From b43fa7704902dee7ca53707120f054fd647a96d1 Mon Sep 17 00:00:00 2001
From: Andy Balaam <andy.balaam@matrix.org>
Date: Thu, 12 Dec 2024 11:35:23 +0000
Subject: [PATCH] Explain that one-time keys must only be returned once.

---
 data/api/client-server/keys.yaml      | 4 ++++
 data/api/server-server/user_keys.yaml | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/data/api/client-server/keys.yaml b/data/api/client-server/keys.yaml
index df3c5b85..de4501b3 100644
--- a/data/api/client-server/keys.yaml
+++ b/data/api/client-server/keys.yaml
@@ -300,6 +300,10 @@ paths:
         [/keys/upload](/client-server-api/#post_matrixclientv3keysupload). (All
         keys uploaded within a given call to `/keys/upload` are considered
         equivalent in this regard; no ordering is specified within them.)
+
+        Servers must ensure that each one-time key is returned at most once,
+        so when a key has been returned, no other request will ever return
+        the same key.
       operationId: claimKeys
       security:
         - accessTokenQuery: []
diff --git a/data/api/server-server/user_keys.yaml b/data/api/server-server/user_keys.yaml
index 6df29473..059dcae4 100644
--- a/data/api/server-server/user_keys.yaml
+++ b/data/api/server-server/user_keys.yaml
@@ -32,6 +32,10 @@ paths:
         [/keys/upload](/client-server-api/#post_matrixclientv3keysupload). (All
         keys uploaded within a given call to `/keys/upload` are considered
         equivalent in this regard; no ordering is specified within them.)
+
+        Servers must ensure that each one-time key is returned at most once,
+        so when a key has been returned, no other request will ever return
+        the same key.
       operationId: claimUserEncryptionKeys
       security:
         - signedRequest: []