Decrypt data using a symmetric or asymmetric key.

  • Published on Jul 8, 2025
  • 2 minute(s) read
Prev Next
Post
/crypto/v1/decrypt

For symmetric ciphers, mode (the block cipher mode) is a required field. For GCM and CCM modes, tag_len is a required field. iv is required for symmetric ciphers and unused for asymmetric ciphers. If the mode requires one, the request must contain the initialization vector used when the data was encrypted. Objects of type Opaque, EC, or HMAC may not be used with this API.

Security
HTTP
Type bearer
API Key: apiKeyAuth
Header parameter nameAuthorization
Body parameters
Expand All
object
key

Uniquely identifies a persisted or transient sobject.

OneOf
SobjectDescriptorVariantKid
object (SobjectDescriptorVariantKid)
kid
string (uuid) Required
SobjectDescriptorVariantName
object (SobjectDescriptorVariantName)
name
string Required
Max length4096
Pattern^[^\n]*[^\s\n][^\n]*$
SobjectDescriptorVariantTransientKey
object (SobjectDescriptorVariantTransientKey)
transient_key
string (byte) Required
SobjectDescriptorVariantInline
object (SobjectDescriptorVariantInline)
inline
object Required
value
string (byte) Required
obj_type
string Required

Type of security object.

Valid values[ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
alg
string

A cryptographic algorithm.

Valid values[ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "KCDSA", "EC", "ECKCDSA", "BIP32", "BLS", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "HMAC", "LEDABETA", "ROUND5BETA", "PBE" ]
cipher
string (byte) Required

Ciphertext bytes to be decrypted.

Note that when performing format-preserving decryption (i.e., detokenization), the ciphertext should be encoded as UTF-8 bytes.

mode

CipherMode or RsaEncryptionPadding, depending on the encryption algorithm.

OneOf
string
string
Valid values[ "ECB", "CBC", "CBCNOPAD", "CFB", "OFB", "CTR", "GCM", "CCM", "KW", "KWP", "FF1" ]
object
OneOf
RsaEncryptionPaddingVariantOaep
object (RsaEncryptionPaddingVariantOaep)
OAEP
object Required
mgf

Specifies the Mask Generating Function (MGF) to use.

OneOf
MgfVariantMgf1
object (MgfVariantMgf1)
mgf1
object Required
hash
string Required

A hash algorithm.

Valid values[ "BLAKE2B256", "BLAKE2B384", "BLAKE2B512", "BLAKE2S256", "RIPEMD160", "SSL3", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "STREEBOG256", "STREEBOG512", "SHA3_224", "SHA3_256", "SHA3_384", "SHA3_512" ]
RsaEncryptionPaddingVariantPkcs1V15
object (RsaEncryptionPaddingVariantPkcs1V15)
PKCS1_V15
object Required
RsaEncryptionPaddingVariantRawDecrypt
object (RsaEncryptionPaddingVariantRawDecrypt)
RAW_DECRYPT
object Required
iv
string (byte)

The initialization vector to use, required for modes that take IVs (and irrelevant otherwise).

ad
string (byte)

The authenticated data to use. This is only applicable when using authenticated decryption modes (like GCM or CCM).

tag
string (byte)

The authentication tag, relevant for authenticated encryption modes (i.e., GCM or CCM), and otherwise irrelevant.

masked
boolean | null

Whether to returned a masked result when detokenizing (i.e., when decrypting using the FF1/FPE mode). Defaults to false.

This field is only useful if the app has the DECRYPT permission. In such situations, when this field is true, decryption returns masked output. However, with the MASKDECRYPT permission, this field is ignored and detokenization will always return the masked output.

label
string (byte)

The optional label to use. Currently this field only serves as the rsa_oaep_label when the decryption algorithm is RSA and the mode is Oaep. For other modes, providing this field causes a bad request error.

Responses
2XX

Success result

object
kid
string (uuid) | null

The ID of the key used for decryption. Returned for non-transient keys.

plain
string (byte)

Decrypted plaintext bytes.

Note that when performing format-preserving decryption (i.e., detokenization), the plaintext is encoded as UTF-8 bytes.