Google Workspace CSE API Reference

  • The Google Workspace Client-side Encryption (CSE) API empowers you to manage your own encryption keys for enhanced security of Google Workspace data.

  • This API provides a comprehensive suite of methods for key management, including wrapping, unwrapping, encryption, decryption, and signing, offering granular control over your data protection.

  • You can leverage methods such as wrap and unwrap to encrypt and decrypt data encryption keys (DEKs), while privatekeydecrypt allows for decryption using your private keys.

  • Authentication and authorization are handled through JWTs, ensuring secure access control to your encrypted data.

  • Explore detailed documentation on methods, tokens, and error handling to effectively integrate the CSE API into your workflows.

The Google Workspace Client-side Encryption (CSE) API lets you own the encryption keys used to further encrypt Google Workspace data.

Methods

Methods
delegate POST https://KACLS_URL/delegate
Allows a first user to delegate a request to a second user.
digest POST https://KACLS_URL/digest
Returns the checksum of an unwrapped DEK.
privatekeydecrypt POST https://KACLS_URL/privatekeydecrypt
Unwraps a wrapped private key and then decrypts the content encryption key that is encrypted to the public key.
privatekeysign POST https://KACLS_URL/privatekeysign
Unwraps a wrapped private key and then signs the digest provided by the client.
privilegedprivatekeydecrypt POST https://KACLS_URL/privilegedprivatekeydecrypt
Decrypts without checking the wrapped private key ACL.
privilegedunwrap POST https://KACLS_URL/privilegedunwrap
Decrypts data exported from Google in a privileged context.
privilegedwrap POST https://KACLS_URL/privilegedwrap
Returns a wrapped Data Encryption Key (DEK) and associated data.
rewrap POST https://KACLS_URL/rewrap
Re-encrypts an encrypted DEK.
status GET https://KACLS_URL/status
Checks the status of a Key Access Control List Service (KACLS).
unwrap POST https://KACLS_URL/unwrap
Returns decrypted DEK.
wrap POST https://KACLS_URL/wrap
Returns encrypted DEK and associated data.
wrapprivatekey POST https://KACLS_URL/wrapprivatekey
Wraps a user's private key.

Tokens

Tokens
Authorization JWT issued by Google to verify that the caller is authorized to encrypt or decrypt a resource.
Authentication JWT issued by the identity provider that attests user identity.

Other

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026年04月20日 UTC.