The client-side encryption (CSE) configuration for the email address of an authenticated user. Gmail uses CSE configurations to save drafts of client-side encrypted email messages, and to sign and send encrypted email messages.
For administrators managing identities and keypairs for users in their organization, requests require authorization with a service account that has domain-wide delegation authority to impersonate users with the https://www.googleapis.com/auth/gmail.settings.basic scope.
For users managing their own identities and keypairs, requests require hardware key encryption turned on and configured.
JSON representation
{"emailAddress": string,// Union field key_pair_configuration can be only one of the following:"primaryKeyPairId": string,"signAndEncryptKeyPairs": {object (SignAndEncryptKeyPairs)}// End of list of possible types for union field key_pair_configuration.}
Fields
emailAddress
string
The email address for the sending identity. The email address must be the primary email address of the authenticated user.
Union field key_pair_configuration.
key_pair_configuration can be only one of the following:
primaryKeyPairId
string
If a key pair is associated, the ID of the key pair, CseKeyPair.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-06-12 UTC."],[],[],null,["# REST Resource: users.settings.cse.identities\n\n- [Resource: CseIdentity](#CseIdentity)\n - [JSON representation](#CseIdentity.SCHEMA_REPRESENTATION)\n- [SignAndEncryptKeyPairs](#SignAndEncryptKeyPairs)\n - [JSON representation](#SignAndEncryptKeyPairs.SCHEMA_REPRESENTATION)\n- [Methods](#METHODS_SUMMARY)\n\nResource: CseIdentity\n---------------------\n\nThe client-side encryption (CSE) configuration for the email address of an authenticated user. Gmail uses CSE configurations to save drafts of client-side encrypted email messages, and to sign and send encrypted email messages.\n\nFor administrators managing identities and keypairs for users in their organization, requests require authorization with a [service account](https://developers.google.com/identity/protocols/OAuth2ServiceAccount) that has [domain-wide delegation authority](https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority) to impersonate users with the `https://www.googleapis.com/auth/gmail.settings.basic` scope.\n\nFor users managing their own identities and keypairs, requests require [hardware key encryption](https://support.google.com/a/answer/14153163) turned on and configured.\n\n| JSON representation |\n|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| ``` { \"emailAddress\": string, // Union field `key_pair_configuration` can be only one of the following: \"primaryKeyPairId\": string, \"signAndEncryptKeyPairs\": { object (/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities#SignAndEncryptKeyPairs) } // End of list of possible types for union field `key_pair_configuration`. } ``` |\n\n| Fields ||\n|--------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `emailAddress` | `string` The email address for the sending identity. The email address must be the primary email address of the authenticated user. |\n| Union field `key_pair_configuration`. `key_pair_configuration` can be only one of the following: ||\n| `primaryKeyPairId` | `string` If a key pair is associated, the ID of the key pair, [CseKeyPair](/workspace/gmail/api/reference/rest/v1/users.settings.cse.keypairs#CseKeyPair). |\n| `signAndEncryptKeyPairs` | `object (`[SignAndEncryptKeyPairs](/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities#SignAndEncryptKeyPairs)`)` The configuration of a CSE identity that uses different key pairs for signing and encryption. |\n\nSignAndEncryptKeyPairs\n----------------------\n\nThe configuration of a CSE identity that uses different key pairs for signing and encryption.\n\n| JSON representation |\n|-----------------------------------------------------------------------|\n| ``` { \"signingKeyPairId\": string, \"encryptionKeyPairId\": string } ``` |\n\n| Fields ||\n|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `signingKeyPairId` | `string` The ID of the [CseKeyPair](/workspace/gmail/api/reference/rest/v1/users.settings.cse.keypairs#CseKeyPair) that signs outgoing mail. |\n| `encryptionKeyPairId` | `string` The ID of the [CseKeyPair](/workspace/gmail/api/reference/rest/v1/users.settings.cse.keypairs#CseKeyPair) that encrypts signed outgoing mail. |\n\n| Methods ------- ||\n|-------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|\n| ### [create](/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities/create) | Creates and configures a client-side encryption identity that's authorized to send mail from the user account. |\n| ### [delete](/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities/delete) | Deletes a client-side encryption identity. |\n| ### [get](/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities/get) | Retrieves a client-side encryption identity configuration. |\n| ### [list](/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities/list) | Lists the client-side encrypted identities for an authenticated user. |\n| ### [patch](/workspace/gmail/api/reference/rest/v1/users.settings.cse.identities/patch) | Associates a different key pair with an existing client-side encryption identity. |"]]