Method: unwrap
Stay organized with collections
Save and categorize content based on your preferences.
Returns decrypted Data Encryption Key (DEK).
For more details, see Encrypt & decrypt data.
HTTP request
POST https://KACLS_URL/unwrap
Replace KACLS_URL with the Key Access Control List Service (KACLS)
URL.
Path parameters
None.
Request body
The request body contains data with the following structure:
| JSON representation |
{
"authentication": string,
"authorization": string,
"reason": string,
"wrapped_key": string
}
|
| Fields |
authentication |
string
A JWT issued by the IdP asserting who the user is. See authentication tokens.
|
authorization |
string
A JWT asserting that the user is allowed to unwrap a key for resource_name. See authorization tokens.
|
reason |
string (UTF-8)
A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.
|
wrapped_key |
string
The base64 binary object returned by wrap.
|
Response body
If successful, this method returns the document encryption key.
If the operation fails, a
structured error reply
should be returned.
| JSON representation |
{
"key": string
}
|
| Fields |
key |
string
The base64-encoded DEK.
|
Example
This example provides a sample request and response for the unwrap method.
Request
POST https://mykacls.example.com/v1/unwrap
{
"wrapped_key": "7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==",
"authorization": "eyJhbGciOi…"
"authentication": "eyJhbGciOi…"
"reason": "{client:'drive' op:'read'}"
}
Response
{
"key": "0saNxttLMQULfXuTbRFJzi/QJokN1jW16u0yaNvvLdQ="
}
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-11-14 UTC.
[null,null,["Last updated 2024-11-14 UTC."],[[["\u003cp\u003eReturns the decrypted Data Encryption Key (DEK) when provided with a wrapped key, authentication, authorization, and reason.\u003c/p\u003e\n"],["\u003cp\u003eRequires a wrapped key generated by the \u003ccode\u003ewrap\u003c/code\u003e method, alongside authentication and authorization tokens for security and access control.\u003c/p\u003e\n"],["\u003cp\u003eAccepts an optional reason parameter for providing context about the operation, which should be sanitized before display.\u003c/p\u003e\n"],["\u003cp\u003eReturns the base64-encoded DEK on successful execution, or a structured error reply if the operation fails.\u003c/p\u003e\n"],["\u003cp\u003eUtilizes the KACLS URL for making the POST request and requires specifying the version in the URL path (e.g., /v1/unwrap).\u003c/p\u003e\n"]]],["The `unwrap` method decrypts a Data Encryption Key (DEK). It requires a `POST` request to the KACLS URL with a JSON body containing: `authentication` (user ID JWT), `authorization` (key unwrapping permission JWT), `reason` (operation context), and `wrapped_key` (base64 encrypted key). A successful response returns a JSON body with the decrypted `key` (base64-encoded DEK). Failure returns a structured error.\n"],null,["# Method: unwrap\n\nReturns decrypted Data Encryption Key (DEK).\n\nFor more details, see [Encrypt \\& decrypt data](/workspace/cse/guides/encrypt-and-decrypt-data).\n\n### HTTP request\n\n`POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/unwrap`\n\nReplace \u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e with the Key Access Control List Service (KACLS)\nURL.\n\n### Path parameters\n\nNone.\n\n### Request body\n\nThe request body contains data with the following structure:\n\n| JSON representation ||\n|--------------------------------------------------------------------------------------------------------|---|\n| ``` { \"authentication\": string, \"authorization\": string, \"reason\": string, \"wrapped_key\": string } ``` |\n\n| Fields ||\n|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authentication` | `string` A JWT issued by the IdP asserting who the user is. See [authentication tokens](/workspace/cse/reference/authentication-tokens). |\n| `authorization` | `string` A JWT asserting that the user is allowed to unwrap a key for `resource_name`. See [authorization tokens](/workspace/cse/reference/authorization-tokens). |\n| `reason` | `string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. |\n| `wrapped_key` | `string` The base64 binary object returned by [`wrap`](/workspace/cse/reference/wrap). |\n\n### Response body\n\nIf successful, this method returns the document encryption key.\n\nIf the operation fails, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nshould be returned.\n\n| JSON representation ||\n|---------------------------|---|\n| ``` { \"key\": string } ``` |\n\n| Fields ||\n|-------|----------------------------------|\n| `key` | `string` The base64-encoded DEK. |\n\n### Example\n\nThis example provides a sample request and response for the `unwrap` method.\n\n#### Request\n\n POST https://mykacls.example.com/v1/unwrap\n\n {\n \"wrapped_key\": \"7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==\",\n \"authorization\": \"eyJhbGciOi...\"\n \"authentication\": \"eyJhbGciOi...\"\n \"reason\": \"{client:'drive' op:'read'}\"\n }\n\n#### Response\n\n {\n \"key\": \"0saNxttLMQULfXuTbRFJzi/QJokN1jW16u0yaNvvLdQ=\"\n }"]]
