Stay organized with collections
Save and categorize content based on your preferences.
Wraps a user's private key. This is a privileged operation, and can only be
performed by authorized Key Access Control List Service (KACLS) admins.
This API is optional. Neither Google nor the Gmail client calls
this API. The specification provided is a recommendation, not a requirement.
HTTP request
POST https://KACLS_URL/wrapprivatekey
Replace KACLS_URL with the Key Access Control List
Service (KACLS) URL.
Path parameters
None.
Request body
The request body contains data with the following structure:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-04 UTC."],[[["\u003cp\u003eWraps a user's private key, a privileged operation only authorized Key Access Control List Service (KACLS) admins can perform.\u003c/p\u003e\n"],["\u003cp\u003eThis API is optional and not used by Google or the Gmail client; the specification is a recommendation.\u003c/p\u003e\n"],["\u003cp\u003eThe API request requires a JSON body containing user authentication, perimeter ID, and the base64-encoded private key.\u003c/p\u003e\n"],["\u003cp\u003eUpon successful execution, the API returns the base64-encoded wrapped private key.\u003c/p\u003e\n"],["\u003cp\u003eIn case of failure, the API returns a structured error reply.\u003c/p\u003e\n"]]],["Authorized Key Access Control List Service (KACLS) admins can use the `wrapprivatekey` API to wrap a user's private key via a POST request. The request requires a JWT (`authentication`), a `perimeter_id`, and a base64-encoded `private_key` (max 128 bytes). Upon success, the API returns a base64-encoded `wrapped_private_key` (max 8 KB). This API is optional, not used by Google or Gmail, and serves as a recommendation.\n"],null,["Wraps a user's private key. This is a privileged operation, and can only be\nperformed by authorized Key Access Control List Service (KACLS) admins.\nThis API is optional. Neither Google nor the Gmail client calls\nthis API. The specification provided is a recommendation, not a requirement.\n\nHTTP request\n\n`POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/wrapprivatekey`\n\nReplace \u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e with the Key Access Control List\nService (KACLS) URL.\n\nPath parameters\n\nNone.\n\nRequest body\n\nThe request body contains data with the following structure:\n\n| JSON representation ||\n|-------------------------------------------------------------------------------------|---|\n| ``` { \"authentication\": string, \"perimeter_id\": string, \"private_key\": string } ``` |\n\n| Fields ||\n|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authentication` | `string` A JWT issued by the identity provider (IdP) asserting who the user is. See [authentication tokens](/workspace/cse/reference/authentication-tokens). |\n| `perimeter_id` | `string (UTF-8)` The perimeter ID to encrypt with the key. |\n| `private_key` | `string` The base64-encoded DEK. Max size: 128 bytes. |\n\nResponse body\n\nIf successful, this method returns the wrapped private key.\n\nIf the operation fails, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nis returned.\n\n| JSON representation ||\n|-------------------------------------------|---|\n| ``` { \"wrapped_private_key\": string } ``` |\n\n| Fields ||\n|-----------------------|------------------------------------------------------------------|\n| `wrapped_private_key` | `string` The base64-encoded wrapped private key. Max size: 8 KB. |\n\nExample\n\nThis example provides a sample request and response for the `wrapprivatekey`\nmethod.\n\nRequest \n\n POST https://mykacls.example.org/v1/wrapprivatekey\n\n {\n \"private_key\": \"-----BEGIN RSA PRIVATE KEY-----\\\\nMIIJ......\\\\n-----END RSA PRIVATE KEY-----\",\n \"perimeter_id\": \"\"\n }\n\nResponse \n\n {\n \"wrapped_private_key\": \"LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2PG8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hDUT89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxpCxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlRBDyZSFhatPQ==\",\n }"]]
