REST Resource: users.settings.cse.identities
Stay organized with collections
Save and categorize content based on your preferences.
Resource: CseIdentity
The client-side encryption (CSE) configuration for the email address of an authenticated user. Gmail uses CSE configurations to save drafts of client-side encrypted email messages, and to sign and send encrypted email messages.
For administrators managing identities and keypairs for users in their organization, requests require authorization with a service account that has domain-wide delegation authority to impersonate users with the https://www.googleapis.com/auth/gmail.settings.basic scope.
For users managing their own identities and keypairs, requests require hardware key encryption turned on and configured.
| JSON representation |
{
"emailAddress": string,
// Union field key_pair_configuration can be only one of the following:
"primaryKeyPairId": string,
"signAndEncryptKeyPairs": {
object (SignAndEncryptKeyPairs)
}
// End of list of possible types for union field key_pair_configuration.
} |
| Fields |
emailAddress |
string
The email address for the sending identity. The email address must be the primary email address of the authenticated user.
|
Union field key_pair_configuration. key_pair_configuration can be only one of the following:
|
primaryKeyPairId |
string
If a key pair is associated, the ID of the key pair, CseKeyPair.
|
signAndEncryptKeyPairs |
object (SignAndEncryptKeyPairs)
The configuration of a CSE identity that uses different key pairs for signing and encryption.
|
SignAndEncryptKeyPairs
The configuration of a CSE identity that uses different key pairs for signing and encryption.
| JSON representation |
{
"signingKeyPairId": string,
"encryptionKeyPairId": string
} |
| Fields |
signingKeyPairId |
string
The ID of the CseKeyPair that signs outgoing mail.
|
encryptionKeyPairId |
string
The ID of the CseKeyPair that encrypts signed outgoing mail.
|
Methods |
|
|
Creates and configures a client-side encryption identity that's authorized to send mail from the user account. |
|
|
Deletes a client-side encryption identity. |
|
|
Retrieves a client-side encryption identity configuration. |
|
|
Lists the client-side encrypted identities for an authenticated user. |
|
|
Associates a different key pair with an existing client-side encryption identity. |
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-06-12 UTC.
[null,null,["Last updated 2025-06-12 UTC."],[],[],null,["# REST Resource: users.settings.cse.identities\n\n- [Resource: CseIdentity](#CseIdentity)\n - [JSON representation](#CseIdentity.SCHEMA_REPRESENTATION)\n- [SignAndEncryptKeyPairs](#SignAndEncryptKeyPairs)\n - [JSON representation](#SignAndEncryptKeyPairs.SCHEMA_REPRESENTATION)\n- [Methods](#METHODS_SUMMARY)\n\nResource: CseIdentity\n---------------------\n\nThe client-side encryption (CSE) configuration for the email address of an authenticated user. Gmail uses CSE configurations to save drafts of client-side encrypted email messages, and to sign and send encrypted email messages.\n\nFor administrators managing identities and keypairs for users in their organization, requests require authorization with a [service account](https://developers.google.com/identity/protocols/OAuth2ServiceAccount) that has [domain-wide delegation authority](https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority) to impersonate users with the `https://www.googleapis.com/auth/gmail.settings.basic` scope.\n\nFor users managing their own identities and keypairs, requests require [hardware key encryption](https://support.google.com/a/answer/14153163) turned on and configured.\n\n| JSON representation |\n|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| ``` { \"emailAddress\": string, // Union field `key_pair_configuration` can be only one of the following: \"primaryKeyPairId\": string, \"signAndEncryptKeyPairs\": { object (/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities#SignAndEncryptKeyPairs) } // End of list of possible types for union field `key_pair_configuration`. } ``` |\n\n| Fields ||\n|--------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `emailAddress` | `string` The email address for the sending identity. The email address must be the primary email address of the authenticated user. |\n| Union field `key_pair_configuration`. `key_pair_configuration` can be only one of the following: ||\n| `primaryKeyPairId` | `string` If a key pair is associated, the ID of the key pair, [CseKeyPair](/workspace/gmail/api/reference/rest/v1/users.settings.cse.keypairs#CseKeyPair). |\n| `signAndEncryptKeyPairs` | `object (`[SignAndEncryptKeyPairs](/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities#SignAndEncryptKeyPairs)`)` The configuration of a CSE identity that uses different key pairs for signing and encryption. |\n\nSignAndEncryptKeyPairs\n----------------------\n\nThe configuration of a CSE identity that uses different key pairs for signing and encryption.\n\n| JSON representation |\n|-----------------------------------------------------------------------|\n| ``` { \"signingKeyPairId\": string, \"encryptionKeyPairId\": string } ``` |\n\n| Fields ||\n|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `signingKeyPairId` | `string` The ID of the [CseKeyPair](/workspace/gmail/api/reference/rest/v1/users.settings.cse.keypairs#CseKeyPair) that signs outgoing mail. |\n| `encryptionKeyPairId` | `string` The ID of the [CseKeyPair](/workspace/gmail/api/reference/rest/v1/users.settings.cse.keypairs#CseKeyPair) that encrypts signed outgoing mail. |\n\n| Methods ------- ||\n|-------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|\n| ### [create](/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities/create) | Creates and configures a client-side encryption identity that's authorized to send mail from the user account. |\n| ### [delete](/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities/delete) | Deletes a client-side encryption identity. |\n| ### [get](/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities/get) | Retrieves a client-side encryption identity configuration. |\n| ### [list](/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities/list) | Lists the client-side encrypted identities for an authenticated user. |\n| ### [patch](/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities/patch) | Associates a different key pair with an existing client-side encryption identity. |"]]
