Create Key - Create Key
Creates a new key, stores it, then returns key parameters and attributes to the client.
The create key operation can be used to create any key type in Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.
POST {vaultBaseUrl}/keys/{key-name}/create?api-version=2025-07-01URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
key-name
|
path | True |
string pattern: ^[0-9a-zA-Z-]+$ |
The name for the new key. The system will generate the version name for the new key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. |
|
vault
|
path | True |
string (uri) |
|
|
api-version
|
query | True |
string minLength: 1 |
The API version to use for this operation. |
Request Body
| Name | Required | Type | Description |
|---|---|---|---|
| kty | True |
The type of key to create. For valid values, see JsonWebKeyType. |
|
| attributes |
The attributes of a key managed by the key vault service. |
||
| crv |
Elliptic curve name. For valid values, see JsonWebKeyCurveName. |
||
| key_ops |
Json web key operations. For more information on possible key operations, see JsonWebKeyOperation. |
||
| key_size |
integer (int32) |
The key size in bits. For example: 2048, 3072, or 4096 for RSA. |
|
| public_exponent |
integer (int32) |
The public exponent for a RSA key. |
|
| release_policy |
The policy rules under which the key can be exported. |
||
| tags |
object |
Application specific metadata in the form of key-value pairs. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
The request has succeeded. |
|
| Other Status Codes |
An unexpected error response. |
Security
OAuth2Auth
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| https://vault.azure.net/.default |
Examples
Create key
Sample request
POST https://myvault.vault.azure.net//keys/CreateSoftKeyTest/create?api-version=2025-07-01
{
"kty": "RSA",
"key_size": 2048,
"key_ops": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"attributes": {},
"tags": {
"purpose": "unit test",
"test name ": "CreateGetDeleteKeyTest"
}
}
Sample response
{
"key": {
"kid": "https://myvault.vault.azure.net/keys/CreateSoftKeyTest/78deebed173b48e48f55abf87ed4cf71",
"kty": "RSA",
"key_ops": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"n": "2HJAE5fU3Cw2Rt9hEuq-F6XjINKGa-zskfISVqopqUy60GOs2eyhxbWbJBeUXNor_gf-tXtNeuqeBgitLeVa640UDvnEjYTKWjCniTxZRaU7ewY8BfTSk-7KxoDdLsPSpX_MX4rwlAx-_1UGk5t4sQgTbm9T6Fm2oqFd37dsz5-Gj27UP2GTAShfJPFD7MqU_zIgOI0pfqsbNL5xTQVM29K6rX4jSPtylZV3uWJtkoQIQnrIHhk1d0SC0KwlBV3V7R_LVYjiXLyIXsFzSNYgQ68ZjAwt8iL7I8Osa-ehQLM13DVvLASaf7Jnu3sC3CWl3Gyirgded6cfMmswJzY87w",
"e": "AQAB"
},
"attributes": {
"enabled": true,
"created": 1493942451,
"updated": 1493942451,
"recoveryLevel": "Recoverable+Purgeable"
},
"tags": {
"purpose": "unit test",
"test name ": "CreateGetDeleteKeyTest"
}
}Definitions
| Name | Description |
|---|---|
|
Deletion |
Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval. |
| Error | |
|
Json |
As of http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18 |
|
Json |
Elliptic curve name. For valid values, see JsonWebKeyCurveName. |
|
Json |
JSON web key operations. For more information, see JsonWebKeyOperation. |
|
Json |
JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. |
|
Key |
The key attestation information. |
|
Key |
The attributes of a key managed by the key vault service. |
|
Key |
A KeyBundle consisting of a WebKey plus its attributes. |
|
Key |
The key create parameters. |
|
Key |
The policy rules under which the key can be exported. |
|
Key |
The key vault error exception. |
DeletionRecoveryLevel
Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval.
| Value | Description |
|---|---|
| Purgeable |
Denotes a vault state in which deletion is an irreversible operation, without the possibility for recovery. This level corresponds to no protection being available against a Delete operation; the data is irretrievably lost upon accepting a Delete operation at the entity level or higher (vault, resource group, subscription etc.) |
| Recoverable+Purgeable |
Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days), unless a Purge operation is requested, or the subscription is cancelled. System wil permanently delete it after 90 days, if not recovered |
| Recoverable |
Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered |
| Recoverable+ProtectedSubscription |
Denotes a vault and subscription state in which deletion is recoverable within retention interval (90 days), immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled. System wil permanently delete it after 90 days, if not recovered |
| CustomizedRecoverable+Purgeable |
Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90). This level guarantees the recoverability of the deleted entity during the retention interval, unless a Purge operation is requested, or the subscription is cancelled. |
| CustomizedRecoverable |
Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90).This level guarantees the recoverability of the deleted entity during the retention interval and while the subscription is still available. |
| CustomizedRecoverable+ProtectedSubscription |
Denotes a vault and subscription state in which deletion is recoverable, immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled when 7 <= SoftDeleteRetentionInDays < 90. This level guarantees the recoverability of the deleted entity during the retention interval, and also reflects the fact that the subscription itself cannot be cancelled. |
Error
| Name | Type | Description |
|---|---|---|
| code |
string |
The error code. |
| innererror |
The key vault server error. |
|
| message |
string |
The error message. |
JsonWebKey
As of http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18
| Name | Type | Description |
|---|---|---|
| crv |
Elliptic curve name. For valid values, see JsonWebKeyCurveName. |
|
| d |
string (base64url) |
RSA private exponent, or the D component of an EC private key. |
| dp |
string (base64url) |
RSA private key parameter. |
| dq |
string (base64url) |
RSA private key parameter. |
| e |
string (base64url) |
RSA public exponent. |
| k |
string (base64url) |
Symmetric key. |
| key_hsm |
string (base64url) |
Protected Key, used with 'Bring Your Own Key'. |
| key_ops |
string[] |
Json web key operations. For more information on possible key operations, see JsonWebKeyOperation. |
| kid |
string |
Key identifier. |
| kty |
JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. |
|
| n |
string (base64url) |
RSA modulus. |
| p |
string (base64url) |
RSA secret prime. |
| q |
string (base64url) |
RSA secret prime, with p < q. |
| qi |
string (base64url) |
RSA private key parameter. |
| x |
string (base64url) |
X component of an EC public key. |
| y |
string (base64url) |
Y component of an EC public key. |
JsonWebKeyCurveName
Elliptic curve name. For valid values, see JsonWebKeyCurveName.
| Value | Description |
|---|---|
| P-256 |
The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. |
| P-384 |
The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. |
| P-521 |
The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. |
| P-256K |
The SECG SECP256K1 elliptic curve. |
JsonWebKeyOperation
JSON web key operations. For more information, see JsonWebKeyOperation.
| Value | Description |
|---|---|
| encrypt |
Indicates that the key can be used to encrypt. |
| decrypt |
Indicates that the key can be used to decrypt. |
| sign |
Indicates that the key can be used to sign. |
| verify |
Indicates that the key can be used to verify. |
| wrapKey |
Indicates that the key can be used to wrap another key. |
| unwrapKey |
Indicates that the key can be used to unwrap another key. |
| import |
Indicates that the key can be imported during creation. |
| export |
Indicates that the private component of the key can be exported. |
JsonWebKeyType
JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40.
| Value | Description |
|---|---|
| EC |
Elliptic Curve. |
| EC-HSM |
Elliptic Curve with a private key which is stored in the HSM. |
| RSA | |
| RSA-HSM |
RSA with a private key which is stored in the HSM. |
| oct |
Octet sequence (used to represent symmetric keys) |
| oct-HSM |
Octet sequence (used to represent symmetric keys) which is stored the HSM. |
KeyAttestation
The key attestation information.
| Name | Type | Description |
|---|---|---|
| certificatePemFile |
string (base64url) |
A base64url-encoded string containing certificates in PEM format, used for attestation validation. |
| privateKeyAttestation |
string (base64url) |
The attestation blob bytes encoded as base64url string corresponding to a private key. |
| publicKeyAttestation |
string (base64url) |
The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. |
| version |
string |
The version of the attestation. |
KeyAttributes
The attributes of a key managed by the key vault service.
| Name | Type | Description |
|---|---|---|
| attestation |
The key or key version attestation information. |
|
| created |
integer (unixtime) |
Creation time in UTC. |
| enabled |
boolean |
Determines whether the object is enabled. |
| exp |
integer (unixtime) |
Expiry date in UTC. |
| exportable |
boolean |
Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. |
| hsmPlatform |
string |
The underlying HSM Platform. |
| nbf |
integer (unixtime) |
Not before date in UTC. |
| recoverableDays |
integer (int32) |
softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. |
| recoveryLevel |
Reflects the deletion recovery level currently in effect for keys in the current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only the system can purge the key, at the end of the retention interval. |
|
| updated |
integer (unixtime) |
Last updated time in UTC. |
KeyBundle
A KeyBundle consisting of a WebKey plus its attributes.
| Name | Type | Description |
|---|---|---|
| attributes |
The key management attributes. |
|
| key |
The Json web key. |
|
| managed |
boolean |
True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true. |
| release_policy |
The policy rules under which the key can be exported. |
|
| tags |
object |
Application specific metadata in the form of key-value pairs. |
KeyCreateParameters
The key create parameters.
| Name | Type | Description |
|---|---|---|
| attributes |
The attributes of a key managed by the key vault service. |
|
| crv |
Elliptic curve name. For valid values, see JsonWebKeyCurveName. |
|
| key_ops |
Json web key operations. For more information on possible key operations, see JsonWebKeyOperation. |
|
| key_size |
integer (int32) |
The key size in bits. For example: 2048, 3072, or 4096 for RSA. |
| kty |
The type of key to create. For valid values, see JsonWebKeyType. |
|
| public_exponent |
integer (int32) |
The public exponent for a RSA key. |
| release_policy |
The policy rules under which the key can be exported. |
|
| tags |
object |
Application specific metadata in the form of key-value pairs. |
KeyReleasePolicy
The policy rules under which the key can be exported.
| Name | Type | Default value | Description |
|---|---|---|---|
| contentType |
string |
application/json; charset=utf-8 |
Content type and version of key release policy |
| data |
string (base64url) |
Blob encoding the policy rules under which the key can be released. Blob must be base64 URL encoded. |
|
| immutable |
boolean |
Defines the mutability state of the policy. Once marked immutable, this flag cannot be reset and the policy cannot be changed under any circumstances. |
KeyVaultError
The key vault error exception.
| Name | Type | Description |
|---|---|---|
| error |
The key vault server error. |