Method: privilegedunwrap

  • Decrypts data exported from Google Takeout in a privileged context, bypassing standard access controls.

  • Requires a JWT for authentication and identifies the encrypted object with a resource name.

  • Returns the Data Encryption Key (DEK) used to encrypt the data, allowing privileged access to its content.

  • Uses a specific request body structure containing authentication, reason, resource name, and the wrapped key.

Decrypts data exported from Google in a privileged context. Previously known asTakeoutUnwrap. Returns the Data Encryption Key (DEK) that was wrapped usingwrap without checking the original documentor file access control list (ACL). For an example use case, see:GoogleTakeout.

HTTP request

POST https://KACLS_URL/privilegedunwrap

ReplaceKACLS_URL with the Key Access Control ListService (KACLS) URL.

Path parameters

None.

Request body

The request body contains data with the following structure:

JSON representation
{"authentication":string,"reason":string,"resource_name":string,"wrapped_key":string}
Fields
authentication

string

A JWT issued by the IdP asserting who the user is. Seeauthentication tokens.

reason

string (UTF-8)

A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Maximum size: 1 KB.

resource_name

string (UTF-8)

An identifier for the object encrypted by the DEK. This value must match theresource_name used to wrap the key. Maximum size: 128 bytes.

wrapped_key

string

The base64 binary object returned bywrap.

Response body

If successful, this method returns the document encryption key.

If the operation fails, astructured error replyshould be returned.

JSON representation
{"key":string}
Fields
key

string

The base64-encoded DEK.

Example

This example provides a sample request and response for theprivilegedunwrapmethod.

Request

POSThttps://mykacls.example.com/v1/takeout_unwrap{"wrapped_key":"7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==","authentication":"eyJhbGciOi…""reason":"{client:'takeout' op:'read'}""resource_name":"item123"}

Response

{"key":"0saNxttLMQULfXuTbRFJzi/QJokN1jW16u0yaNvvLdQ="}

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-01-27 UTC.