Authorization tokens

Bearer token (JWT: RFC 7516) issued by Google to verify that the caller is authorized to encrypt or decrypt a resource.

To prevent abuse, the Key Access Control List Service (KACLS) should verify that the caller is authorized to encrypt the object (file or document) before wrapping the key and to decrypt it before unwrapping the DEK.

Authorization token for Docs & Drive, Calendar and Meet client-side encryption (CSE)

JSON representation
{ "aud": string, "email": string, "email_type": string, "exp": string, "iat": string, "iss": string, "kacls_url": string, "perimeter_id": string, "resource_name": string, "role": string }

Fields
`aud`	`string` The audience, as identified by Google. Should be checked against the local configuration.
`email`	`string (UTF-8)` The user's email address.
`email_type`	`string` Contains one of the follow values: `google`: This email belongs to a Google Account. `google-visitor`: This email doesn't belong to a Google Account, but was PIN-code verified by Google. `customer-idp`: This email doesn't belong to a Google Account, but the user's email was extracted using a customer-configured IdP. The claim can be unset; in that case the default value is `google`.
`exp`	`string` Expiration time.
`iat`	`string` Issuance time.
`iss`	`string` The token issuer. Should be validated against the trusted set of authentication issuers.
`kacls_url`	`string` The configured base KACLS URL, used to prevent person-in-the-middle (PITM) attacks.
`perimeter_id`	`string (UTF-8)` (Optional) A value tied to the document location that can be used to choose which perimeter will be checked when unwrapping. Maximum size: 128 bytes.
`resource_name`	`string (UTF-8)` An identifier for the object encrypted by the DEK. Maximum size: 128 bytes.
`role`	`string` Contains one of the follow values: `reader`: Allowed to call `unwrap` only. `writer`: Allowed to call both `wrap` and `unwrap`

Authorization token for Gmail CSE

JSON representation
{ "aud": string, "email": string, "exp": string, "iat": string, "message_id": string, "iss": string, "kacls_url": string, "perimeter_id": string, "resource_name": string, "role": string, "spki_hash": string, "spki_hash_algorithm": string }

JSON representation

{
  "aud": string,
  "email": string,
  "exp": string,
  "iat": string,
  "message_id": string,
  "iss": string,
  "kacls_url": string,
  "perimeter_id": string,
  "resource_name": string,
  "role": string,
  "spki_hash": string,
  "spki_hash_algorithm": string
}

Fields
`aud`	`string` The audience, as identified by Google. Should be checked against the local configuration.
`email`	`string (UTF-8)` The user's email address.
`exp`	`string` Expiration time.
`iat`	`string` Issuance time.
`message_id`	`string` An identifier for the message on which the decryption or signing is performed. Used as client reason for auditing purposes.
`iss`	`string` The token issuer. Should be validated against the trusted set of authentication issuers.
`kacls_url`	`string` The configured base KACLS URL, used to prevent person-in-the-middle (PITM) attacks.
`perimeter_id`	`string (UTF-8)` (Optional) A value tied to the document location that can be used to choose which perimeter is checked when unwrapping. Maximum size: 128 bytes.
`resource_name`	`string (UTF-8)` An identifier for the object encrypted by the DEK. Maximum size: 512 bytes.
`role`	`string` Contains one of the follow values: `decrypter`: Can decrypt. `signer`: Can sign.
`spki_hash`	`string` Standard base64-encoded digest of the DER-encoded `SubjectPublicKeyInfo` of the private key being accessed.
`spki_hash_algorithm`	`string` Algorithm used to produce `spki_hash`. Can be `SHA-256`.

Authorization token for KACLS migration service

JSON representation
{ "aud": string, "email": string, "exp": string, "iat": string, "iss": string, "kacls_url": string, "resource_name": string, "role": string }

Fields
`aud`	`string` The audience, as identified by Google. Should be checked against the local configuration.
`email`	`string (UTF-8)` The user's email address.
`exp`	`string` Expiration time.
`iat`	`string` Issuance time.
`iss`	`string` The token issuer. Should be validated against the trusted set of authentication issuers.
`kacls_url`	`string` The configured base KACLS URL, used to prevent person-in-the-middle (PITM) attacks.
`role`	`string` Contains one of the follow values: `migrator`: Allowed to call `rewrap` only. `verifier`: Allowed to call `digest` only.