Google Workspace CSE API Reference

  • The Google Workspace Client-side Encryption (CSE) API empowers you to manage your own encryption keys for enhanced security of Google Workspace data.

  • This API provides a comprehensive suite of methods for key management, including wrapping, unwrapping, encryption, decryption, and signing, offering granular control over your data protection.

  • You can leverage methods such as wrap and unwrap to encrypt and decrypt data encryption keys (DEKs), while privatekeydecrypt allows for decryption using your private keys.

  • Authentication and authorization are handled through JWTs, ensuring secure access control to your encrypted data.

  • Explore detailed documentation on methods, tokens, and error handling to effectively integrate the CSE API into your workflows.

The Google Workspace Client-side Encryption (CSE) API lets you own the encryption keys used to further encrypt Google Workspace data.

Methods

Methods
delegate POST https://KACLS_URL/delegate
Allows a first user to delegate a request to a second user.
digest POST https://KACLS_URL/digest
Returns the checksum of an unwrapped DEK.
privatekeydecrypt POST https://KACLS_URL/privatekeydecrypt
Unwraps a wrapped private key and then decrypts the content encryption key that is encrypted to the public key.
privatekeysign POST https://KACLS_URL/privatekeysign
Unwraps a wrapped private key and then signs the digest provided by the client.
privilegedprivatekeydecrypt POST https://KACLS_URL/privilegedprivatekeydecrypt
Decrypts without checking the wrapped private key ACL.
privilegedunwrap POST https://KACLS_URL/privilegedunwrap
Decrypts data exported from Google in a privileged context.
privilegedwrap POST https://KACLS_URL/privilegedwrap
Returns a wrapped Data Encryption Key (DEK) and associated data.
rewrap POST https://KACLS_URL/rewrap
Re-encrypts an encrypted DEK.
status GET https://KACLS_URL/status
Checks the status of a Key Access Control List Service (KACLS).
unwrap POST https://KACLS_URL/unwrap
Returns decrypted DEK.
wrap POST https://KACLS_URL/wrap
Returns encrypted DEK and associated data.
wrapprivatekey POST https://KACLS_URL/wrapprivatekey
Wraps a user's private key.

Tokens

Tokens
Authorization JWT issued by Google to verify that the caller is authorized to encrypt or decrypt a resource.
 
Authentication JWT issued by the identity provider that attests user identity.
 

Other