Method: wrapprivatekey
Stay organized with collections
Save and categorize content based on your preferences.
Wraps a user's private key. This is a privileged operation, and can only be
performed by authorized Key Access Control List Service (KACLS) admins.
This API is optional. Neither Google nor the Gmail client calls
this API. The specification provided is a recommendation, not a requirement.
HTTP request
POST https://KACLS_URL/wrapprivatekey
Replace KACLS_URL with the Key Access Control List
Service (KACLS) URL.
Path parameters
None.
Request body
The request body contains data with the following structure:
| JSON representation |
{
"authentication": string,
"perimeter_id": string,
"private_key": string
}
|
| Fields |
authentication |
string
A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens.
|
perimeter_id |
string (UTF-8)
The perimeter ID to encrypt with the key.
|
private_key |
string
The base64-encoded DEK. Max size: 128 bytes.
|
Response body
If successful, this method returns the wrapped private key.
If the operation fails, a
structured error reply
is returned.
| JSON representation |
{
"wrapped_private_key": string
}
|
| Fields |
wrapped_private_key |
string
The base64-encoded wrapped private key. Max size: 8 KB.
|
Example
This example provides a sample request and response for the wrapprivatekey
method.
Request
POST https://mykacls.example.org/v1/wrapprivatekey
{
"private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIJ......\\n-----END RSA PRIVATE KEY-----",
"perimeter_id": ""
}
Response
{
"wrapped_private_key": "LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2PG8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hDUT89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxpCxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlRBDyZSFhatPQ==",
}
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-04 UTC.
[null,null,["Last updated 2025-08-04 UTC."],[[["\u003cp\u003eWraps a user's private key, a privileged operation only authorized Key Access Control List Service (KACLS) admins can perform.\u003c/p\u003e\n"],["\u003cp\u003eThis API is optional and not used by Google or the Gmail client; the specification is a recommendation.\u003c/p\u003e\n"],["\u003cp\u003eThe API request requires a JSON body containing user authentication, perimeter ID, and the base64-encoded private key.\u003c/p\u003e\n"],["\u003cp\u003eUpon successful execution, the API returns the base64-encoded wrapped private key.\u003c/p\u003e\n"],["\u003cp\u003eIn case of failure, the API returns a structured error reply.\u003c/p\u003e\n"]]],["Authorized Key Access Control List Service (KACLS) admins can use the `wrapprivatekey` API to wrap a user's private key via a POST request. The request requires a JWT (`authentication`), a `perimeter_id`, and a base64-encoded `private_key` (max 128 bytes). Upon success, the API returns a base64-encoded `wrapped_private_key` (max 8 KB). This API is optional, not used by Google or Gmail, and serves as a recommendation.\n"],null,["# Method: wrapprivatekey\n\nWraps a user's private key. This is a privileged operation, and can only be\nperformed by authorized Key Access Control List Service (KACLS) admins.\nThis API is optional. Neither Google nor the Gmail client calls\nthis API. The specification provided is a recommendation, not a requirement.\n\n### HTTP request\n\n`POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/wrapprivatekey`\n\nReplace \u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e with the Key Access Control List\nService (KACLS) URL.\n\n### Path parameters\n\nNone.\n\n### Request body\n\nThe request body contains data with the following structure:\n\n| JSON representation ||\n|-------------------------------------------------------------------------------------|---|\n| ``` { \"authentication\": string, \"perimeter_id\": string, \"private_key\": string } ``` |\n\n| Fields ||\n|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authentication` | `string` A JWT issued by the identity provider (IdP) asserting who the user is. See [authentication tokens](/workspace/cse/reference/authentication-tokens). |\n| `perimeter_id` | `string (UTF-8)` The perimeter ID to encrypt with the key. |\n| `private_key` | `string` The base64-encoded DEK. Max size: 128 bytes. |\n\n### Response body\n\nIf successful, this method returns the wrapped private key.\n\nIf the operation fails, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nis returned.\n\n| JSON representation ||\n|-------------------------------------------|---|\n| ``` { \"wrapped_private_key\": string } ``` |\n\n| Fields ||\n|-----------------------|------------------------------------------------------------------|\n| `wrapped_private_key` | `string` The base64-encoded wrapped private key. Max size: 8 KB. |\n\n### Example\n\nThis example provides a sample request and response for the `wrapprivatekey`\nmethod.\n\n#### Request\n\n POST https://mykacls.example.org/v1/wrapprivatekey\n\n {\n \"private_key\": \"-----BEGIN RSA PRIVATE KEY-----\\\\nMIIJ......\\\\n-----END RSA PRIVATE KEY-----\",\n \"perimeter_id\": \"\"\n }\n\n#### Response\n\n {\n \"wrapped_private_key\": \"LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2PG8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hDUT89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxpCxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlRBDyZSFhatPQ==\",\n }"]]
