The Google Workspace Client-side Encryption API is currently in Restricted Beta. Apply for access

Authorization tokens

Bearer token (JWT: RFC 7516) issued by Google to verify that the caller is authorized to encrypt or decrypt a resource.

To prevent abuse, the KACLS should verify that the caller is authorized to encrypt the object (file or document) before wrapping the key and to decrypt it before unwrapping the DEK.

JSON representation
{
  "aud": string,
  "email": string,
  "exp": string,
  "iat": string,
  "iss": string,
  "kacls_url": string,
  "perimeter_id": string,
  "resource_name": string,
  "role": string
}
Fields
aud

string

The audience, as identified by Google. Should be checked against the local configuration.

email

string (UTF-8)

The user's email address.

exp

string

Expiration time.

iat

string

Issuance time.

iss

string

The token issuer. Should be validated against the trusted set of authentication issuers.

kacls_url

string

The configured base KACLS URL, used to prevent MITM attacks.

perimeter_id

string (UTF-8)

(Optional) A value tied to the document location that can be used to choose which perimeter will be checked when unwrapping. Maximum size: 128 bytes.

resource_name

string (UTF-8)

An identifier for the object encrypted by the DEK. Maximum size: 128 bytes.

role

string

Contains one of the follow values:

  • reader: Allowed to call unwrap only.
  • writer: Allowed to call both wrap and unwrap
  • upgrader: Allowed to call wrap only. This is used by Google servers when performing one-way conversion of plain-text objects to encrypted objects.