
General Information

Policy Type

policy-decryption

UI Documentation

📖 For detailed information: [UI Documentation Link - Link will be added here]

Description

Decryption policy decrypts encrypted data using cryptographic keys. It reads encrypted data from source variables, decrypts them using specified cipher algorithms, and stores the decrypted data in target variables. This policy provides data confidentiality capabilities by reversing encryption operations.

⚠️ Implementation Status: This policy is currently not implemented in Management API. This policy cannot be created or managed through the Management API at this time. This documentation is provided for reference purposes and will be updated when full API support is added in a future release.

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

| Header | Value |
| --- | --- |
| Authorization | Bearer {token} |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-decryption",
            "name": "decryption-policy",
            "description": "Decrypt encrypted data",
            "active": true
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

| Header | Value | Required |
| --- | --- | --- |
| Authorization | Bearer {token} | Yes |
| Content-Type | application/json | Yes |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name (unique identifier) |

Request Body

Note: The current DTO implementation is empty. The following JSON structure is based on the underlying PolicyDecryption and PolicyDecryptionDef classes and represents the expected structure when full API support is added.

Full JSON Body Example - Basic Decryption

{
  "type": "policy-decryption",
  "description": "Decrypt encrypted data",
  "active": true,
  "policyCondition": null,
  "errorMessageList": [],
  "operationMetadata": {
    "targetScope": "API_PROXY",
    "targetPipeline": "REQUEST",
    "deploy": false,
    "deployTargetEnvironmentNameList": [],
    "order": 1
  },
  "policyDecryptionDefList": [
    {
      "id": "decryption-def-1",
      "description": "Decrypt request body",
      "sourceVar": {
        "name": "encryptedBody",
        "type": "CONTEXT_VALUES",
        "dataType": "STRING"
      },
      "targetVar": {
        "name": "decryptedBody",
        "type": "BODY",
        "dataType": "STRING"
      },
      "cipherAlgorithm": "AES_CBC_PKCS5Padding",
      "cipherAlgorithmVar": null,
      "cryptoKeyInfoId": "decryption-key-id",
      "certificateId": null,
      "enumKeyCertificateType": "KEY",
      "ivExists": true,
      "ivVar": {
        "name": "iv",
        "type": "CONTEXT_VALUES",
        "dataType": "STRING"
      },
      "ivEncodingType": "BASE64",
      "inputEncodingType": "BASE64"
    }
  ]
}

Full JSON Body Example - Dynamic Cipher Algorithm

{
  "type": "policy-decryption",
  "description": "Decrypt with dynamic algorithm",
  "active": true,
  "policyCondition": null,
  "errorMessageList": [],
  "operationMetadata": {
    "targetScope": "ENDPOINT",
    "targetEndpoint": "endpoint-id",
    "targetEndpointHTTPMethod": "POST",
    "targetPipeline": "REQUEST",
    "deploy": false,
    "deployTargetEnvironmentNameList": [],
    "order": 1
  },
  "policyDecryptionDefList": [
    {
      "id": "decryption-def-1",
      "description": "Decrypt with algorithm from variable",
      "sourceVar": {
        "name": "encryptedData",
        "type": "HEADER",
        "headerName": "X-Encrypted-Data",
        "dataType": "STRING"
      },
      "targetVar": {
        "name": "decryptedData",
        "type": "CONTEXT_VALUES",
        "dataType": "STRING"
      },
      "cipherAlgorithm": null,
      "cipherAlgorithmVar": {
        "name": "algorithm",
        "type": "HEADER",
        "headerName": "X-Cipher-Algorithm",
        "dataType": "STRING"
      },
      "cryptoKeyInfoId": "decryption-key-id",
      "certificateId": null,
      "enumKeyCertificateType": "KEY",
      "ivExists": true,
      "ivVar": {
        "name": "iv",
        "type": "HEADER",
        "headerName": "X-IV",
        "dataType": "STRING"
      },
      "ivEncodingType": "BASE64",
      "inputEncodingType": "BASE64"
    }
  ]
}

Full JSON Body Example - Multiple Decryption Definitions

{
  "type": "policy-decryption",
  "description": "Decrypt multiple fields",
  "active": true,
  "policyCondition": null,
  "errorMessageList": [],
  "operationMetadata": {
    "targetScope": "API_PROXY",
    "targetPipeline": "REQUEST",
    "deploy": false,
    "deployTargetEnvironmentNameList": [],
    "order": 1
  },
  "policyDecryptionDefList": [
    {
      "id": "decryption-def-1",
      "description": "Decrypt request body",
      "sourceVar": {
        "name": "encryptedBody",
        "type": "CONTEXT_VALUES",
        "dataType": "STRING"
      },
      "targetVar": {
        "name": "decryptedBody",
        "type": "BODY",
        "dataType": "STRING"
      },
      "cipherAlgorithm": "AES_CBC_PKCS5Padding",
      "cipherAlgorithmVar": null,
      "cryptoKeyInfoId": "aes-key-id",
      "certificateId": null,
      "enumKeyCertificateType": "KEY",
      "ivExists": true,
      "ivVar": {
        "name": "iv",
        "type": "CONTEXT_VALUES",
        "dataType": "STRING"
      },
      "ivEncodingType": "BASE64",
      "inputEncodingType": "BASE64"
    },
    {
      "id": "decryption-def-2",
      "description": "Decrypt header value",
      "sourceVar": {
        "name": "encryptedHeader",
        "type": "HEADER",
        "headerName": "X-Encrypted-Header",
        "dataType": "STRING"
      },
      "targetVar": {
        "name": "decryptedHeader",
        "type": "HEADER",
        "headerName": "X-Decrypted-Header",
        "dataType": "STRING"
      },
      "cipherAlgorithm": "RSA_ECB_PKCS1Padding",
      "cipherAlgorithmVar": null,
      "cryptoKeyInfoId": null,
      "certificateId": "rsa-cert-id",
      "enumKeyCertificateType": "CERTIFICATE",
      "ivExists": false,
      "ivVar": null,
      "ivEncodingType": null,
      "inputEncodingType": "BASE64"
    }
  ]
}

Request Body Fields

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| type | string | Yes | - | Must be "policy-decryption" |
| description | string | No | - | Policy description |
| active | boolean | No | true | Whether the policy is active |
| policyCondition | object | No | null | Policy condition |
| errorMessageList | array | No | [] | List of error messages |
| operationMetadata | object | Yes | - | Operation metadata |
| policyDecryptionDefList | array | Yes | - | List of decryption definitions |

Decryption Definition (policyDecryptionDefList)

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| id | string | No | - | Definition ID |
| description | string | No | - | Definition description |
| sourceVar | object | Yes | - | Source variable containing encrypted data |
| targetVar | object | Yes | - | Target variable for decrypted data |
| cipherAlgorithm | string | No | null | Cipher algorithm (if static) |
| cipherAlgorithmVar | object | No | null | Variable containing cipher algorithm name (if dynamic) |
| cryptoKeyInfoId | string | No | null | Crypto key info ID (for symmetric algorithms or asymmetric with KEY type) |
| certificateId | string | No | null | Certificate ID (for asymmetric algorithms with CERTIFICATE type) |
| enumKeyCertificateType | string | No | KEY | Key/certificate type |
| ivExists | boolean | No | false | Whether initialization vector (IV) exists |
| ivVar | object | No | null | Variable containing IV (if ivExists=true) |
| ivEncodingType | string | No | null | IV encoding type (if ivExists=true) |
| inputEncodingType | string | Yes | - | Input encoding type of encrypted data |

EnumCipherAlgorithm (cipherAlgorithm)

Symmetric Algorithms:
  • AES_CBC_NoPadding - AES/CBC/NoPadding
  • AES_CBC_PKCS5Padding - AES/CBC/PKCS5Padding (requires IV)
  • AES_ECB_NoPadding - AES/ECB/NoPadding
  • AES_ECB_PKCS5Padding - AES/ECB/PKCS5Padding
  • DES_CBC_NoPadding - DES/CBC/NoPadding
  • DES_CBC_PKCS5Padding - DES/CBC/PKCS5Padding (requires IV)
  • DES_ECB_NoPadding - DES/ECB/NoPadding
  • DES_ECB_PKCS5Padding - DES/ECB/PKCS5Padding
  • DESede_CBC_NoPadding - DESede/CBC/NoPadding
  • DESede_CBC_PKCS5Padding - DESede/CBC/PKCS5Padding (requires IV)
  • DESede_ECB_NoPadding - DESede/ECB/NoPadding
  • DESede_ECB_PKCS5Padding - DESede/ECB/PKCS5Padding
Asymmetric Algorithms:
  • RSA_ECB_PKCS1Padding - RSA/ECB/PKCS1Padding
  • RSA_ECB_OAEPWithSHA_1AndMGF1Padding - RSA/ECB/OAEPWithSHA-1AndMGF1Padding
  • RSA_ECB_OAEPWithSHA_256AndMGF1Padding - RSA/ECB/OAEPWithSHA-256AndMGF1Padding

EnumEncodingType (inputEncodingType, ivEncodingType)

  • BASE64 - Base64 encoding
  • HEXADECIMAL - Hexadecimal encoding

EnumKeyCertificateType (enumKeyCertificateType)

  • KEY - Use cryptographic key (from cryptoKeyInfoId)
  • CERTIFICATE - Use certificate (from certificateId)

Variable Object (sourceVar, targetVar, ivVar, cipherAlgorithmVar)

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Variable name |
| type | string | Yes | Variable type |
| headerName | string | No* | Header name (required if type=HEADER) |
| paramName | string | No* | Parameter name (required if type=PARAMETER) |
| jsonPathValue | string | No* | JsonPath expression (required if type=BODY for JSON) |
| xpathValue | string | No* | XPath expression (required if type=BODY for XML) |
| contextValue | string | No* | Context value (required if type=CONTEXT_VALUES) |
| dataType | string | Yes | Data type |

Variable Types

  • HEADER - Extract from HTTP header
  • PARAMETER - Extract from query/path/form parameter
  • BODY - Extract from request/response body (XML, JSON, or raw)
  • CONTEXT_VALUES - Extract from system context values
  • CUSTOM - Extract using custom script

Response

Success Response (200 OK)

{
  "success": true
}

Error Response (400 Bad Request)

{
  "error": "bad_request",
  "error_description": "policyDecryptionDefList cannot be empty"
}

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Same as Add Policy. All fields can be updated.

Response

Same as Add Policy.

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

| Header | Value | Required |
| --- | --- | --- |
| Authorization | Bearer {token} | Yes |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |

Response

Success Response (200 OK)

{
  "success": true
}

cURL Examples

Example 1: Add Basic Decryption Policy

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/decryption-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "policy-decryption",
    "description": "Decrypt encrypted data",
    "active": true,
    "operationMetadata": {
      "targetScope": "API_PROXY",
      "targetPipeline": "REQUEST",
      "deploy": false,
      "order": 1
    },
    "policyDecryptionDefList": [
      {
        "sourceVar": {
          "name": "encryptedBody",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "targetVar": {
          "name": "decryptedBody",
          "type": "BODY",
          "dataType": "STRING"
        },
        "cipherAlgorithm": "AES_CBC_PKCS5Padding",
        "cryptoKeyInfoId": "decryption-key-id",
        "enumKeyCertificateType": "KEY",
        "ivExists": true,
        "ivVar": {
          "name": "iv",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "ivEncodingType": "BASE64",
        "inputEncodingType": "BASE64"
      }
    ]
  }'

Example 2: Update Decryption Policy

curl -X PUT \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/decryption-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "policy-decryption",
    "description": "Updated decryption policy",
    "active": true,
    "operationMetadata": {
      "targetScope": "API_PROXY",
      "targetPipeline": "REQUEST",
      "deploy": false,
      "order": 1
    },
    "policyDecryptionDefList": [
      {
        "sourceVar": {
          "name": "encryptedBody",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "targetVar": {
          "name": "decryptedBody",
          "type": "BODY",
          "dataType": "STRING"
        },
        "cipherAlgorithm": "AES_CBC_PKCS5Padding",
        "cryptoKeyInfoId": "new-decryption-key-id",
        "enumKeyCertificateType": "KEY",
        "ivExists": true,
        "ivVar": {
          "name": "iv",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "ivEncodingType": "BASE64",
        "inputEncodingType": "BASE64"
      }
    ]
  }'

Example 3: Delete Decryption Policy

curl -X DELETE \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/decryption-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN"

Notes and Warnings

  • ⚠️ Implementation Status:
    • This policy is currently NOT IMPLEMENTED in Management API
    • Attempting to create or update this policy via Management API will fail
    • This documentation is provided for reference purposes only
    • Full API support will be added in a future release
  • Cipher Algorithm:
    • Can be specified statically via cipherAlgorithm or dynamically via cipherAlgorithmVar
    • If both are null, decryption will be skipped (data returned as-is)
    • Algorithm must match the one used for encryption
  • Initialization Vector (IV):
    • Required for CBC mode algorithms
    • Set ivExists: true if IV is present
    • IV must be provided in ivVar with correct ivEncodingType
    • IV encoding must match the encoding used during encryption
    • ECB mode algorithms do not require IV
  • Input Encoding:
    • Must match the output encoding used during encryption
    • BASE64 - For Base64-encoded encrypted data
    • HEXADECIMAL - For hexadecimal-encoded encrypted data
  • Key/Certificate Management:
    • Keys must be configured in Key Store before use
    • Certificates must be configured in Certificate Store before use
    • Use enumKeyCertificateType to specify key or certificate source
    • Key/certificate must match the one used for encryption
  • Variable Types:
    • Source and target variables can be from headers, parameters, body, or context
    • Use appropriate variable types based on data location
    • Encrypted data is typically stored in context or headers
  • Multiple Definitions:
    • Multiple decryption definitions can be configured in one policy
    • Each definition decrypts a different source variable
    • Definitions are executed in order
  • Decryption Order:
    • Decryption should be performed before other policies that need plaintext data
    • Consider policy order when configuring decryption policies
  • Error Handling:
    • Decryption failures will throw exceptions
    • Configure error messages for better error handling
    • Invalid keys or algorithms will cause decryption to fail
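
The rules in the notes above can be checked offline before a policy body is submitted. The following is an added example, not Apinizer code: a hypothetical `audit_policy` helper that applies this page's field rules to a policy body and also flags ECB mode, single DES and sender-selected algorithms, which are general cryptographic cautions rather than checks the product is documented to perform.

```python
# Added example (audit_policy is a hypothetical helper); enum names are from this page.
ALGORITHMS = {f"{c}_{m}_{p}" for c in ("AES", "DES", "DESede")
              for m in ("CBC", "ECB") for p in ("NoPadding", "PKCS5Padding")} | {
    "RSA_ECB_PKCS1Padding", "RSA_ECB_OAEPWithSHA_1AndMGF1Padding",
    "RSA_ECB_OAEPWithSHA_256AndMGF1Padding"}
ENCODINGS = {"BASE64", "HEXADECIMAL"}

def audit_policy(policy):
    """Return (severity, definition id, message) findings for one policy body."""
    findings = []
    defs = policy.get("policyDecryptionDefList") or []
    if not defs:
        findings.append(("error", "-", "policyDecryptionDefList cannot be empty"))
    for i, d in enumerate(defs):
        def add(sev, msg, did=d.get("id") or f"#{i}"):
            findings.append((sev, did, msg))
        alg, alg_var = d.get("cipherAlgorithm"), d.get("cipherAlgorithmVar")
        if alg is None and alg_var is None:
            add("error", "no algorithm: decryption is skipped and data passes as-is")
        elif alg is not None and alg not in ALGORITHMS:
            add("error", f"unknown cipherAlgorithm {alg!r}")
        if alg_var and alg_var.get("type") in ("HEADER", "PARAMETER"):
            add("warn", "algorithm comes from a header or parameter, so the sender selects it")
        iv_ok = (d.get("ivExists") and d.get("ivVar")
                 and d.get("ivEncodingType") in ENCODINGS)
        if alg in ALGORITHMS and "_CBC_" in alg and not iv_ok:
            add("error", "CBC mode needs ivExists=true, ivVar and ivEncodingType")
        if alg in ALGORITHMS and "_ECB_" in alg and not alg.startswith("RSA"):
            add("warn", "ECB mode reveals repeated plaintext blocks")
        if alg in ALGORITHMS and alg.startswith("DES_"):
            add("warn", "single DES has a 56-bit key")
        if d.get("inputEncodingType") not in ENCODINGS:
            add("error", "inputEncodingType must be BASE64 or HEXADECIMAL")
        kind = d.get("enumKeyCertificateType") or "KEY"
        needed = "certificateId" if kind == "CERTIFICATE" else "cryptoKeyInfoId"
        if not d.get(needed):
            add("error", f"enumKeyCertificateType={kind} requires {needed}")
    return findings

# Constructed sample: a header-selected algorithm, and DES/ECB with no key id.
VAR = {"name": "v", "type": "CONTEXT_VALUES", "dataType": "STRING"}
SAMPLE = {"type": "policy-decryption", "policyDecryptionDefList": [
    {"id": "dyn", "sourceVar": VAR, "targetVar": VAR, "cryptoKeyInfoId": "k",
     "inputEncodingType": "BASE64", "cipherAlgorithmVar": dict(VAR, type="HEADER")},
    {"id": "weak", "sourceVar": VAR, "targetVar": VAR,
     "cipherAlgorithm": "DES_ECB_PKCS5Padding", "inputEncodingType": "HEXADECIMAL"}]}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE):
        print(*finding, sep=": ")
```
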

Permissions

The user must have API_MANAGEMENT + MANAGE permission in the project. For deployment operations (when deploy: true is set), the user must also have API_MANAGEMENT + DEPLOY_UNDEPLOY permission.