Encrypt data using a symmetric or asymmetric key.

POST /crypto/v1/encrypt

For symmetric ciphers, mode (the block cipher mode) is a required field. For GCM and CCM modes, tag_len is a required field. iv is optional for symmetric ciphers and unused for asymmetric ciphers. If provided, it will be used as the cipher initialization vector. The length of iv must match the initialization vector size for the cipher and mode. If not provided, a random iv of the correct length is created and returned in the response. Objects of type Opaque, EC, or HMAC may not be used with this API.

Security
HTTP
Type bearer
API Key: apiKeyAuth
Header parameter name: Authorization
Body parameters
object
key

Uniquely identifies a persisted or transient sobject.

OneOf
SobjectDescriptorVariantKid
object (SobjectDescriptorVariantKid)
kid
string (uuid) Required
SobjectDescriptorVariantName
object (SobjectDescriptorVariantName)
name
string Required
Max length: 4096
Pattern: ^[^\n]*[^\s\n][^\n]*$
SobjectDescriptorVariantTransientKey
object (SobjectDescriptorVariantTransientKey)
transient_key
string (byte) Required
SobjectDescriptorVariantInline
object (SobjectDescriptorVariantInline)
inline
object Required
value
string (byte) Required
obj_type
string Required

Type of security object.

Valid values: [ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
alg
string Required

A cryptographic algorithm.

Valid values: [ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "KCDSA", "EC", "ECKCDSA", "BIP32", "BLS", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "HMAC", "LEDABETA", "ROUND5BETA", "PBE" ]
plain
string (byte) Required

Plaintext bytes to be encrypted.

Note that when performing format-preserving encryption (i.e., tokenization), the plaintext should be encoded as UTF-8 bytes.

mode

CipherMode or RsaEncryptionPadding, depending on the encryption algorithm.

OneOf
string
string
Valid values: [ "ECB", "CBC", "CBCNOPAD", "CFB", "OFB", "CTR", "GCM", "CCM", "KW", "KWP", "FF1" ]
object
OneOf
RsaEncryptionPaddingVariantOaep
object (RsaEncryptionPaddingVariantOaep)
OAEP
object Required
mgf

Specifies the Mask Generating Function (MGF) to use.

OneOf
MgfVariantMgf1
object (MgfVariantMgf1)
mgf1
object Required
hash
string Required

A hash algorithm.

Valid values: [ "BLAKE2B256", "BLAKE2B384", "BLAKE2B512", "BLAKE2S256", "RIPEMD160", "SSL3", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "STREEBOG256", "STREEBOG512", "SHA3_224", "SHA3_256", "SHA3_384", "SHA3_512" ]
RsaEncryptionPaddingVariantPkcs1V15
object (RsaEncryptionPaddingVariantPkcs1V15)
PKCS1_V15
object Required
RsaEncryptionPaddingVariantRawDecrypt
object (RsaEncryptionPaddingVariantRawDecrypt)
RAW_DECRYPT
object Required
iv
string (byte)

The initialization vector to use. This is only applicable to modes that take IVs, and will be randomly generated if not specified.

ad
string (byte)

The authenticated data to use. This is only applicable when using authenticated encryption modes (like GCM or CCM).

tag_len
integer | null

The length of the authentication tag, in bits, for authenticated encryption modes (i.e., GCM or CCM). For other modes, this field is irrelevant.

label
string (byte)

The optional label to use. Currently this field only serves as the rsa_oaep_label when the encryption algorithm is RSA and the mode is OAEP. For other modes, providing this field causes a bad request error.
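
Added example (not part of the original reference, and not the vendor's client code): a client-side builder for the request body that enforces the field rules described above before the call is made. It assumes string (byte) fields are base64-encoded, uses a constructed key name and plaintext, and groups the alg values into symmetric ciphers from general knowledge rather than from this page; rejecting iv for asymmetric algorithms is stricter than the page, which only says it is unused.

```python
import base64
import json

# Which "alg" values are symmetric ciphers is general cryptographic
# knowledge, not something the reference page states.
SYMMETRIC = {"AES", "ARIA", "DES", "DES3", "SEED"}
REJECTED = {"OPAQUE", "EC", "HMAC"}  # "may not be used with this API"
AEAD_MODES = {"GCM", "CCM"}


def b64(data: bytes) -> str:
    """Encode a 'string (byte)' field; base64 is an assumption here."""
    return base64.b64encode(data).decode("ascii")


def build_encrypt_request(key_name, alg, plain, mode=None, iv=None,
                          ad=None, tag_len=None, label=None):
    """Return the JSON body for POST /crypto/v1/encrypt or raise ValueError."""
    if alg in REJECTED:
        raise ValueError(f"{alg} objects may not be used with encrypt")
    symmetric = alg in SYMMETRIC
    aead = symmetric and mode in AEAD_MODES
    if symmetric and mode is None:
        raise ValueError("mode is required for symmetric ciphers")
    if aead and tag_len is None:
        raise ValueError("tag_len (in bits) is required for GCM and CCM")
    if iv is not None and not symmetric:
        # Stricter than the page: it says iv is "unused", we refuse it.
        raise ValueError("iv is unused for asymmetric ciphers")
    oaep = alg == "RSA" and isinstance(mode, dict) and "OAEP" in mode
    if label is not None and not oaep:
        raise ValueError("label is only accepted for RSA with OAEP")
    # Key referenced by name (the SobjectDescriptorVariantName form).
    body = {"key": {"name": key_name}, "alg": alg, "plain": b64(plain)}
    if mode is not None:
        body["mode"] = mode
    if aead:
        body["tag_len"] = tag_len
    for field, value in (("iv", iv), ("ad", ad), ("label", label)):
        if value is not None:
            body[field] = b64(value)
    return body


# Constructed sample: AES-GCM, 128-bit tag, IV left for the service to generate.
SAMPLE = build_encrypt_request("example-key", "AES", b"example plaintext",
                               mode="GCM", ad=b"tenant=42", tag_len=128)

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
```

Omitting iv lets the service generate a random one; store the iv and tag from the response alongside cipher, since both are needed to decrypt.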

Responses
2XX

Success result

object
kid
string (uuid) | null

The ID of the key used for encryption. Returned for non-transient keys.

cipher
string (byte)

Encrypted ciphertext bytes.

Note that when performing format-preserving encryption (i.e., tokenization), the ciphertext is encoded as UTF-8 bytes.

iv
string (byte)

The initialization vector used during encryption. This is only applicable for certain symmetric encryption modes.

tag
string (byte)

When using the GCM or CCM modes, the tag is returned from authenticated encryption.