Google Workspace CSE API Reference

    • The Google Workspace Client-side Encryption (CSE) API empowers you to manage your own encryption keys for enhanced security of Google Workspace data.

    • This API provides a comprehensive suite of methods for key management, including wrapping, unwrapping, encryption, decryption, and signing, offering granular control over your data protection.

    • You can leverage methods such as wrap and unwrap to encrypt and decrypt data encryption keys (DEKs), while privatekeydecrypt allows for decryption using your private keys.

    • Authentication and authorization are handled through JWTs, ensuring secure access control to your encrypted data.

    • Explore detailed documentation on methods, tokens, and error handling to effectively integrate the CSE API into your workflows.

    The Google Workspace Client-side Encryption (CSE) API lets you own the encryption keys used to further encrypt Google Workspace data.

    Methods

    Methods
    delegate POST https:// KACLS_URL /delegate
    Allows a first user to delegate a request to a second user.
    digest POST https:// KACLS_URL /digest
    Returns the checksum of an unwrapped DEK.
    privatekeydecrypt POST https:// KACLS_URL /privatekeydecrypt
    Unwraps a wrapped private key and then decrypts the content encryption key that is encrypted to the public key.
    privatekeysign POST https:// KACLS_URL /privatekeysign
    Unwraps a wrapped private key and then signs the digest provided by the client.
    privilegedprivatekeydecrypt POST https:// KACLS_URL /privilegedprivatekeydecrypt
    Decrypts without checking the wrapped private key ACL.
    privilegedunwrap POST https:// KACLS_URL /privilegedunwrap
    Decrypts data exported from Google in a privileged context.
    privilegedwrap POST https:// KACLS_URL /privilegedwrap
    Returns a wrapped Data Encryption Key (DEK) and associated data.
    rewrap POST https:// KACLS_URL /rewrap
    Re-encrypts an encrypted DEK.
    status GET https:// KACLS_URL /status
    Checks the status of a Key Access Control List Service (KACLS).
    unwrap POST https:// KACLS_URL /unwrap
    Returns decrypted DEK.
    wrap POST https:// KACLS_URL /wrap
    Returns encrypted DEK and associated data.
    wrapprivatekey POST https:// KACLS_URL /wrapprivatekey
    Wraps a user's private key.

    Tokens

    Tokens
    Authorization JWT issued by Google to verify that the caller is authorized to encrypt or decrypt a resource.
    Authentication JWT issued by the identity provider that attests user identity.

    Other
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: