Batch encrypt with one or more keys.

Published on Jul 22, 2025

2 minute(s) read

Post

/crypto/v1/keys/batch/encrypt

The order of batch items in the response matches that of the request. An individual status code is returned for each batch item.

Note : Provide the key ID in the kid field. The key field within the request field should be omitted.

Security

HTTP

Type bearer

API Key: apiKeyAuth

Header parameter nameAuthorization

Body parameters

Array of object

object

kid

string (uuid) Required

UUID of the sobject

request

object Required

key

Uniquely identifies a persisted or transient sobject.

OneOf

SobjectDescriptorVariantKid

object (SobjectDescriptorVariantKid)

kid

string (uuid) Required

SobjectDescriptorVariantName

object (SobjectDescriptorVariantName)

name

string Required

Max length4096

Pattern^[^\n]*[^\s\n][^\n]*$

SobjectDescriptorVariantTransientKey

object (SobjectDescriptorVariantTransientKey)

transient_key

string (byte) Required

SobjectDescriptorVariantInline

object (SobjectDescriptorVariantInline)

inline

object Required

value

string (byte) Required

obj_type

string Required

Type of security object.

Valid values[ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]

alg

string Required

A cryptographic algorithm.

Valid values[ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "KCDSA", "EC", "ECKCDSA", "BIP32", "BLS", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "HMAC", "LEDABETA", "ROUND5BETA", "PBE" ]

plain

string (byte) Required

Plaintext bytes to be encrypted.

Note that when performing format-preserving encryption (i.e., tokenization), the plaintext should be encoded as UTF-8 bytes.

mode

CipherMode or RsaEncryptionPadding, depending on the encryption algorithm.

OneOf

string

Valid values[ "ECB", "CBC", "CBCNOPAD", "CFB", "OFB", "CTR", "GCM", "CCM", "KW", "KWP", "FF1" ]

object

OneOf

RsaEncryptionPaddingVariantOaep

object (RsaEncryptionPaddingVariantOaep)

OAEP

object Required

mgf

Specifies the Mask Generating Function (MGF) to use.

OneOf

MgfVariantMgf1

object (MgfVariantMgf1)

mgf1

object Required

hash

string Required

A hash algorithm.

Valid values[ "BLAKE2B256", "BLAKE2B384", "BLAKE2B512", "BLAKE2S256", "RIPEMD160", "SSL3", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "STREEBOG256", "STREEBOG512", "SHA3_224", "SHA3_256", "SHA3_384", "SHA3_512" ]

RsaEncryptionPaddingVariantPkcs1V15

object (RsaEncryptionPaddingVariantPkcs1V15)

PKCS1_V15

object Required

RsaEncryptionPaddingVariantRawDecrypt

object (RsaEncryptionPaddingVariantRawDecrypt)

RAW_DECRYPT

object Required

string (byte)

The initialization vector to use. This is only applicable to modes that take IVs, and will be randomly generated if not specified.

string (byte)

The authenticated data to use. This is only applicable when using authenticated encryption modes (like GCM or CCM).

tag_len

integer | null

The length of the authentication tag, in bits, for authenticated encryption modes (i.e., GCM or CCM). For other modes, this field is irrelevant.

label

string (byte)

The optional label to use. Currently this field only serves as the rsa_oaep_label when the encryption algorithm is RSA and the mode is Oaep. For other modes, providing this field causes a bad request error.

Responses

2XX

Success result

Expand All

Array

OneOf

BatchEncryptResponseItemSuccess

object (BatchEncryptResponseItemSuccess)

status

integer

body

object

kid

string (uuid) | null

The ID of the key used for encryption. Returned for non-transient keys.

cipher

string (byte)

Encrypted ciphertext bytes.

Note that when performing format-preserving encryption (i.e., tokenization), the ciphertext is encoded as UTF-8 bytes.

string (byte)

The initialization vector used during encryption. This is only applicable for certain symmetric encryption modes.

tag

string (byte)

When using the GCM or CCM modes, the tag is returned from authenticated encryption.

BatchEncryptResponseItemError

object (BatchEncryptResponseItemError)

status

integer

error

string

Was this article helpful?