Decryption Policy

General Information

Policy Type

policy-decryption

Description

Decryption policy decrypts encrypted data using cryptographic keys. It reads encrypted data from source variables, decrypts them using specified cipher algorithms, and stores the decrypted data in target variables. This policy provides data confidentiality capabilities by reversing encryption operations.

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

---

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

Header	Value
Authorization	Bearer {token}

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name

Response

Success Response (200 OK)

{
  "status": "SUCCESS",
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-decryption",
            "name": "decryption-policy",
            "description": "Decrypt encrypted data",
            "active": true
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

---

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value	Required
Authorization	Bearer {token}	Yes
Content-Type	application/json	Yes

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name (unique identifier)

Request Body

Important: The request body must follow the PolicyOperationDTO structure with separate operationMetadata and policy objects. See Add Policy for the general structure.

Full JSON Body Example - Basic Decryption

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["tester"],
    "order": 1
  },
  "policy": {
    "type": "policy-decryption",
    "description": "Decrypt encrypted data",
    "active": true,
    "decryptionDefList": [
      {
        "description": "Decrypt request body",
        "sourceVar": {
          "name": "encryptedBody",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "targetVar": {
          "name": "decryptedBody",
          "type": "BODY",
          "dataType": "STRING"
        },
        "cipherAlgorithm": "AES_CBC_PKCS5Padding",
        "keyName": "my-aes-key",
        "keyCertificateType": "KEY",
        "ivExists": true,
        "ivVar": {
          "name": "iv",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "ivEncodingType": "BASE64",
        "inputEncodingType": "BASE64"
      }
    ]
  }
}

Full JSON Body Example - Dynamic Cipher Algorithm

{
  "operationMetadata": {
    "targetScope": "ENDPOINT",
    "targetEndpoint": "/api/data",
    "targetEndpointHTTPMethod": "POST",
    "targetPipeline": "REQUEST",
    "deploy": false,
    "deployTargetEnvironmentNameList": [],
    "order": 1
  },
  "policy": {
    "type": "policy-decryption",
    "description": "Decrypt with dynamic algorithm",
    "active": true,
    "decryptionDefList": [
      {
        "description": "Decrypt with algorithm from variable",
        "sourceVar": {
          "name": "encryptedData",
          "type": "HEADER",
          "headerName": "X-Encrypted-Data",
          "dataType": "STRING"
        },
        "targetVar": {
          "name": "decryptedData",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "cipherAlgorithm": null,
        "cipherAlgorithmVar": {
          "name": "algorithm",
          "type": "HEADER",
          "headerName": "X-Cipher-Algorithm",
          "dataType": "STRING"
        },
        "keyName": "my-aes-key",
        "keyCertificateType": "KEY",
        "ivExists": true,
        "ivVar": {
          "name": "iv",
          "type": "HEADER",
          "headerName": "X-IV",
          "dataType": "STRING"
        },
        "ivEncodingType": "BASE64",
        "inputEncodingType": "BASE64"
      }
    ]
  }
}

Full JSON Body Example - Multiple Decryption Definitions

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": false,
    "deployTargetEnvironmentNameList": [],
    "order": 1
  },
  "policy": {
    "type": "policy-decryption",
    "description": "Decrypt multiple fields",
    "active": true,
    "decryptionDefList": [
      {
        "description": "Decrypt request body",
        "sourceVar": {
          "name": "encryptedBody",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "targetVar": {
          "name": "decryptedBody",
          "type": "BODY",
          "dataType": "STRING"
        },
        "cipherAlgorithm": "AES_CBC_PKCS5Padding",
        "keyName": "my-aes-key",
        "keyCertificateType": "KEY",
        "ivExists": true,
        "ivVar": {
          "name": "iv",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "ivEncodingType": "BASE64",
        "inputEncodingType": "BASE64"
      },
      {
        "description": "Decrypt header value",
        "sourceVar": {
          "name": "encryptedHeader",
          "type": "HEADER",
          "headerName": "X-Encrypted-Header",
          "dataType": "STRING"
        },
        "targetVar": {
          "name": "decryptedHeader",
          "type": "HEADER",
          "headerName": "X-Decrypted-Header",
          "dataType": "STRING"
        },
        "cipherAlgorithm": "RSA_ECB_PKCS1Padding",
        "certificateName": "my-rsa-cert",
        "keyCertificateType": "CERTIFICATE",
        "ivExists": false,
        "ivVar": null,
        "ivEncodingType": null,
        "inputEncodingType": "BASE64"
      }
    ]
  }
}

Request Body Fields

The request body has two top-level fields:

Field	Type	Required	Description
operationMetadata	object	Yes	Operation metadata. See Policy Operation Metadata
policy	object	Yes	Policy configuration (see below)

Policy Object Fields

Field	Type	Required	Default	Description
type	string	Yes	-	Must be "policy-decryption"
description	string	No	-	Policy description
active	boolean	No	true	Whether the policy is active
policyCondition	object	No	null	Policy condition. See Policy Condition
errorMessageList	array	No	[]	List of error messages. See Error Messages
decryptionDefList	array	Yes	-	List of decryption definitions. See Decryption Definition

Decryption Definition (decryptionDefList)

Field	Type	Required	Default	Description
description	string	No	-	Definition description
sourceVar	object	Yes	-	Source variable containing encrypted data
targetVar	object	Yes	-	Target variable for decrypted data
cipherAlgorithm	string	No	null	Cipher algorithm (if static). See EnumCipherAlgorithm
cipherAlgorithmVar	object	No	null	Variable containing cipher algorithm name (if dynamic)
keyName	string	No	null	Key name (for symmetric algorithms or asymmetric with KEY type). Resolved by name.
certificateName	string	No	null	Certificate name (for asymmetric algorithms with CERTIFICATE type). Resolved by name.
keyCertificateType	string	No	KEY	Key/certificate type. See EnumKeyCertificateType
ivExists	boolean	No	false	Whether initialization vector (IV) exists
ivVar	object	No	null	Variable containing IV (if ivExists=true)
ivEncodingType	string	No	null	IV encoding type (if ivExists=true). See EnumEncodingType
inputEncodingType	string	Yes	-	Input encoding type of encrypted data. See EnumEncodingType

EnumCipherAlgorithm (cipherAlgorithm)

Symmetric Algorithms:

• AES_CBC_NoPadding - AES/CBC/NoPadding
• AES_CBC_PKCS5Padding - AES/CBC/PKCS5Padding (requires IV)
• AES_ECB_NoPadding - AES/ECB/NoPadding
• AES_ECB_PKCS5Padding - AES/ECB/PKCS5Padding
• DES_CBC_NoPadding - DES/CBC/NoPadding
• DES_CBC_PKCS5Padding - DES/CBC/PKCS5Padding (requires IV)
• DES_ECB_NoPadding - DES/ECB/NoPadding
• DES_ECB_PKCS5Padding - DES/ECB/PKCS5Padding
• DESede_CBC_NoPadding - DESede/CBC/NoPadding
• DESede_CBC_PKCS5Padding - DESede/CBC/PKCS5Padding (requires IV)
• DESede_ECB_NoPadding - DESede/ECB/NoPadding
• DESede_ECB_PKCS5Padding - DESede/ECB/PKCS5Padding

Asymmetric Algorithms:

• RSA_ECB_PKCS1Padding - RSA/ECB/PKCS1Padding
• RSA_ECB_OAEPWithSHA_1AndMGF1Padding - RSA/ECB/OAEPWithSHA-1AndMGF1Padding
• RSA_ECB_OAEPWithSHA_256AndMGF1Padding - RSA/ECB/OAEPWithSHA-256AndMGF1Padding

EnumEncodingType (inputEncodingType, ivEncodingType)

• BASE64 - Base64 encoding
• HEXADECIMAL - Hexadecimal encoding

EnumKeyCertificateType (keyCertificateType)

• KEY - Use cryptographic key (from keyName)
• CERTIFICATE - Use certificate (from certificateName)

Variable Object (sourceVar, targetVar, ivVar, cipherAlgorithmVar)

Field	Type	Required	Description
name	string	Yes	Variable name
type	string	Yes	Variable type
headerName	string	No*	Header name (required if type=HEADER)
paramName	string	No*	Parameter name (required if type=PARAMETER)
jsonPathValue	string	No*	JsonPath expression (required if type=BODY for JSON)
xpathValue	string	No*	XPath expression (required if type=BODY for XML)
contextValue	string	No*	Context value (required if type=CONTEXT_VALUES)
dataType	string	Yes	Data type

Variable Types

• HEADER - Extract from HTTP header
• PARAMETER - Extract from query/path/form parameter
• BODY - Extract from request/response body (XML, JSON, or raw)
• CONTEXT_VALUES - Extract from system context values
• CUSTOM - Extract using custom script

Response

Success Response (200 OK)

{
  "status": "SUCCESS",
  "resultList": null,
  "resultCount": null,
  "deploymentResult": null
}

Error Response (400 Bad Request)

{
  "status": "FAILURE",
  "resultMessage": "decryptionDefList cannot be empty"
}

---

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Same as Add Policy. All fields can be updated.

Response

Same as Add Policy.

---

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value	Required
Authorization	Bearer {token}	Yes

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Response

Success Response (200 OK)

{
  "status": "SUCCESS",
  "resultList": null,
  "resultCount": null,
  "deploymentResult": null
}

---

cURL Examples

Example 1: Add Basic Decryption Policy

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/decryption-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["tester"],
      "order": 1
    },
    "policy": {
      "type": "policy-decryption",
      "description": "Decrypt encrypted data",
      "active": true,
      "decryptionDefList": [
        {
          "sourceVar": {
            "name": "encryptedBody",
            "type": "CONTEXT_VALUES",
            "dataType": "STRING"
          },
          "targetVar": {
            "name": "decryptedBody",
            "type": "BODY",
            "dataType": "STRING"
          },
          "cipherAlgorithm": "AES_CBC_PKCS5Padding",
          "keyName": "my-aes-key",
          "keyCertificateType": "KEY",
          "ivExists": true,
          "ivVar": {
            "name": "iv",
            "type": "CONTEXT_VALUES",
            "dataType": "STRING"
          },
          "ivEncodingType": "BASE64",
          "inputEncodingType": "BASE64"
        }
      ]
    }
  }'

Example 2: Update Decryption Policy

curl -X PUT \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/decryption-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["tester"],
      "order": 1
    },
    "policy": {
      "type": "policy-decryption",
      "description": "Updated decryption policy",
      "active": true,
      "decryptionDefList": [
        {
          "sourceVar": {
            "name": "encryptedBody",
            "type": "CONTEXT_VALUES",
            "dataType": "STRING"
          },
          "targetVar": {
            "name": "decryptedBody",
            "type": "BODY",
            "dataType": "STRING"
          },
          "cipherAlgorithm": "AES_CBC_PKCS5Padding",
          "keyName": "my-new-aes-key",
          "keyCertificateType": "KEY",
          "ivExists": true,
          "ivVar": {
            "name": "iv",
            "type": "CONTEXT_VALUES",
            "dataType": "STRING"
          },
          "ivEncodingType": "BASE64",
          "inputEncodingType": "BASE64"
        }
      ]
    }
  }'

Example 3: Delete Decryption Policy

curl -X DELETE \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/decryption-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN"

---

Notes and Warnings

• Cipher Algorithm:

  • Can be specified statically via cipherAlgorithm or dynamically via cipherAlgorithmVar
  • If both are null, decryption will be skipped (data returned as-is)
  • Algorithm must match the one used for encryption

• Initialization Vector (IV):

  • Required for CBC mode algorithms
  • Set ivExists: true if IV is present
  • IV must be provided in ivVar with correct ivEncodingType
  • IV encoding must match the encoding used during encryption
  • ECB mode algorithms do not require IV

• Input Encoding:

  • Must match the output encoding used during encryption
  • BASE64 - For Base64-encoded encrypted data
  • HEXADECIMAL - For hexadecimal-encoded encrypted data

• Key/Certificate Management:

  • Keys must be configured in Key Store before use
  • Certificates must be configured in Certificate Store before use
  • Use keyCertificateType to specify key or certificate source
  • Specify the key or certificate by name; the system resolves it to the corresponding ID automatically
  • Key/certificate must match the one used for encryption
  • Keys and certificates are referenced by name (keyName, certificateName)

• Variable Types:

  • Source and target variables can be from headers, parameters, body, or context
  • Use appropriate variable types based on data location
  • Encrypted data is typically stored in context or headers

• Multiple Definitions:

  • Multiple decryption definitions can be configured in one policy
  • Each definition decrypts a different source variable
  • Definitions are executed in order

• Decryption Order:

  • Decryption should be performed before other policies that need plaintext data
  • Consider policy order when configuring decryption policies

• Error Handling:

  • Decryption failures will throw exceptions
  • Configure error messages for better error handling
  • Invalid keys or algorithms will cause decryption to fail

Permissions

User must have API_MANAGEMENT + MANAGE permission in the project. For deployment operations (when deploy: true is set), user must also have API_MANAGEMENT + DEPLOY_UNDEPLOY permission.

Related Documentation

• List Policies - List all policies
• Add Policy - Add a policy
• Update Policy - Update a policy
• Delete Policy - Delete a policy
• Encryption Policy - Encrypt data