Invalid Key State

URI: https://docs.ankatech.co/errors/invalid-key-state
HTTP Status: 422 Unprocessable Entity

When you see this

The requested cryptographic operation cannot be performed because the key is in an invalid state for the operation. The key exists but its current lifecycle state prevents the requested usage.

Common Causes

  • Expired key
    Attempting to use a key that has passed its expiration date for encryption or signing operations.

  • Revoked key
    Trying to perform operations with a key that has been explicitly revoked.

  • Suspended key
    The key has been temporarily suspended and cannot be used until reactivated.

  • Pre-activation key
    Attempting to use a key before its activation date has been reached.

  • Destroyed key material
    The key metadata exists but the cryptographic material has been destroyed.

  • Usage limit exceeded
    The key has reached its maximum usage count and cannot perform more operations.

  • Wrong operation for key state
    Attempting operations not allowed in the current state (e.g., trying to encrypt with a decrypt-only key in post-rotation state).

How to Resolve

  1. Check key status
     • Query the key details endpoint to verify the current state.
     • Review the key's lifecycle status: ACTIVE, SUSPENDED, EXPIRED, REVOKED, DESTROYED.

  2. For expired keys
     • Generate a new key to replace the expired one.
     • Use key rotation APIs to migrate from the expired key.
     • Decryption may still be allowed for data recovery.

  3. For revoked keys
     • Revocation is permanent; generate a new key.
     • Historical decryption/verification may be permitted based on policy.

  4. For suspended keys
     • Contact an administrator to reactivate the key.
     • Investigate why the key was suspended (security incident, audit requirement).

  5. For usage-limited keys
     • Check the current usage count against the limit.
     • Request a limit increase or generate a new key.
     • Implement key rotation before reaching limits.

  6. For pre-activation keys
     • Wait until the activation date.
     • Verify the activation timestamp is correctly set.

Response Example

{
  "error": {
    "code": "INVALID_KEY_STATE",
    "message": "Key cannot be used for the requested operation",
    "detail": "Key 'mykey-2024' is in EXPIRED state. Encryption operations are not allowed.",
    "timestamp": "2025-01-15T10:30:00Z",
    "traceId": "550e8400-e29b-41d4-a716-446655440000",
    "type": "https://docs.ankatech.co/errors/invalid-key-state"
  },
  "key_info": {
    "kid": "mykey-2024",
    "state": "EXPIRED",
    "expired_at": "2024-12-31T23:59:59Z",
    "allowed_operations": ["DECRYPT", "VERIFY"],
    "denied_operations": ["ENCRYPT", "SIGN"]
  }
}

Key Lifecycle States

State        Allowed Operations              Description
PRE_ACTIVE   None                            Key created but not yet activated
ACTIVE       All permitted operations        Normal operational state
SUSPENDED    None (configurable)             Temporarily disabled
EXPIRED      Decrypt/Verify only             Past expiration date
REVOKED      Decrypt/Verify (configurable)   Permanently disabled
DESTROYED    None                            Key material destroyed
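
A client can act on this error by reading `key_info` from the response instead of hard-coding the table above, since SUSPENDED and REVOKED behaviour is configurable. The following is an added example, not part of this documentation or of any official client. The function name `triage` and the fields of its result are hypothetical, and sending states not covered by the resolution steps back to the key details lookup is an assumption.

```python
import json

# Follows the "How to Resolve" steps above; names here are illustrative.
REPLACE = {"EXPIRED", "REVOKED"}          # fixed by a replacement key
WAIT_OR_ADMIN = {
    "SUSPENDED": "ask an administrator to reactivate the key",
    "PRE_ACTIVE": "wait for the activation date",
}

def triage(body, requested_op):
    """Turn an INVALID_KEY_STATE body into a decision for the caller."""
    doc = json.loads(body)
    error = doc.get("error") or {}
    if error.get("code") != "INVALID_KEY_STATE":
        raise ValueError("not an INVALID_KEY_STATE response")
    info = doc.get("key_info") or {}
    state = info.get("state", "UNKNOWN")
    # SUSPENDED and REVOKED are "configurable" in the table, so use the list the
    # server returned; a missing list means nothing is allowed (fail closed).
    allowed = set(info.get("allowed_operations") or [])
    if state in REPLACE:
        action = "generate a replacement key"
    elif state in WAIT_OR_ADMIN:
        action = WAIT_OR_ADMIN[state]
    else:  # assumption: any other state goes back to step 1
        action = "query the key details endpoint"
    return {
        "kid": info.get("kid"),
        "state": state,
        "trace_id": error.get("traceId"),  # correlation id from the error
        "requested_allowed": requested_op.upper() in allowed,
        "can_still_read": bool(allowed & {"DECRYPT", "VERIFY"}),
        "needs_new_key": state in REPLACE,
        "action": action,
    }

# The response example from this page, trimmed to the fields used here.
SAMPLE = json.dumps({
    "error": {"code": "INVALID_KEY_STATE",
              "traceId": "550e8400-e29b-41d4-a716-446655440000"},
    "key_info": {"kid": "mykey-2024", "state": "EXPIRED",
                 "allowed_operations": ["DECRYPT", "VERIFY"],
                 "denied_operations": ["ENCRYPT", "SIGN"]},
})

if __name__ == "__main__":
    print(triage(SAMPLE, "ENCRYPT"))
```

For the sample, `can_still_read` stays true while `needs_new_key` is set: new writes move to a replacement key, but the expired key must remain referenced so existing ciphertext can still be decrypted.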

For more information about key lifecycle management, see the Key Management API documentation.