
# Batch decrypt with one or more keys.

> The order of batch items in the response matches that of the request. An individual status code is returned for each batch item, so check each item's `status` (and `error`, when present) rather than relying on the overall HTTP status alone.

**Note** : Provide the key ID in the *`kid`* field. The *`key`* field within the *`request`* field should be omitted.

## OpenAPI

````json POST /crypto/v1/keys/batch/decrypt
{
  "openapi": "3.0.0",
  "info": {
    "title": "Fortanix DSM REST API",
    "description": "This is a set of REST APIs for accessing the Fortanix Data Security Manager. This includes APIs for managing accounts, and for performing cryptographic and key management operations. \n\n **Note:** \n- All binary input should be base64-encoded. These fields are marked with `format: byte`. \n- For forward compatibility, any API client is expected to ignore any fields in the response not explicitly mentioned in the documentation. We reserve the right to add new fields at any time to provide new functionality without affecting existing API clients.",
    "termsOfService": "https://www.fortanix.com/legal/terms/",
    "contact": {
      "name": "Fortanix Support",
      "url": "https://support.fortanix.com/",
      "email": "support@fortanix.com"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
    },
    "version": "0.1.0-20260526"
  },
  "servers": [
    {
      "url": "https://amer.smartkey.io"
    }
  ],
  "paths": {
    "/crypto/v1/keys/batch/decrypt": {
      "post": {
        "operationId": "BatchDecrypt",
        "tags": [
          "Crypto"
        ],
        "security": [
          {
            "bearerToken": []
          },
          {
            "apiKeyAuth": []
          }
        ],
        "summary": "Batch decrypt with one or more keys.",
        "description": "The order of batch items in the response matches that of the request. An individual status code is returned\nfor each batch item, so check each item's `status` (and `error`, when present) rather than relying on the\noverall HTTP status alone.\n\n**Note** : Provide the key ID in the *`kid`* field. The *`key`* field within the *`request`* field should be omitted.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/BatchDecryptRequestItem"
                }
              }
            }
          }
        },
        "responses": {
          "2XX": {
            "description": "Success result",
            "content": {
              "application/json": {
                "schema": {
                  "type": "array",
                  "items": {
                    "$ref": "#/components/schemas/BatchDecryptResponseItem"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "BatchDecryptRequestItem": {
        "allOf": [
          {
            "type": "object",
            "description": "Request body of each item in batch decryption\n\n**Note** : Provide the key ID in the *`kid`* field. The *`key`* field within the *`request`* field should be omitted.",
            "properties": {
              "kid": {
                "type": "string",
                "format": "uuid",
                "description": "UUID of the sobject"
              },
              "request": {
                "$ref": "#/components/schemas/DecryptRequest"
              }
            },
            "required": [
              "kid",
              "request"
            ]
          }
        ]
      },
      "BatchDecryptResponseItem": {
        "oneOf": [
          {
            "title": "BatchDecryptResponseItemSuccess",
            "type": "object",
            "properties": {
              "status": {
                "type": "integer"
              },
              "body": {
                "$ref": "#/components/schemas/DecryptResponse"
              }
            }
          },
          {
            "title": "BatchDecryptResponseItemError",
            "type": "object",
            "properties": {
              "status": {
                "type": "integer"
              },
              "error": {
                "type": "string"
              }
            }
          }
        ]
      },
      "DecryptRequest": {
        "allOf": [
          {
            "type": "object",
            "description": "Request to decrypt data.",
            "properties": {
              "key": {
                "$ref": "#/components/schemas/SobjectDescriptor"
              },
              "alg": {
                "$ref": "#/components/schemas/Algorithm"
              },
              "cipher": {
                "type": "string",
                "format": "byte",
                "description": "Ciphertext bytes to be decrypted.\n\nNote that when performing format-preserving decryption (i.e.,\ndetokenization), the ciphertext should be encoded as UTF-8 bytes."
              },
              "mode": {
                "$ref": "#/components/schemas/CryptMode"
              },
              "iv": {
                "type": "string",
                "format": "byte",
                "description": "The initialization vector to use, required for modes that take IVs\n(and irrelevant otherwise)."
              },
              "ad": {
                "type": "string",
                "format": "byte",
                "description": "The authenticated data to use. This is only applicable when using\nauthenticated decryption modes (like GCM or CCM)."
              },
              "tag": {
                "type": "string",
                "format": "byte",
                "description": "The authentication tag, relevant for authenticated encryption modes\n(i.e., GCM or CCM), and otherwise irrelevant."
              },
              "masked": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether to return a masked result when detokenizing (i.e., when\ndecrypting using the FF1/FPE mode). Defaults to false.\n\nThis field is only useful if the app has the `DECRYPT` permission.\nIn such situations, when this field is `true`, decryption returns\nmasked output. However, with the `MASKDECRYPT` permission, this field\nis ignored and detokenization will always return the masked output."
              },
              "label": {
                "type": "string",
                "format": "byte",
                "description": "The optional label to use. Currently this field only serves as the\nrsa_oaep_label when the decryption algorithm is RSA and the mode is\nOaep. For other modes, providing this field causes a bad request error."
              }
            },
            "required": [
              "cipher"
            ]
          }
        ]
      },
      "DecryptResponse": {
        "allOf": [
          {
            "type": "object",
            "description": "Response of a decryption request.",
            "properties": {
              "kid": {
                "type": "string",
                "format": "uuid",
                "nullable": true,
                "description": "The ID of the key used for decryption. Returned for non-transient keys."
              },
              "plain": {
                "type": "string",
                "format": "byte",
                "description": "Decrypted plaintext bytes.\n\nNote that when performing format-preserving decryption (i.e.,\ndetokenization), the plaintext is encoded as UTF-8 bytes."
              }
            },
            "required": [
              "plain"
            ]
          }
        ]
      },
      "SobjectDescriptor": {
        "description": "Uniquely identifies a persisted or transient sobject.",
        "oneOf": [
          {
            "title": "SobjectDescriptorVariantKid",
            "type": "object",
            "properties": {
              "kid": {
                "type": "string",
                "format": "uuid"
              }
            },
            "required": [
              "kid"
            ]
          },
          {
            "title": "SobjectDescriptorVariantName",
            "type": "object",
            "properties": {
              "name": {
                "type": "string",
                "maxLength": 4096,
                "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$"
              }
            },
            "required": [
              "name"
            ]
          },
          {
            "title": "SobjectDescriptorVariantTransientKey",
            "type": "object",
            "properties": {
              "transient_key": {
                "type": "string",
                "format": "byte"
              }
            },
            "required": [
              "transient_key"
            ]
          },
          {
            "title": "SobjectDescriptorVariantInline",
            "type": "object",
            "properties": {
              "inline": {
                "$ref": "#/components/schemas/SobjectDescriptorInline"
              }
            },
            "required": [
              "inline"
            ]
          }
        ]
      },
      "Algorithm": {
        "description": "A cryptographic algorithm.",
        "type": "string",
        "enum": [
          "AES",
          "ARIA",
          "DES",
          "DES3",
          "SEED",
          "RSA",
          "DSA",
          "KCDSA",
          "EC",
          "ECKCDSA",
          "BIP32",
          "SLIP10",
          "BLS",
          "LMS",
          "XMSS",
          "MLDSA",
          "MLDSABETA",
          "MLKEM",
          "MLKEMBETA",
          "HMAC",
          "LEDABETA",
          "ROUND5BETA",
          "PBE"
        ]
      },
      "CryptMode": {
        "description": "`CipherMode` or `RsaEncryptionPadding`, depending on the encryption algorithm.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/CipherMode"
          },
          {
            "$ref": "#/components/schemas/RsaEncryptionPadding"
          }
        ]
      },
      "SobjectDescriptorInline": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "value": {
                "type": "string",
                "format": "byte"
              },
              "obj_type": {
                "$ref": "#/components/schemas/ObjectType"
              }
            },
            "required": [
              "value",
              "obj_type"
            ]
          }
        ]
      },
      "CipherMode": {
        "description": "Cipher mode used for symmetric key algorithms.",
        "type": "string",
        "enum": [
          "ECB",
          "CBC",
          "CBCNOPAD",
          "CFB",
          "OFB",
          "CTR",
          "GCM",
          "CCM",
          "KW",
          "KWP",
          "FF1"
        ]
      },
      "RsaEncryptionPadding": {
        "description": "Type of padding to use for RSA encryption. The use of PKCS#1 v1.5 padding is strongly\ndiscouraged, because of its susceptibility to Bleichenbacher's attack. The padding specified\nmust adhere to the key's encryption policy. If not specified, the default based on the key's\npolicy will be used.",
        "oneOf": [
          {
            "title": "RsaEncryptionPaddingVariantOaep",
            "type": "object",
            "properties": {
              "OAEP": {
                "$ref": "#/components/schemas/RsaEncryptionPaddingOaep"
              }
            },
            "required": [
              "OAEP"
            ]
          },
          {
            "title": "RsaEncryptionPaddingVariantPkcs1V15",
            "type": "object",
            "properties": {
              "PKCS1_V15": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "PKCS1_V15"
            ]
          },
          {
            "title": "RsaEncryptionPaddingVariantRawDecrypt",
            "type": "object",
            "properties": {
              "RAW_DECRYPT": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "RAW_DECRYPT"
            ]
          }
        ]
      },
      "ObjectType": {
        "description": "Type of security object.",
        "type": "string",
        "enum": [
          "AES",
          "ARIA",
          "DES",
          "DES3",
          "SEED",
          "RSA",
          "DSA",
          "EC",
          "KCDSA",
          "ECKCDSA",
          "BIP32",
          "SLIP10",
          "BLS",
          "OPAQUE",
          "HMAC",
          "LEDABETA",
          "ROUND5BETA",
          "SECRET",
          "LMS",
          "XMSS",
          "MLDSA",
          "MLDSABETA",
          "MLKEM",
          "MLKEMBETA",
          "CERTIFICATE",
          "PBE"
        ]
      },
      "RsaEncryptionPaddingOaep": {
        "allOf": [
          {
            "type": "object",
            "description": "Optimal Asymmetric Encryption Padding (PKCS#1 v2.1).",
            "properties": {
              "mgf": {
                "$ref": "#/components/schemas/Mgf"
              }
            },
            "required": [
              "mgf"
            ]
          }
        ]
      },
      "Mgf": {
        "description": "Specifies the Mask Generating Function (MGF) to use.",
        "oneOf": [
          {
            "title": "MgfVariantMgf1",
            "type": "object",
            "properties": {
              "mgf1": {
                "$ref": "#/components/schemas/MgfMgf1"
              }
            },
            "required": [
              "mgf1"
            ]
          }
        ]
      },
      "MgfMgf1": {
        "allOf": [
          {
            "type": "object",
            "description": "MGF1 algorithm",
            "properties": {
              "hash": {
                "$ref": "#/components/schemas/DigestAlgorithm"
              }
            },
            "required": [
              "hash"
            ]
          }
        ]
      },
      "DigestAlgorithm": {
        "description": "A hash algorithm.",
        "type": "string",
        "enum": [
          "BLAKE2B256",
          "BLAKE2B384",
          "BLAKE2B512",
          "BLAKE2S256",
          "RIPEMD160",
          "SSL3",
          "SHA1",
          "SHA224",
          "SHA256",
          "SHA384",
          "SHA512",
          "STREEBOG256",
          "STREEBOG512",
          "SHA3_224",
          "SHA3_256",
          "SHA3_384",
          "SHA3_512"
        ]
      }
    }
  }
}
````

