Join us for Google Workspace Developer Summit on October 8th and 9th in Sunnyvale, CA and October 21st and 22nd in Paris, France. Register today to connect with other developers and get a preview of the latest features and updates.

Authorization tokens

AI-generated Key Takeaways

Google issues a bearer token (JWT) to authorize encryption and decryption of resources, verified by the Key Access Control List Service (KACLS).
This token contains fields like audience, user email, expiration, issuance time, resource name, and role for access control.
Different token structures and fields exist for Docs/Drive/Calendar/Meet, Gmail, and KACLS migration, each serving specific purposes and containing relevant information.
The KACLS plays a role in preventing abuse by verifying authorization for encryption and decryption operations.
Roles like reader, writer, decrypter, signer, migrator, and verifier define the allowed actions within each service.

Bearer token (JWT: RFC 7516) issued by Google to verify that the caller is authorized to encrypt or decrypt a resource.

To prevent abuse, the Key Access Control List Service (KACLS) should verify that the caller is authorized to encrypt the object (file or document) before wrapping the key and to decrypt it before unwrapping the DEK.

Authorization token for Docs & Drive, Calendar and Meet client-side encryption (CSE)

JSON representation
{ "aud": string, "delegated_to": string, "email": string, "email_type": string, "exp": string, "iat": string, "iss": string, "kacls_url": string, "perimeter_id": string, "resource_name": string, "role": string }

JSON representation

{
  "aud": string,
  "delegated_to": string,
  "email": string,
  "email_type": string,
  "exp": string,
  "iat": string,
  "iss": string,
  "kacls_url": string,
  "perimeter_id": string,
  "resource_name": string,
  "role": string
}

Fields
`aud`	`string` The audience, as identified by Google. Should be checked against the local configuration.
`delegated_to`	`string` (Optional) The email address of the user who is authorized to access the resource.
`email`	`string (UTF-8)` The user's email address.
`email_type`	`string` Contains one of the follow values: `google`: This email belongs to a Google Account. `google-visitor`: This email doesn't belong to a Google Account, but was PIN-code verified by Google. `customer-idp`: This email doesn't belong to a Google Account, but the user's email was extracted using a customer-configured IdP. The claim can be unset; in that case the default value is `google`.
`exp`	`string` Expiration time.
`iat`	`string` Issuance time.
`iss`	`string` The token issuer. Should be validated against the trusted set of authentication issuers.
`kacls_url`	`string` The configured base KACLS URL, used to prevent person-in-the-middle (PITM) attacks.
`perimeter_id`	`string (UTF-8)` (Optional) A value tied to the document location that can be used to choose which perimeter will be checked when unwrapping. Maximum size: 128 bytes.
`resource_name`	`string (UTF-8)` An identifier for the object encrypted by the DEK. Maximum size: 128 bytes.
`role`	`string` Contains one of the follow values: `reader`: Allowed to call `unwrap` only. `writer`: Allowed to call both `wrap` and `unwrap`

Authorization token for Gmail CSE

JSON representation
{ "aud": string, "email": string, "exp": string, "iat": string, "message_id": string, "iss": string, "kacls_url": string, "perimeter_id": string, "resource_name": string, "role": string, "spki_hash": string, "spki_hash_algorithm": string }