Bearer token ( JWT: RFC 7516 ) issued by Google to verify that the caller is authorized to encrypt or decrypt a resource.
To prevent abuse, the Key Access Control List Service (KACLS) should verify that the caller is authorized to encrypt the object (file or document) before wrapping the key and to decrypt it before unwrapping the DEK.
Authorization token for Docs & Drive, Calendar and Meet client-side encryption (CSE)
| JSON representation | |
|---|---|
{ "aud" : string , "delegated_to" : string , "email" : string , "email_type" : string , "exp" : string , "iat" : string , "iss" : string , "kacls_url" : string , "perimeter_id" : string , "resource_name" : string , "role" : string } |
|
aud
string
The audience, as identified by Google. Should be checked against the local configuration.
delegated_to
string
(Optional) The email address of the user who is authorized to access the resource.
email
string (UTF-8)
The user's email address.
email_type
string
Contains one of the follow values:
-
google: This email belongs to a Google Account. -
google-visitor: This email doesn't belong to a Google Account, but was PIN-code verified by Google. -
customer-idp: This email doesn't belong to a Google Account, but the user's email was extracted using a customer-configured IdP. - The claim can be unset; in that case the default value is `google`.
exp
string
Expiration time.
iat
string
Issuance time.
iss
string
The token issuer. Should be validated against the trusted set of authentication issuers.
kacls_url
string
The configured base KACLS URL, used to prevent person-in-the-middle (PITM) attacks.
perimeter_id
string (UTF-8)
(Optional) A value tied to the document location that can be used to choose which perimeter will be checked when unwrapping. Maximum size: 128 bytes.
resource_name
string (UTF-8)
An identifier for the object encrypted by the DEK. Maximum size: 128 bytes.
Authorization token for Gmail CSE
| JSON representation | |
|---|---|
{ "aud" : string , "email" : string , "exp" : string , "iat" : string , "message_id" : string , "iss" : string , "kacls_url" : string , "perimeter_id" : string , "resource_name" : string , "role" : string , "spki_hash" : string , "spki_hash_algorithm" : string } |
|
aud
string
The audience, as identified by Google. Should be checked against the local configuration.
email
string (UTF-8)
The user's email address.
exp
string
Expiration time.
iat
string
Issuance time.
message_id
string
An identifier for the message on which the decryption or signing is performed. Used as client reason for auditing purposes.
iss
string
The token issuer. Should be validated against the trusted set of authentication issuers.
kacls_url
string
The configured base KACLS URL, used to prevent person-in-the-middle (PITM) attacks.
perimeter_id
string (UTF-8)
(Optional) A value tied to the document location that can be used to choose which perimeter is checked when unwrapping. Maximum size: 128 bytes.
resource_name
string (UTF-8)
An identifier for the object encrypted by the DEK. Maximum size: 512 bytes.
role
string
Contains one of the follow values:
-
decrypter: Can decrypt. -
signer: Can sign.
spki_hash
string
Standard base64-encoded digest of the DER-encoded SubjectPublicKeyInfo
of the private key being accessed.
spki_hash_algorithm
string
Algorithm used to produce spki_hash
. Can be SHA-256
.
Authorization token for KACLS migration service
| JSON representation | |
|---|---|
{ "aud" : string , "email" : string , "exp" : string , "iat" : string , "iss" : string , "kacls_url" : string , "resource_name" : string , "role" : string } |
|
aud
string
The audience, as identified by Google. Should be checked against the local configuration.
email
string (UTF-8)
The user's email address.
exp
string
Expiration time.
iat
string
Issuance time.
iss
string
The token issuer. Should be validated against the trusted set of authentication issuers.
kacls_url
string
The configured base KACLS URL, used to prevent person-in-the-middle (PITM) attacks.
