Method: unwrap

  • Returns the decrypted Data Encryption Key (DEK) when provided with a wrapped key, authentication, authorization, and reason.

  • Requires a wrapped key generated by the wrap method, alongside authentication and authorization tokens for security and access control.

  • Accepts an optional reason parameter for providing context about the operation, which should be sanitized before display.

  • Returns the base64-encoded DEK on successful execution, or a structured error reply if the operation fails.

  • Utilizes the KACLS URL for making the POST request and requires specifying the version in the URL path (e.g., /v1/unwrap).

Returns decrypted Data Encryption Key (DEK).

For more details, see Encrypt & decrypt data.

HTTP request

POST https://KACLS_URL/unwrap

Replace KACLS_URL with the Key Access Control List Service (KACLS) URL.

Path parameters

None.

Request body

The request body contains data with the following structure:

JSON representation

{
  "authentication": string,
  "authorization": string,
  "reason": string,
  "wrapped_key": string
}

Fields

authentication

string

A JWT issued by the IdP asserting who the user is. See authentication tokens.

authorization

string

A JWT asserting that the user is allowed to unwrap a key for resource_name. See authorization tokens.

reason

string (UTF-8)

A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.

wrapped_key

string

The base64 binary object returned by wrap.

Response body

If successful, this method returns the document encryption key.

If the operation fails, a structured error reply should be returned.

JSON representation

{
  "key": string
}

Fields

key

string

The base64-encoded DEK.

Example

This example provides a sample request and response for the unwrap method.

Request

POST https://mykacls.example.com/v1/unwrap

{
  "wrapped_key": "7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==",
  "authorization": "eyJhbGciOi…",
  "authentication": "eyJhbGciOi…",
  "reason": "{client:'drive' op:'read'}"
}

Response

{"key":"0saNxttLMQULfXuTbRFJzi/QJokN1jW16u0yaNvvLdQ="}

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-01-27 UTC.