方法:unwrap
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
返回解密的数据加密密钥 (DEK)。
有关详情,请参阅加密和解密数据。
HTTP 请求
POST https://KACLS_URL/unwrap
将 KACLS_URL
替换为密钥访问控制列表服务 (KACLS)
网址。
路径参数
无。
请求正文
请求正文中包含结构如下的数据:
JSON 表示法 |
{
"authentication": string,
"authorization": string,
"reason": string,
"wrapped_key": string
}
|
字段 |
authentication |
string
由 IdP 颁发的 JWT,用于声明用户的身份。请参阅身份验证令牌。
|
authorization |
string
一个 JWT,断言允许用户解封 resource_name 的密钥。请参阅授权令牌。
|
reason |
string (UTF-8)
提供操作的其他上下文的直通式 JSON 字符串。提供的 JSON 应在显示之前进行清理。大小上限:1 KB。
|
wrapped_key |
string
wrap 返回的 base64 二进制对象。
|
响应正文
如果成功,此方法将返回文档加密密钥。
如果操作失败,
结构化错误回复
。
JSON 表示法 |
{
"key": string
}
|
字段 |
key |
string
采用 base64 编码的 DEK。
|
示例
此示例提供了 unwrap
方法的示例请求和响应。
请求
POST https://mykacls.example.com/v1/unwrap
{
"wrapped_key": "7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==",
"authorization": "eyJhbGciOi…"
"authentication": "eyJhbGciOi…"
"reason": "{client:'drive' op:'read'}"
}
响应
{
"key": "0saNxttLMQULfXuTbRFJzi/QJokN1jW16u0yaNvvLdQ="
}
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-07-25。
[null,null,["最后更新时间 (UTC):2025-07-25。"],[[["\u003cp\u003eReturns the decrypted Data Encryption Key (DEK) when provided with a wrapped key, authentication, authorization, and reason.\u003c/p\u003e\n"],["\u003cp\u003eRequires a wrapped key generated by the \u003ccode\u003ewrap\u003c/code\u003e method, alongside authentication and authorization tokens for security and access control.\u003c/p\u003e\n"],["\u003cp\u003eAccepts an optional reason parameter for providing context about the operation, which should be sanitized before display.\u003c/p\u003e\n"],["\u003cp\u003eReturns the base64-encoded DEK on successful execution, or a structured error reply if the operation fails.\u003c/p\u003e\n"],["\u003cp\u003eUtilizes the KACLS URL for making the POST request and requires specifying the version in the URL path (e.g., /v1/unwrap).\u003c/p\u003e\n"]]],["The `unwrap` method decrypts a Data Encryption Key (DEK). It requires a `POST` request to the KACLS URL with a JSON body containing: `authentication` (user ID JWT), `authorization` (key unwrapping permission JWT), `reason` (operation context), and `wrapped_key` (base64 encrypted key). A successful response returns a JSON body with the decrypted `key` (base64-encoded DEK). Failure returns a structured error.\n"],null,["# Method: unwrap\n\nReturns decrypted Data Encryption Key (DEK).\n\nFor more details, see [Encrypt \\& decrypt data](/workspace/cse/guides/encrypt-and-decrypt-data).\n\n### HTTP request\n\n`POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/unwrap`\n\nReplace \u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e with the Key Access Control List Service (KACLS)\nURL.\n\n### Path parameters\n\nNone.\n\n### Request body\n\nThe request body contains data with the following structure:\n\n| JSON representation ||\n|--------------------------------------------------------------------------------------------------------|---|\n| ``` { \"authentication\": string, \"authorization\": string, \"reason\": string, \"wrapped_key\": string } ``` |\n\n| Fields ||\n|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authentication` | `string` A JWT issued by the IdP asserting who the user is. See [authentication tokens](/workspace/cse/reference/authentication-tokens). |\n| `authorization` | `string` A JWT asserting that the user is allowed to unwrap a key for `resource_name`. See [authorization tokens](/workspace/cse/reference/authorization-tokens). |\n| `reason` | `string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. |\n| `wrapped_key` | `string` The base64 binary object returned by [`wrap`](/workspace/cse/reference/wrap). |\n\n### Response body\n\nIf successful, this method returns the document encryption key.\n\nIf the operation fails, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nshould be returned.\n\n| JSON representation ||\n|---------------------------|---|\n| ``` { \"key\": string } ``` |\n\n| Fields ||\n|-------|----------------------------------|\n| `key` | `string` The base64-encoded DEK. |\n\n### Example\n\nThis example provides a sample request and response for the `unwrap` method.\n\n#### Request\n\n POST https://mykacls.example.com/v1/unwrap\n\n {\n \"wrapped_key\": \"7qTh6Mp+svVwYPlnZMyuj8WHTrM59wl/UI50jo61Qt/QubZ9tfsUc1sD62xdg3zgxC9quV4r+y7AkbfIDhbmxGqP64pWbZgFzOkP0JcSn+1xm/CB2E5IknKsAbwbYREGpiHM3nzZu+eLnvlfbzvTnJuJwBpLoPYQcnPvcgm+5gU1j1BjUaNKS/uDn7VbVm7hjbKA3wkniORC2TU2MiHElutnfrEVZ8wQfrCEpuWkOXs98H8QxUK4pBM2ea1xxGj7vREAZZg1x/Ci/E77gHxymnZ/ekhUIih6Pwu75jf+dvKcMnpmdLpwAVlE1G4dNginhFVyV/199llf9jmHasQQuaMFzQ9UMWGjA1Hg2KsaD9e3EL74A5fLkKc2EEmBD5v/aP+1RRZ3ISbTOXvxqYIFCdSFSCfPbUhkc9I2nHS0obEH7Q7KiuagoDqV0cTNXWfCGJ1DtIlGQ9IA6mPDAjX8Lg==\",\n \"authorization\": \"eyJhbGciOi...\"\n \"authentication\": \"eyJhbGciOi...\"\n \"reason\": \"{client:'drive' op:'read'}\"\n }\n\n#### Response\n\n {\n \"key\": \"0saNxttLMQULfXuTbRFJzi/QJokN1jW16u0yaNvvLdQ=\"\n }"]]