Method: unwrap

  • Returns the decrypted Data Encryption Key (DEK) when provided with a wrapped key, authentication, authorization, and reason.

  • Requires a wrapped key generated by the wrap method, alongside authentication and authorization tokens for security and access control.

  • Accepts an optional reason parameter for providing context about the operation, which should be sanitized before display.

  • Returns the base64-encoded DEK on successful execution, or a structured error reply if the operation fails.

  • Utilizes the KACLS URL for making the POST request and requires specifying the version in the URL path (e.g., /v1/unwrap).

Returns decrypted Data Encryption Key (DEK).

For more details, see Encrypt & decrypt data.

HTTP request

POST https://KACLS_URL/unwrap

Replace KACLS_URL with the Key Access Control List Service (KACLS) URL.

Path parameters

None.

Request body

The request body contains data with the following structure:

JSON representation
{
 "authentication": string,
 "authorization": string,
 "reason": string,
 "wrapped_key": string
}
Fields
authentication

string

A JWT issued by the IdP asserting who the user is. See authentication tokens.

authorization

string

A JWT asserting that the user is allowed to unwrap a key for resource_name. See authorization tokens.

reason

string (UTF-8)

A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.

wrapped_key

string

The base64 binary object returned by wrap.

Response body

If successful, this method returns the document encryption key.

If the operation fails, a structured error reply should be returned.

JSON representation
{
 "key": string
}
Fields
key

string

The base64-encoded DEK.

Example

This example provides a sample request and response for the unwrap method.

Request

POSThttps://mykacls.example.com/v1/unwrap
{
"wrapped_key":"7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==",
"authorization":"eyJhbGciOi..."
"authentication":"eyJhbGciOi..."
"reason":"{client:'drive' op:'read'}"
}

Response

{
"key":"0saNxttLMQULfXuTbRFJzi/QJokN1jW16u0yaNvvLdQ="
}

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026年01月27日 UTC.