From 38fdc3a7047f500bc025c48b62f90f59a0b682c6 Mon Sep 17 00:00:00 2001
From: Graeme Mjehovich <59065536+gmjehovich@users.noreply.github.com>
Date: Mon, 6 Oct 2025 11:26:35 -0500
Subject: [PATCH 1/2] Add specification for certificate_identity field for
 cross-cluster api keys

---
 specification/security/_types/ApiKey.ts                  | 7 +++++++
 .../CreateCrossClusterApiKeyRequest.ts                   | 6 ++++++
 .../UpdateCrossClusterApiKeyRequest.ts                   | 9 +++++++++
 3 files changed, 22 insertions(+)

diff --git a/specification/security/_types/ApiKey.ts b/specification/security/_types/ApiKey.ts
index f3e783982e..51e8d04937 100644
--- a/specification/security/_types/ApiKey.ts
+++ b/specification/security/_types/ApiKey.ts
@@ -100,6 +100,13 @@ export class ApiKey {
    * @availability serverless
    */
   access?: Access
+    /**
+     * The certificate identity associated with a cross-cluster API key.
+     * Restricts the API key to connections authenticated by a specific TLS certificate.
+     * Only applicable to cross-cluster API keys.
+     * @availability stack since=9.3.0
+     */
+    certificate_identity?: string
   /**
    * The profile uid for the API key owner principal, if requested and if it exists
    * @availability stack since=8.14.0
diff --git a/specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyRequest.ts b/specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyRequest.ts
index 31b711b6cb..87d49830d0 100644
--- a/specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyRequest.ts
+++ b/specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyRequest.ts
@@ -76,5 +76,11 @@ export interface Request extends RequestBase {
     metadata?: Metadata
     /** Specifies the name for this API key. */
     name: Name
+    /**
+     * The certificate identity to associate with this API key.
+     * This field is used to restrict the API key to connections authenticated by a specific TLS certificate.
+     * The value should match the certificate's distinguished name (DN) pattern.
+     */
+    certificate_identity?: string
   }
 }
diff --git a/specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyRequest.ts b/specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyRequest.ts
index 0e3cf5143b..01592030d1 100644
--- a/specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyRequest.ts
+++ b/specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyRequest.ts
@@ -81,5 +81,14 @@ export interface Request extends RequestBase {
      * When specified, this information fully replaces metadata previously associated with the API key.
      */
     metadata?: Metadata
+    /**
+     * The certificate identity to associate with this API key.
+     * This field is used to restrict the API key to connections authenticated by a specific TLS certificate.
+     * The value should match the certificate's distinguished name (DN) pattern.
+     * When specified, this fully replaces any previously assigned certificate identity.
+     * To clear an existing certificate identity, explicitly set this field to `null`.
+     * When omitted, the existing certificate identity remains unchanged.
+     */
+    certificate_identity?: string
   }
 }

From 9de139fc0509e64679640cb1d0fd4667cc701eba Mon Sep 17 00:00:00 2001
From: Graeme Mjehovich <59065536+gmjehovich@users.noreply.github.com>
Date: Mon, 6 Oct 2025 11:49:51 -0500
Subject: [PATCH 2/2] run prettier

---
 specification/security/_types/ApiKey.ts | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/specification/security/_types/ApiKey.ts b/specification/security/_types/ApiKey.ts
index 51e8d04937..ef3881f3c6 100644
--- a/specification/security/_types/ApiKey.ts
+++ b/specification/security/_types/ApiKey.ts
@@ -100,13 +100,13 @@ export class ApiKey {
    * @availability serverless
    */
   access?: Access
-    /**
-     * The certificate identity associated with a cross-cluster API key.
-     * Restricts the API key to connections authenticated by a specific TLS certificate.
-     * Only applicable to cross-cluster API keys.
-     * @availability stack since=9.3.0
-     */
-    certificate_identity?: string
+  /**
+   * The certificate identity associated with a cross-cluster API key.
+   * Restricts the API key to connections authenticated by a specific TLS certificate.
+   * Only applicable to cross-cluster API keys.
+   * @availability stack since=9.3.0
+   */
+  certificate_identity?: string
   /**
    * The profile uid for the API key owner principal, if requested and if it exists
    * @availability stack since=8.14.0