
General Information

Policy Type

policy-decryption

Description

The decryption policy decrypts encrypted data using cryptographic keys. It reads encrypted data from source variables, decrypts it using the specified cipher algorithm, and stores the decrypted data in target variables. This policy provides data confidentiality capabilities by reversing encryption operations.

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

| Header | Value |
| --- | --- |
| Authorization | Bearer {token} |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |

Response

Success Response (200 OK)

{
  "status": "SUCCESS",
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-decryption",
            "name": "decryption-policy",
            "description": "Decrypt encrypted data",
            "active": true
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

| Header | Value | Required |
| --- | --- | --- |
| Authorization | Bearer {token} | Yes |
| Content-Type | application/json | Yes |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name (unique identifier) |

Request Body

Important: The request body must follow the PolicyOperationDTO structure with separate operationMetadata and policy objects. See Add Policy for the general structure.

Full JSON Body Example - Basic Decryption

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["tester"],
    "order": 1
  },
  "policy": {
    "type": "policy-decryption",
    "description": "Decrypt encrypted data",
    "active": true,
    "decryptionDefList": [
      {
        "description": "Decrypt request body",
        "sourceVar": {
          "name": "encryptedBody",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "targetVar": {
          "name": "decryptedBody",
          "type": "BODY",
          "dataType": "STRING"
        },
        "cipherAlgorithm": "AES_CBC_PKCS5Padding",
        "keyName": "my-aes-key",
        "keyCertificateType": "KEY",
        "ivExists": true,
        "ivVar": {
          "name": "iv",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "ivEncodingType": "BASE64",
        "inputEncodingType": "BASE64"
      }
    ]
  }
}

Full JSON Body Example - Dynamic Cipher Algorithm

{
  "operationMetadata": {
    "targetScope": "ENDPOINT",
    "targetEndpoint": "/api/data",
    "targetEndpointHTTPMethod": "POST",
    "targetPipeline": "REQUEST",
    "deploy": false,
    "deployTargetEnvironmentNameList": [],
    "order": 1
  },
  "policy": {
    "type": "policy-decryption",
    "description": "Decrypt with dynamic algorithm",
    "active": true,
    "decryptionDefList": [
      {
        "description": "Decrypt with algorithm from variable",
        "sourceVar": {
          "name": "encryptedData",
          "type": "HEADER",
          "headerName": "X-Encrypted-Data",
          "dataType": "STRING"
        },
        "targetVar": {
          "name": "decryptedData",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "cipherAlgorithm": null,
        "cipherAlgorithmVar": {
          "name": "algorithm",
          "type": "HEADER",
          "headerName": "X-Cipher-Algorithm",
          "dataType": "STRING"
        },
        "keyName": "my-aes-key",
        "keyCertificateType": "KEY",
        "ivExists": true,
        "ivVar": {
          "name": "iv",
          "type": "HEADER",
          "headerName": "X-IV",
          "dataType": "STRING"
        },
        "ivEncodingType": "BASE64",
        "inputEncodingType": "BASE64"
      }
    ]
  }
}

Full JSON Body Example - Multiple Decryption Definitions

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": false,
    "deployTargetEnvironmentNameList": [],
    "order": 1
  },
  "policy": {
    "type": "policy-decryption",
    "description": "Decrypt multiple fields",
    "active": true,
    "decryptionDefList": [
      {
        "description": "Decrypt request body",
        "sourceVar": {
          "name": "encryptedBody",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "targetVar": {
          "name": "decryptedBody",
          "type": "BODY",
          "dataType": "STRING"
        },
        "cipherAlgorithm": "AES_CBC_PKCS5Padding",
        "keyName": "my-aes-key",
        "keyCertificateType": "KEY",
        "ivExists": true,
        "ivVar": {
          "name": "iv",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "ivEncodingType": "BASE64",
        "inputEncodingType": "BASE64"
      },
      {
        "description": "Decrypt header value",
        "sourceVar": {
          "name": "encryptedHeader",
          "type": "HEADER",
          "headerName": "X-Encrypted-Header",
          "dataType": "STRING"
        },
        "targetVar": {
          "name": "decryptedHeader",
          "type": "HEADER",
          "headerName": "X-Decrypted-Header",
          "dataType": "STRING"
        },
        "cipherAlgorithm": "RSA_ECB_PKCS1Padding",
        "certificateName": "my-rsa-cert",
        "keyCertificateType": "CERTIFICATE",
        "ivExists": false,
        "ivVar": null,
        "ivEncodingType": null,
        "inputEncodingType": "BASE64"
      }
    ]
  }
}

Request Body Fields

The request body has two top-level fields:

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| operationMetadata | object | Yes | Operation metadata. See Policy Operation Metadata |
| policy | object | Yes | Policy configuration (see below) |

Policy Object Fields

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| type | string | Yes | - | Must be "policy-decryption" |
| description | string | No | - | Policy description |
| active | boolean | No | true | Whether the policy is active |
| policyCondition | object | No | null | Policy condition. See Policy Condition |
| errorMessageList | array | No | [] | List of error messages. See Error Messages |
| decryptionDefList | array | Yes | - | List of decryption definitions. See Decryption Definition |

Decryption Definition (decryptionDefList)

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| description | string | No | - | Definition description |
| sourceVar | object | Yes | - | Source variable containing encrypted data |
| targetVar | object | Yes | - | Target variable for decrypted data |
| cipherAlgorithm | string | No | null | Cipher algorithm (if static). See EnumCipherAlgorithm |
| cipherAlgorithmVar | object | No | null | Variable containing cipher algorithm name (if dynamic) |
| keyName | string | No | null | Key name (for symmetric algorithms or asymmetric with KEY type). Resolved by name. |
| certificateName | string | No | null | Certificate name (for asymmetric algorithms with CERTIFICATE type). Resolved by name. |
| keyCertificateType | string | No | KEY | Key/certificate type. See EnumKeyCertificateType |
| ivExists | boolean | No | false | Whether initialization vector (IV) exists |
| ivVar | object | No | null | Variable containing IV (if ivExists=true) |
| ivEncodingType | string | No | null | IV encoding type (if ivExists=true). See EnumEncodingType |
| inputEncodingType | string | Yes | - | Input encoding type of encrypted data. See EnumEncodingType |

EnumCipherAlgorithm (cipherAlgorithm)

Symmetric Algorithms:
  • AES_CBC_NoPadding - AES/CBC/NoPadding
  • AES_CBC_PKCS5Padding - AES/CBC/PKCS5Padding (requires IV)
  • AES_ECB_NoPadding - AES/ECB/NoPadding
  • AES_ECB_PKCS5Padding - AES/ECB/PKCS5Padding
  • DES_CBC_NoPadding - DES/CBC/NoPadding
  • DES_CBC_PKCS5Padding - DES/CBC/PKCS5Padding (requires IV)
  • DES_ECB_NoPadding - DES/ECB/NoPadding
  • DES_ECB_PKCS5Padding - DES/ECB/PKCS5Padding
  • DESede_CBC_NoPadding - DESede/CBC/NoPadding
  • DESede_CBC_PKCS5Padding - DESede/CBC/PKCS5Padding (requires IV)
  • DESede_ECB_NoPadding - DESede/ECB/NoPadding
  • DESede_ECB_PKCS5Padding - DESede/ECB/PKCS5Padding
Asymmetric Algorithms:
  • RSA_ECB_PKCS1Padding - RSA/ECB/PKCS1Padding
  • RSA_ECB_OAEPWithSHA_1AndMGF1Padding - RSA/ECB/OAEPWithSHA-1AndMGF1Padding
  • RSA_ECB_OAEPWithSHA_256AndMGF1Padding - RSA/ECB/OAEPWithSHA-256AndMGF1Padding

EnumEncodingType (inputEncodingType, ivEncodingType)

  • BASE64 - Base64 encoding
  • HEXADECIMAL - Hexadecimal encoding

EnumKeyCertificateType (keyCertificateType)

  • KEY - Use cryptographic key (from keyName)
  • CERTIFICATE - Use certificate (from certificateName)

Variable Object (sourceVar, targetVar, ivVar, cipherAlgorithmVar)

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Variable name |
| type | string | Yes | Variable type |
| headerName | string | No* | Header name (required if type=HEADER) |
| paramName | string | No* | Parameter name (required if type=PARAMETER) |
| jsonPathValue | string | No* | JsonPath expression (required if type=BODY for JSON) |
| xpathValue | string | No* | XPath expression (required if type=BODY for XML) |
| contextValue | string | No* | Context value (required if type=CONTEXT_VALUES) |
| dataType | string | Yes | Data type |

Variable Types

  • HEADER - Extract from HTTP header
  • PARAMETER - Extract from query/path/form parameter
  • BODY - Extract from request/response body (XML, JSON, or raw)
  • CONTEXT_VALUES - Extract from system context values
  • CUSTOM - Extract using custom script

Response

Success Response (200 OK)

{
  "status": "SUCCESS",
  "resultList": null,
  "resultCount": null,
  "deploymentResult": null
}

Error Response (400 Bad Request)

{
  "status": "FAILURE",
  "resultMessage": "decryptionDefList cannot be empty"
}

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Same as Add Policy. All fields can be updated.

Response

Same as Add Policy.

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

| Header | Value | Required |
| --- | --- | --- |
| Authorization | Bearer {token} | Yes |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |

Response

Success Response (200 OK)

{
  "status": "SUCCESS",
  "resultList": null,
  "resultCount": null,
  "deploymentResult": null
}

cURL Examples

Example 1: Add Basic Decryption Policy

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/decryption-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["tester"],
      "order": 1
    },
    "policy": {
      "type": "policy-decryption",
      "description": "Decrypt encrypted data",
      "active": true,
      "decryptionDefList": [
        {
          "sourceVar": {
            "name": "encryptedBody",
            "type": "CONTEXT_VALUES",
            "dataType": "STRING"
          },
          "targetVar": {
            "name": "decryptedBody",
            "type": "BODY",
            "dataType": "STRING"
          },
          "cipherAlgorithm": "AES_CBC_PKCS5Padding",
          "keyName": "my-aes-key",
          "keyCertificateType": "KEY",
          "ivExists": true,
          "ivVar": {
            "name": "iv",
            "type": "CONTEXT_VALUES",
            "dataType": "STRING"
          },
          "ivEncodingType": "BASE64",
          "inputEncodingType": "BASE64"
        }
      ]
    }
  }'

Example 2: Update Decryption Policy

curl -X PUT \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/decryption-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["tester"],
      "order": 1
    },
    "policy": {
      "type": "policy-decryption",
      "description": "Updated decryption policy",
      "active": true,
      "decryptionDefList": [
        {
          "sourceVar": {
            "name": "encryptedBody",
            "type": "CONTEXT_VALUES",
            "dataType": "STRING"
          },
          "targetVar": {
            "name": "decryptedBody",
            "type": "BODY",
            "dataType": "STRING"
          },
          "cipherAlgorithm": "AES_CBC_PKCS5Padding",
          "keyName": "my-new-aes-key",
          "keyCertificateType": "KEY",
          "ivExists": true,
          "ivVar": {
            "name": "iv",
            "type": "CONTEXT_VALUES",
            "dataType": "STRING"
          },
          "ivEncodingType": "BASE64",
          "inputEncodingType": "BASE64"
        }
      ]
    }
  }'

Example 3: Delete Decryption Policy

curl -X DELETE \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/decryption-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN"

Notes and Warnings

  • Cipher Algorithm:
    • Can be specified statically via cipherAlgorithm or dynamically via cipherAlgorithmVar
    • If both are null, decryption will be skipped (data returned as-is)
    • Algorithm must match the one used for encryption
  • Initialization Vector (IV):
    • Required for CBC mode algorithms
    • Set ivExists: true if IV is present
    • IV must be provided in ivVar with correct ivEncodingType
    • IV encoding must match the encoding used during encryption
    • ECB mode algorithms do not require IV
  • Input Encoding:
    • Must match the output encoding used during encryption
    • BASE64 - For Base64-encoded encrypted data
    • HEXADECIMAL - For hexadecimal-encoded encrypted data
  • Key/Certificate Management:
    • Keys must be configured in Key Store before use
    • Certificates must be configured in Certificate Store before use
    • Use keyCertificateType to specify key or certificate source
    • Specify the key or certificate by name; the system resolves it to the corresponding ID automatically
    • Key/certificate must match the one used for encryption
    • Keys and certificates are referenced by name (keyName, certificateName)
  • Variable Types:
    • Source and target variables can be from headers, parameters, body, or context
    • Use appropriate variable types based on data location
    • Encrypted data is typically stored in context or headers
  • Multiple Definitions:
    • Multiple decryption definitions can be configured in one policy
    • Each definition decrypts a different source variable
    • Definitions are executed in order
  • Decryption Order:
    • Decryption should be performed before other policies that need plaintext data
    • Consider policy order when configuring decryption policies
  • Error Handling:
    • Decryption failures will throw exceptions
    • Configure error messages for better error handling
    • Invalid keys or algorithms will cause decryption to fail
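
The rules in the field tables and the notes above can be checked offline before a body is sent to the Add or Update endpoint. The following is an added example, not Apinizer code or part of the original page; `lint_decryption_policy`, its finding strings and the constructed `SAMPLE` body are assumptions made for illustration.

```python
# Added example (not Apinizer code): offline checks for a policy-decryption
# request body, using only rules stated on this page. Names are hypothetical.
ENCODINGS = {"BASE64", "HEXADECIMAL"}

def lint_decryption_policy(body):
    """Return a list of findings for a PolicyOperationDTO-shaped dict."""
    findings = []
    if not body.get("operationMetadata"):
        findings.append("operationMetadata is required")
    policy = body.get("policy") or {}
    if policy.get("type") != "policy-decryption":
        findings.append("policy.type must be policy-decryption")
    defs = policy.get("decryptionDefList") or []
    if not defs:
        findings.append("decryptionDefList cannot be empty")
    for i, d in enumerate(defs):
        where = f"decryptionDefList[{i}]"
        for field in ("sourceVar", "targetVar"):
            if not d.get(field):
                findings.append(f"{where}: {field} is required")
        if d.get("inputEncodingType") not in ENCODINGS:
            findings.append(f"{where}: inputEncodingType must be BASE64 or HEXADECIMAL")
        alg, alg_var = d.get("cipherAlgorithm"), d.get("cipherAlgorithmVar")
        if alg is None and alg_var is None:
            # Per the notes, the data would be returned as-is, still encrypted.
            findings.append(f"{where}: no algorithm set, decryption would be skipped")
        elif alg is None and alg_var.get("type") in ("HEADER", "PARAMETER"):
            findings.append(f"{where}: algorithm comes from request {alg_var['type']}")
        if alg and "_CBC_" in alg and not (d.get("ivExists") and d.get("ivVar")):
            findings.append(f"{where}: {alg} needs ivExists=true and ivVar")
        if d.get("ivExists") and d.get("ivEncodingType") not in ENCODINGS:
            findings.append(f"{where}: ivEncodingType is required when ivExists=true")
        kind = d.get("keyCertificateType") or "KEY"  # documented default is KEY
        name_field = "certificateName" if kind == "CERTIFICATE" else "keyName"
        if not d.get(name_field):
            findings.append(f"{where}: keyCertificateType={kind} needs {name_field}")
    return findings

# Constructed sample: two definitions that break rules from the notes.
VAR = {"name": "v", "type": "CONTEXT_VALUES", "dataType": "STRING"}
BASE = {"sourceVar": VAR, "targetVar": VAR, "inputEncodingType": "BASE64", "keyName": "my-aes-key"}
SAMPLE = {"operationMetadata": {"targetScope": "ALL", "targetPipeline": "REQUEST"},
          "policy": {"type": "policy-decryption", "decryptionDefList": [
              {**BASE, "cipherAlgorithm": "AES_CBC_PKCS5Padding",
               "keyCertificateType": "CERTIFICATE", "ivExists": False},
              dict(BASE)]}}

if __name__ == "__main__":
    print("\n".join(lint_decryption_policy(SAMPLE)))
```

The request-input finding flags definitions shaped like the Dynamic Cipher Algorithm example, where the algorithm name is read from the X-Cipher-Algorithm header, so that the choice is reviewed rather than rejected.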

Permissions

The user must have API_MANAGEMENT + MANAGE permission in the project. For deployment operations (when deploy: true is set), the user must also have API_MANAGEMENT + DEPLOY_UNDEPLOY permission.