A JWT asserting that the user is allowed to unwrap a key for resource_name. See authorization tokens.
reason
string (UTF-8)
A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-11-14 UTC."],[[["\u003cp\u003eReturns the decrypted Data Encryption Key (DEK) when provided with a wrapped key, authentication, authorization, and reason.\u003c/p\u003e\n"],["\u003cp\u003eRequires a wrapped key generated by the \u003ccode\u003ewrap\u003c/code\u003e method, alongside authentication and authorization tokens for security and access control.\u003c/p\u003e\n"],["\u003cp\u003eAccepts an optional reason parameter for providing context about the operation, which should be sanitized before display.\u003c/p\u003e\n"],["\u003cp\u003eReturns the base64-encoded DEK on successful execution, or a structured error reply if the operation fails.\u003c/p\u003e\n"],["\u003cp\u003eUtilizes the KACLS URL for making the POST request and requires specifying the version in the URL path (e.g., /v1/unwrap).\u003c/p\u003e\n"]]],["The `unwrap` method decrypts a Data Encryption Key (DEK). It requires a `POST` request to the KACLS URL with a JSON body containing: `authentication` (user ID JWT), `authorization` (key unwrapping permission JWT), `reason` (operation context), and `wrapped_key` (base64 encrypted key). A successful response returns a JSON body with the decrypted `key` (base64-encoded DEK). Failure returns a structured error.\n"],null,["Returns decrypted Data Encryption Key (DEK).\n\nFor more details, see [Encrypt \\& decrypt data](/workspace/cse/guides/encrypt-and-decrypt-data).\n\nHTTP request\n\n`POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/unwrap`\n\nReplace \u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e with the Key Access Control List Service (KACLS)\nURL.\n\nPath parameters\n\nNone.\n\nRequest body\n\nThe request body contains data with the following structure:\n\n| JSON representation ||\n|--------------------------------------------------------------------------------------------------------|---|\n| ``` { \"authentication\": string, \"authorization\": string, \"reason\": string, \"wrapped_key\": string } ``` |\n\n| Fields ||\n|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authentication` | `string` A JWT issued by the IdP asserting who the user is. See [authentication tokens](/workspace/cse/reference/authentication-tokens). |\n| `authorization` | `string` A JWT asserting that the user is allowed to unwrap a key for `resource_name`. See [authorization tokens](/workspace/cse/reference/authorization-tokens). |\n| `reason` | `string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. |\n| `wrapped_key` | `string` The base64 binary object returned by [`wrap`](/workspace/cse/reference/wrap). |\n\nResponse body\n\nIf successful, this method returns the document encryption key.\n\nIf the operation fails, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nshould be returned.\n\n| JSON representation ||\n|---------------------------|---|\n| ``` { \"key\": string } ``` |\n\n| Fields ||\n|-------|----------------------------------|\n| `key` | `string` The base64-encoded DEK. |\n\nExample\n\nThis example provides a sample request and response for the `unwrap` method.\n\nRequest \n\n POST https://mykacls.example.com/v1/unwrap\n\n {\n \"wrapped_key\": \"7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==\",\n \"authorization\": \"eyJhbGciOi...\"\n \"authentication\": \"eyJhbGciOi...\"\n \"reason\": \"{client:'drive' op:'read'}\"\n }\n\nResponse \n\n {\n \"key\": \"0saNxttLMQULfXuTbRFJzi/QJokN1jW16u0yaNvvLdQ=\"\n }"]]
