Google Workspace CSE API Reference

The Google Workspace Client-side Encryption (CSE) API lets you own the encryption keys used to further encrypt Google Workspace data.


digest POST https://KACLS_URL/digest
Returns the checksum of an unwrapped DEK.
privatekeydecrypt POST https://BASE_URL/privatekeydecrypt
Unwraps a wrapped private key and then decrypts the content encryption key that is encrypted to the public key.
privatekeysign POST https://BASE_URL/privatekeysign
Unwraps a wrapped private key and then signs the digest provided by the client.
privilegedprivatekeydecrypt POST https://BASE_URL/privilegedprivatekeydecrypt
Decrypts without checking the wrapped private key ACL.
privilegedunwrap POST https://KACLS_URL/privilegedunwrap
Decrypts data exported from Google in a privileged context.
privilegedwrap POST https://KACLS_URL/privilegedwrap
Returns a wrapped Data Encryption Key (DEK) and associated data.
rewrap POST https://KACLS_URL/rewrap
Re-encrypts an encrypted DEK.
status GET https://KACLS_URL/status
Checks the status of a Key Access Control List Service (KACLS).
unwrap POST https://KACLS_URL/unwrap
Returns decrypted DEK.
wrap POST https://KACLS_URL/wrap
Returns encrypted DEK and associated data.
wrapprivatekey POST https://BASE_URL/wrapprivatekey
Wraps a user's private key.


Authorization JWT issued by Google to verify that the caller is authorized to encrypt or decrypt a resource.
Authentication JWT issued by the identity provider that attests user identity.