BootstrapOrg is the first call you make against a fresh TeleQuick deployment for any new tenant. It creates the tenant record and mints the first admin service account — every subsequent admin call uses the JWT signed by that account.
No SDK wrapper. Issue via the raw RPC envelope. This is a one-shot — BootstrapOrg will refuse to run twice for the same tenant_id.

BootstrapOrg

Request (BootstrapOrgRequest):

| Field | Type | Notes |
|---|---|---|
| bootstrap_secret | string | Out-of-band secret distributed when the gateway was provisioned. Not a JWT. |
| tenant_id | string | Stable id (lowercase, dash-separated). |
| display_name | string | Human-readable tenant name. |
| region | string | One of the gateway's configured regions; routes default outbound trunks here. |
| admin_public_key_pem | string | RSA public half of the keypair you generated for this tenant. |
| admin_private_key_id | string | kid to associate with the public key. |

Response (BootstrapOrgResponse):

| Field | Type | Notes |
|---|---|---|
| status | string | "ok" or "error". |
| error_message | string | Populated on error. |
| tenant_id | string | Echoed for confirmation. |
| created_at_ms | int64 | Unix epoch ms. |

After this returns successfully, the keypair you supplied is the admin service account for the tenant. Use the private half to sign the admin_token for every subsequent admin call.
  1. Generate an RSA-2048 keypair locally.
  2. Hold the bootstrap secret somewhere short-lived (CI vault, HSM, or one-shot env var).
  3. Call BootstrapOrg with the public half + a kid you choose.
  4. Drop the bootstrap secret. It cannot be reused; the gateway burns it on success.
  5. From now on, sign admin JWTs with the private half. The first thing most operators do is call PublishServiceAccount to create separate "sdk"-role keys for their applications.
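
A local pre-flight for steps 1 and 3, as an added example that is not TeleQuick code: it generates the RSA-2048 keypair and checks tenant_id and admin_public_key_pem before the bootstrap secret is used. NewAdminKeypair, Preflight, the tenant_id pattern and the sample id acme-prod are assumptions; the RPC envelope is not shown because this page does not specify it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"regexp"
)

// Assumption: one reading of "lowercase, dash-separated"; the gateway's exact rule may differ.
var tenantIDRe = regexp.MustCompile(`^[a-z0-9]+(-[a-z0-9]+)*$`)

// NewAdminKeypair (hypothetical helper) returns an RSA-2048 key and its public half as SPKI PEM.
func NewAdminKeypair() (*rsa.PrivateKey, string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, "", err
	}
	return priv, string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// Preflight (hypothetical helper) checks tenant_id and admin_public_key_pem locally.
func Preflight(tenantID, pubPEM string) error {
	if !tenantIDRe.MatchString(tenantID) {
		return errors.New("tenant_id must be lowercase and dash-separated")
	}
	block, _ := pem.Decode([]byte(pubPEM))
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("admin_public_key_pem is not an SPKI PEM block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if k, ok := pub.(*rsa.PublicKey); err != nil || !ok || k.N.BitLen() < 2048 {
		return errors.New("admin_public_key_pem must be an RSA key of at least 2048 bits")
	}
	return nil
}

func main() {
	_, pubPEM, err := NewAdminKeypair()
	fmt.Println(pubPEM, err, Preflight("acme-prod", pubPEM)) // "acme-prod" is a constructed tenant_id
}
```

The returned private key is the one that signs admin JWTs afterwards, so store it before calling BootstrapOrg.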

Failure modes

| error_message substring | Cause |
|---|---|
| bootstrap secret invalid | Wrong or already-consumed secret. |
| tenant_id already exists | Bootstrap already completed for this id. |
| public_key_pem invalid | Not a valid PKCS#8/SPKI PEM RSA public key. |
| region unknown | region doesn't match any configured region. |