Decrypt
Decrypts ciphertext. Supports bulk operations.
To decrypt ciphertext, the request must include the scope used when the ciphertext was encrypted. By default, only ciphertext considered active is decrypted. Ciphertext is considered active when its metadata expiration property is for the current or a future date. If options is set to archived, the ciphertext is only decrypted if its metadata expiration property is for a date in the past.
By default, all property values from the ciphertext are returned. Use props to return a subset of the encrypted property values.
If any request details are invalid, none of the ciphertexts are decrypted.
The role performing this operation must have both of these:
- The
CapCryptoDecryptercapability. - At least one allowing policy and no denying policies for the
decryptoperation for each of the collection properties specified in the call.
See identity and access management for more information about how Vault uses capabilities to control access to operations and policies to control access to data.
Request
Header parameters
X-Tenant-Id- array of stringsList of tenant IDs to enforce on the request.
Path parameters
collection- string required*The name of a collection.
Query parameters
options- array of stringsOptions for the operation. Options include:
archived– whether to decrypt only archived objects. If not specified, decrypts only active objects.include_metadata- show the encrypted object metadata.
Option for the operation.
adhoc_reason- stringAn ad-hoc reason for accessing the Vault data. Required when
reasonis set toOther.reason- string required*Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false.
custom_audit- stringCustom audit information to be included in the audit log.
reload_cache- booleanReloads the cache before the action.
Request body
Details of the decryption request.
- application/json
encrypted_object- object required*An encrypted object.
ciphertext- string required*The encrypted object base64 cipher text.
scope- stringThe scope used to encrypt the object. By default, it uses the scope of the encrypted object.
props- array of stringsThe list of property names and transformers to include in the decrypted object. If not set, return all encrypted property values.
Each string:
[
{
"encrypted_object": "...",
"props": [
"phone_number",
"email"
]
}
]
Possible responses
- 200
- 400
- 401
- 403
- 404
- 405
- 409
- 410
- 500
- 503
The request is successful.
- application/json
fields- object required*A list of maps of object properties and their values.
Example{
"date_of_birth": "1993-02-22",
"email": "patfar@example.com",
"first_name": "Pat",
"last_name": "Far",
"phone_number": "+11011010101"
}metadata- objecttype- string required*The type of the encryption:
randomized- generates a different randomized unpredictable, non-repeating ciphertext each time.deterministic- generates the ciphertext deterministically based on the collection name, input object, and scope. Defaults torandomizedif not set.
scope- string required*The scope of the tokens.
expiration- stringEffective expiry time of the encrypted object (UTC).
tags- array of strings required*Tags associated with the encrypted object.
Each string:
[
{
"fields": {
"date_of_birth": "1993-02-22",
"email": "patfar@example.com",
"first_name": "Pat",
"last_name": "Far",
"phone_number": "+11011010101"
},
"metadata": {
"type": "randomized",
"scope": "default",
"expiration": "2019-08-24T14:15:22Z",
"tags": [
"credit_cards"
]
}
}
]
The request is invalid.
- application/json
context- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code- string required*The error code.
message- string required*The error message.
error_url- stringThe URL to the error documentation.
{
"error_code": "PV1001",
"message": "The access reason is missing.",
"context": {
"reason": null
}
}
Authentication credentials are incorrect or missing.
- application/json
context- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code- string required*The error code.
message- string required*The error message.
error_url- stringThe URL to the error documentation.
{
"error_code": "PV1005",
"message": "The request is unauthorized.",
"context": {}
}
The caller doesn't have the required access rights.
- application/json
context- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code- string required*The error code.
message- string required*The error message.
error_url- stringThe URL to the error documentation.
{
"error_code": "PV1007",
"message": "The operation is forbidden due to missing capabilities.",
"context": {
"username": "WebServer"
}
}
The collection or properties aren't found.
- application/json
context- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code- string required*The error code.
message- string required*The error message.
error_url- stringThe URL to the error documentation.
{
"objectid": "credit_cadr",
"error_code": "PV3003",
"message": "One or more values are invalid."
}
The operation is not allowed.
- application/json
context- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code- string required*The error code.
message- string required*The error message.
error_url- stringThe URL to the error documentation.
{
"error_code": "PV1026",
"message": "The operation is not allowed in in-memory mode.",
"context": {}
}
A conflict occurs.
- application/json
context- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code- string required*The error code.
message- string required*The error message.
error_url- stringThe URL to the error documentation.
{
"error_code": "PV3218",
"message": "Concurrent conflicting updates to the same object.",
"context": {}
}
Access to a resource that is no longer available occurs.
- application/json
context- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code- string required*The error code.
message- string required*The error message.
error_url- stringThe URL to the error documentation.
{
"error_code": "PV1033",
"message": "The resource is gone.",
"context": {}
}
An error occurs on the server.
- application/json
context- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code- string required*The error code.
message- string required*The error message.
error_url- stringThe URL to the error documentation.
{
"error_code": "PV1000",
"message": "Something went wrong",
"context": {}
}
The service is unavailable.
- application/json
context- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code- string required*The error code.
message- string required*The error message.
error_url- stringThe URL to the error documentation.
{
"error_code": "PV1009",
"message": "The operation timed out on the server.",
"context": {}
}
Path parameters
Query parameters
Headers
Request body
Code examples