A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens.
authorization
string
A JWT asserting that the user is allowed to unwrap a key for resource_name. See authorization tokens.
algorithm
string
The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption.
encrypted_data_encryption_key
string (UTF-8)
Base64-encoded encrypted content encryption key, which is encrypted with the public key associated with the private key. Max size: 1 KB.
rsa_oaep_label
string
Base64-encoded label L, if the algorithm is RSAES-OAEP. If the algorithm is not RSAES-OAEP, this field is ignored.
reason
string (UTF-8)
A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.
wrapped_private_key
string
The base64-encoded wrapped private key. Max size: 8 KB.
The format of the private key or the wrapped private key is up to the Key Access Control List Service (KACLS) implementation. On the client and on the Gmail side, this is treated as an opaque blob.
Response body
If successful, this method returns a base64 data encryption key.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-04 UTC."],[[["\u003cp\u003eThis endpoint (\u003ccode\u003eprivatekeydecrypt\u003c/code\u003e) unwraps a wrapped private key and decrypts the data encryption key.\u003c/p\u003e\n"],["\u003cp\u003eThe request body requires authentication, authorization, algorithm, encrypted data encryption key, wrapped private key, and optionally, RSA OAEP label and reason.\u003c/p\u003e\n"],["\u003cp\u003eUpon successful execution, the endpoint returns the base64-encoded data encryption key.\u003c/p\u003e\n"],["\u003cp\u003eIf the operation fails, a structured error response will be returned.\u003c/p\u003e\n"],["\u003cp\u003eAn example request and response are provided for illustration.\u003c/p\u003e\n"]]],["The `privatekeydecrypt` method unwraps a provided private key and decrypts an encrypted data encryption key (DEK). A POST request is sent to the `BASE_URL/privatekeydecrypt` endpoint. The request body requires `authentication`, `authorization`, `algorithm`, `encrypted_data_encryption_key`, `rsa_oaep_label`(optional), `reason`, and `wrapped_private_key`. Upon success, the response body returns the decrypted base64-encoded `data_encryption_key`; otherwise, a structured error is returned.\n"],null,["Unwraps a wrapped private key and then decrypts the content encryption key\nthat is encrypted to the public key.\n\nHTTP request\n\n`POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privatekeydecrypt`\n\nReplace \u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e with the Key Access Control List\nService (KACLS) URL.\n\nPath parameters\n\nNone.\n\nRequest body\n\nThe request body contains data with the following structure:\n\n| JSON representation ||\n|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|\n| ``` { \"authentication\": string, \"authorization\": string, \"algorithm\": string, \"encrypted_data_encryption_key\": string, \"rsa_oaep_label\": string, \"reason\": string, \"wrapped_private_key\": string } ``` |\n\n| Fields ||\n|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authentication` | `string` A JWT issued by the identity provider (IdP) asserting who the user is. See [authentication tokens](/workspace/cse/reference/authentication-tokens). |\n| `authorization` | `string` A JWT asserting that the user is allowed to unwrap a key for `resource_name`. See [authorization tokens](/workspace/cse/reference/authorization-tokens). |\n| `algorithm` | `string` The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption. |\n| `encrypted_data_encryption_key` | `string (UTF-8)` Base64-encoded encrypted content encryption key, which is encrypted with the public key associated with the private key. Max size: 1 KB. |\n| `rsa_oaep_label` | `string` Base64-encoded label L, if the algorithm is RSAES-OAEP. If the algorithm is not RSAES-OAEP, this field is ignored. |\n| `reason` | `string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. |\n| `wrapped_private_key` | `string` The base64-encoded wrapped private key. Max size: 8 KB. The format of the private key or the wrapped private key is up to the Key Access Control List Service (KACLS) implementation. On the client and on the Gmail side, this is treated as an opaque blob. |\n\nResponse body\n\nIf successful, this method returns a base64 data encryption key.\n\nIf the operation fails, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nis returned.\n\n| JSON representation ||\n|-------------------------------------------|---|\n| ``` { \"data_encryption_key\": string } ``` |\n\n| Fields ||\n|-----------------------|------------------------------------------------|\n| `data_encryption_key` | `string` A base64-encoded data encryption key. |\n\nExample\n\nThis example provides a sample request and response for the `privatekeydecrypt`\nmethod.\n\nRequest \n\n POST https://mykacls.example.org/v1/privatekeydecrypt\n\n {\n \"wrapped_private_key\": \"wHrlNOTI9mU6PBdqiq7EQA...\",\n \"encrypted_data_encryption_key\": \"dGVzdCB3cmFwcGVkIGRlaw...\",\n \"authorization\": \"eyJhbGciOi...\",\n \"authentication\": \"eyJhbGciOi...\",\n \"algorithm\": \"RSA/ECB/PKCS1Padding\",\n \"reason\": \"decrypt\"\n }\n\nResponse \n\n {\n \"data_encryption_key\": \"akRQtv3nr+jUhcFL6JmKzB+WzUxbkkMyW5kQsqGUAFc=\"\n }"]]
