Referencia de la API de CSE en Google Workspace
Organiza tus páginas con colecciones
Guarda y categoriza el contenido según tus preferencias.
La API de la encriptación del cliente (CSE) de Google Workspace te permite tener tus propias claves de encriptación para encriptar aún más los datos de Google Workspace.
Métodos
| Métodos |
delegate |
POST https://KACLS_URL/delegate
Permite que un primer usuario delegue una solicitud a un segundo usuario. |
digest |
POST https://KACLS_URL/digest
Devuelve la suma de verificación de una DEK separada. |
privatekeydecrypt |
POST https://KACLS_URL/privatekeydecrypt
Desenvuelve una clave privada envuelta y, luego, desencripta la clave de encriptación de contenido que está encriptada con la clave pública. |
privatekeysign |
POST https://KACLS_URL/privatekeysign
Desenvuelve una clave privada envuelta y, luego, firma el resumen proporcionado por el cliente.
|
privilegedprivatekeydecrypt |
POST https://KACLS_URL/privilegedprivatekeydecrypt
Desencripta sin verificar la LCA de la clave privada encapsulada. |
privilegedunwrap |
POST https://KACLS_URL/privilegedunwrap
Descifra los datos exportados desde Google en un contexto privilegiado. |
privilegedwrap |
POST https://KACLS_URL/privilegedwrap
Devuelve una clave de encriptación de datos (DEK) unida y los datos asociados. |
rewrap |
POST https://KACLS_URL/rewrap
Vuelve a encriptar una DEK encriptada. |
status |
GET https://KACLS_URL/status
Verifica el estado de un servicio de lista de control de acceso a las claves (KACLS). |
unwrap |
POST https://KACLS_URL/unwrap
Devuelve la DEK desencriptada. |
wrap |
POST https://KACLS_URL/wrap
Devuelve la DEK encriptada y los datos asociados. |
wrapprivatekey |
POST https://KACLS_URL/wrapprivatekey
Encapsula la clave privada de un usuario. |
Tokens
| Tokens |
Authorization |
Es el JWT que emite Google para verificar que el llamador está autorizado a encriptar o desencriptar un recurso.
|
Authentication |
Es el JWT que emite el proveedor de identidad y que certifica la identidad del usuario.
|
Otro
Salvo que se indique lo contrario, el contenido de esta página está sujeto a la licencia Atribución 4.0 de Creative Commons, y los ejemplos de código están sujetos a la licencia Apache 2.0. Para obtener más información, consulta las políticas del sitio de Google Developers. Java es una marca registrada de Oracle o sus afiliados.
Última actualización: 2025-07-26 (UTC)
[null,null,["Última actualización: 2025-07-26 (UTC)"],[[["\u003cp\u003eThe Google Workspace Client-side Encryption (CSE) API empowers you to manage your own encryption keys for enhanced security of Google Workspace data.\u003c/p\u003e\n"],["\u003cp\u003eThis API provides a comprehensive suite of methods for key management, including wrapping, unwrapping, encryption, decryption, and signing, offering granular control over your data protection.\u003c/p\u003e\n"],["\u003cp\u003eYou can leverage methods such as \u003ccode\u003ewrap\u003c/code\u003e and \u003ccode\u003eunwrap\u003c/code\u003e to encrypt and decrypt data encryption keys (DEKs), while \u003ccode\u003eprivatekeydecrypt\u003c/code\u003e allows for decryption using your private keys.\u003c/p\u003e\n"],["\u003cp\u003eAuthentication and authorization are handled through JWTs, ensuring secure access control to your encrypted data.\u003c/p\u003e\n"],["\u003cp\u003eExplore detailed documentation on methods, tokens, and error handling to effectively integrate the CSE API into your workflows.\u003c/p\u003e\n"]]],["The Google Workspace CSE API enables key ownership for encrypting Workspace data. Key actions include: `digest` to return checksums, `privatekeydecrypt` to decrypt keys, `privatekeysign` to sign digests, `unwrap`/`wrap` to decrypt/encrypt DEKs, `rewrap` to re-encrypt DEKs, `privileged` methods for special decryption/wrapping, `wrapprivatekey` to wrap a user's private key and `status` to check the Key Access Control List Service. It uses `Authorization` and `Authentication` JWT tokens and details structured error handling.\n"],null,["# Google Workspace CSE API Reference\n\nThe Google Workspace Client-side Encryption (CSE) API lets you own the\nencryption keys used to further encrypt Google Workspace data.\n\nMethods\n-------\n\n| Methods ||\n|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| [delegate](/workspace/cse/reference/delegate) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/delegate` Allows a first user to delegate a request to a second user. |\n| [digest](/workspace/cse/reference/digest) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/digest` Returns the checksum of an unwrapped DEK. |\n| [privatekeydecrypt](/workspace/cse/reference/private-key-decrypt) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privatekeydecrypt` Unwraps a wrapped private key and then decrypts the content encryption key that is encrypted to the public key. |\n| [privatekeysign](/workspace/cse/reference/private-key-sign) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privatekeysign` Unwraps a wrapped private key and then signs the digest provided by the client. |\n| [privilegedprivatekeydecrypt](/workspace/cse/reference/privileged-private-key-decrypt) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privilegedprivatekeydecrypt` Decrypts without checking the wrapped private key ACL. |\n| [privilegedunwrap](/workspace/cse/reference/privileged-unwrap) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privilegedunwrap` Decrypts data exported from Google in a privileged context. |\n| [privilegedwrap](/workspace/cse/reference/privileged-wrap) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privilegedwrap` Returns a wrapped Data Encryption Key (DEK) and associated data. |\n| [rewrap](/workspace/cse/reference/rewrap) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/rewrap` Re-encrypts an encrypted DEK. |\n| [status](/workspace/cse/reference/status) | `GET https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/status` Checks the status of a Key Access Control List Service (KACLS). |\n| [unwrap](/workspace/cse/reference/unwrap) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/unwrap` Returns decrypted DEK. |\n| [wrap](/workspace/cse/reference/wrap) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/wrap` Returns encrypted DEK and associated data. |\n| [wrapprivatekey](/workspace/cse/reference/wrap-private-key) | `POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/wrapprivatekey` Wraps a user's private key. |\n\nTokens\n------\n\n| Tokens ||\n|------------------------------------------------------------------|------------------------------------------------------------------------------------------------|\n| [Authorization](/workspace/cse/reference/authorization-tokens) | JWT issued by Google to verify that the caller is authorized to encrypt or decrypt a resource. |\n| [Authentication](/workspace/cse/reference/authentication-tokens) | JWT issued by the identity provider that attests user identity. |\n\nOther\n-----\n\n- \\[Resource key hash\\]\n- [Structured error replies](/workspace/cse/reference/structured-errors)"]]
