: The usage must be `Sign`
passwordCredential	passwordCredential	Only secretText is required to be set which should contain the password for the key. This property is required only for keys of type `X509CertAndPassword`. Set it to `null` otherwise.
proof	String	A self-signed JWT token used as a proof of possession of the existing keys. This JWT token must be signed using the private key of one of the application's existing valid certificates. The token should contain the following claims: aud: Audience needs to be `00000002-0000-0000-c000-000000000000`. iss: Issuer needs to be the ID of the application that initiates the request. nbf: Not before time. exp: Expiration time should be the value of nbf + 10 minutes. For steps to generate this proof of possession token, see Generating proof of possession tokens for rolling keys. For more information about the claim types, see Claims payload.

Response

If successful, this action returns a 200 OK response code and a keyCredential in the response body.

Examples

Request

The following example shows a request.

HTTP
JavaScript

POST https://graph.microsoft.com/beta/applications/{id}/microsoft.graph.agentIdentityBlueprint/addKey
Content-Type: application/json

{
  "keyCredential": {
    "@odata.type": "microsoft.graph.keyCredential"
  },
  "passwordCredential": {
    "@odata.type": "microsoft.graph.passwordCredential"
  },
  "proof": "String"
}


const options = {
	authProvider,
};

const client = Client.init(options);

const addKey = {
  keyCredential: {
    '@odata.type': 'microsoft.graph.keyCredential'
  },
  passwordCredential: {
    '@odata.type': 'microsoft.graph.passwordCredential'
  },
  proof: 'String'
};

await client.api('/applications/{id}/microsoft.graph.agentIdentityBlueprint/addKey')
	.version('beta')
	.post(addKey);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

{
  "value": {
    "@odata.type": "microsoft.graph.keyCredential"
  }
}

Feedback

Was this page helpful?

Last updated on 2025-11-18

Share via

agentIdentityBlueprint: addKey

Permissions

HTTP request

Request headers

Request body

Response

Examples

Request

Response

Feedback

Additional resources