General Information

Policy Type

policy-encryption

Description

The encryption policy encrypts data using cryptographic keys or certificates. It reads data from source variables, encrypts it with the specified cipher algorithm, and stores the encrypted data in target variables. This policy provides data confidentiality capabilities.

⚠️ Implementation Status: This policy is currently not implemented in the Management API. It cannot be created or managed through the Management API at this time. This documentation is provided for reference purposes and will be updated when full API support is added in a future release.

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

| Header | Value |
| --- | --- |
| Authorization | Bearer {token} |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-encryption",
            "name": "encryption-policy",
            "description": "Encrypt sensitive data",
            "active": true
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ]
}

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

| Header | Value | Required |
| --- | --- | --- |
| Authorization | Bearer {token} | Yes |
| Content-Type | application/json | Yes |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name (unique identifier) |

Request Body

Note: The current DTO implementation is empty. The following JSON structure is based on the underlying PolicyEncryption and PolicyEncryptionDef classes and represents the expected structure when full API support is added.

Full JSON Body Example - Basic Encryption

{
  "type": "policy-encryption",
  "description": "Encrypt sensitive data",
  "active": true,
  "policyCondition": null,
  "errorMessageList": [],
  "operationMetadata": {
    "targetScope": "API_PROXY",
    "targetPipeline": "REQUEST",
    "deploy": false,
    "deployTargetEnvironmentNameList": [],
    "order": 1
  },
  "policyEncryptionDefList": [
    {
      "id": "encryption-def-1",
      "description": "Encrypt request body",
      "sourceVar": {
        "name": "requestBody",
        "type": "BODY",
        "dataType": "STRING"
      },
      "targetVar": {
        "name": "encryptedBody",
        "type": "CONTEXT_VALUES",
        "dataType": "STRING"
      },
      "cipherAlgorithm": "AES_CBC_PKCS5Padding",
      "cryptoKeyInfoId": "encryption-key-id",
      "certificateId": null,
      "enumKeyCertificateType": "KEY",
      "createIV": true,
      "ivEncodingType": "BASE64",
      "ivVar": {
        "name": "iv",
        "type": "CONTEXT_VALUES",
        "dataType": "STRING"
      },
      "cipherAlgorithmVar": null,
      "outputEncodingType": "BASE64"
    }
  ]
}

Full JSON Body Example - Multiple Encryption Definitions

{
  "type": "policy-encryption",
  "description": "Encrypt multiple fields",
  "active": true,
  "policyCondition": null,
  "errorMessageList": [],
  "operationMetadata": {
    "targetScope": "ENDPOINT",
    "targetEndpoint": "endpoint-id",
    "targetEndpointHTTPMethod": "POST",
    "targetPipeline": "REQUEST",
    "deploy": false,
    "deployTargetEnvironmentNameList": [],
    "order": 1
  },
  "policyEncryptionDefList": [
    {
      "id": "encryption-def-1",
      "description": "Encrypt request body",
      "sourceVar": {
        "name": "requestBody",
        "type": "BODY",
        "dataType": "STRING"
      },
      "targetVar": {
        "name": "encryptedBody",
        "type": "CONTEXT_VALUES",
        "dataType": "STRING"
      },
      "cipherAlgorithm": "AES_CBC_PKCS5Padding",
      "cryptoKeyInfoId": "aes-key-id",
      "certificateId": null,
      "enumKeyCertificateType": "KEY",
      "createIV": true,
      "ivEncodingType": "BASE64",
      "ivVar": {
        "name": "iv",
        "type": "CONTEXT_VALUES",
        "dataType": "STRING"
      },
      "cipherAlgorithmVar": null,
      "outputEncodingType": "BASE64"
    },
    {
      "id": "encryption-def-2",
      "description": "Encrypt header value",
      "sourceVar": {
        "name": "sensitiveHeader",
        "type": "HEADER",
        "dataType": "STRING"
      },
      "targetVar": {
        "name": "encryptedHeader",
        "type": "HEADER",
        "dataType": "STRING"
      },
      "cipherAlgorithm": "RSA_ECB_PKCS1Padding",
      "cryptoKeyInfoId": null,
      "certificateId": "rsa-cert-id",
      "enumKeyCertificateType": "CERTIFICATE",
      "createIV": false,
      "ivEncodingType": null,
      "ivVar": null,
      "cipherAlgorithmVar": null,
      "outputEncodingType": "BASE64"
    }
  ]
}

Request Body Fields

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| type | string | Yes | - | Must be "policy-encryption" |
| description | string | No | - | Policy description |
| active | boolean | No | true | Whether the policy is active |
| policyCondition | object | No | null | Policy condition. See Policy Condition |
| errorMessageList | array | No | [] | List of error messages. See Error Messages |
| operationMetadata | object | Yes | - | Operation metadata. See Policy Operation Metadata |
| policyEncryptionDefList | array | Yes | - | List of encryption definitions. See Encryption Definition |

Encryption Definition (policyEncryptionDefList)

| Field | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| id | string | No | - | Definition ID |
| description | string | No | - | Definition description |
| sourceVar | object | Yes | - | Source variable to encrypt. See Variable Object |
| targetVar | object | Yes | - | Target variable for encrypted data. See Variable Object |
| cipherAlgorithm | string | Yes | - | Cipher algorithm. See EnumCipherAlgorithm |
| cipherAlgorithmVar | object | No | null | Variable containing cipher algorithm name (if dynamic) |
| cryptoKeyInfoId | string | No | null | Crypto key info ID (for symmetric algorithms or asymmetric with KEY type) |
| certificateId | string | No | null | Certificate ID (for asymmetric algorithms with CERTIFICATE type) |
| enumKeyCertificateType | string | No | KEY | Key/certificate type. See EnumKeyCertificateType |
| createIV | boolean | No | false | Whether to create initialization vector (IV) |
| ivEncodingType | string | No | null | IV encoding type (if createIV=true). See EnumEncodingType |
| ivVar | object | No | null | Variable to store IV (if createIV=true) |
| outputEncodingType | string | Yes | - | Output encoding type. See EnumEncodingType |

EnumCipherAlgorithm (cipherAlgorithm)

Symmetric Algorithms:
  • AES_CBC_NoPadding - AES/CBC/NoPadding
  • AES_CBC_PKCS5Padding - AES/CBC/PKCS5Padding (requires IV)
  • AES_ECB_NoPadding - AES/ECB/NoPadding
  • AES_ECB_PKCS5Padding - AES/ECB/PKCS5Padding
  • DES_CBC_NoPadding - DES/CBC/NoPadding
  • DES_CBC_PKCS5Padding - DES/CBC/PKCS5Padding (requires IV)
  • DES_ECB_NoPadding - DES/ECB/NoPadding
  • DES_ECB_PKCS5Padding - DES/ECB/PKCS5Padding
  • DESede_CBC_NoPadding - DESede/CBC/NoPadding
  • DESede_CBC_PKCS5Padding - DESede/CBC/PKCS5Padding (requires IV)
  • DESede_ECB_NoPadding - DESede/ECB/NoPadding
  • DESede_ECB_PKCS5Padding - DESede/ECB/PKCS5Padding
Asymmetric Algorithms:
  • RSA_ECB_PKCS1Padding - RSA/ECB/PKCS1Padding
  • RSA_ECB_OAEPWithSHA_1AndMGF1Padding - RSA/ECB/OAEPWithSHA-1AndMGF1Padding
  • RSA_ECB_OAEPWithSHA_256AndMGF1Padding - RSA/ECB/OAEPWithSHA-256AndMGF1Padding

EnumEncodingType (outputEncodingType, ivEncodingType)

  • BASE64 - Base64 encoding
  • HEXADECIMAL - Hexadecimal encoding

EnumKeyCertificateType (enumKeyCertificateType)

  • KEY - Use cryptographic key (from cryptoKeyInfoId)
  • CERTIFICATE - Use certificate (from certificateId)

Variable Object (sourceVar, targetVar, ivVar, cipherAlgorithmVar)

See Variable Definition for complete variable documentation.

Variable Types

  • HEADER - Extract from HTTP header
  • PARAMETER - Extract from query/path/form parameter
  • BODY - Extract from request/response body (XML, JSON, or raw)
  • CONTEXT_VALUES - Extract from system context values
  • CUSTOM - Extract using custom script

Policy Condition (policyCondition)

See Policy Condition Documentation for detailed information.

Policy Operation Metadata (operationMetadata)

See Policy Operation Metadata Documentation for detailed information.

Error Messages (errorMessageList)

See Error Messages Documentation for detailed information.

Response

Success Response (200 OK)

{
  "success": true
}

Error Response (400 Bad Request)

{
  "error": "bad_request",
  "error_description": "policyEncryptionDefList cannot be empty"
}

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Same as Add Policy. All fields can be updated.

Response

Same as Add Policy.

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

| Header | Value | Required |
| --- | --- | --- |
| Authorization | Bearer {token} | Yes |

Path Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
| policyName | string | Yes | Policy name |

Response

Success Response (200 OK)

{
  "success": true
}

cURL Examples

Example 1: Add Basic Encryption Policy

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/encryption-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "policy-encryption",
    "description": "Encrypt sensitive data",
    "active": true,
    "operationMetadata": {
      "targetScope": "API_PROXY",
      "targetPipeline": "REQUEST",
      "deploy": false,
      "order": 1
    },
    "policyEncryptionDefList": [
      {
        "sourceVar": {
          "name": "requestBody",
          "type": "BODY",
          "dataType": "STRING"
        },
        "targetVar": {
          "name": "encryptedBody",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "cipherAlgorithm": "AES_CBC_PKCS5Padding",
        "cryptoKeyInfoId": "encryption-key-id",
        "enumKeyCertificateType": "KEY",
        "createIV": true,
        "ivEncodingType": "BASE64",
        "outputEncodingType": "BASE64"
      }
    ]
  }'

Example 2: Update Encryption Policy

curl -X PUT \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/encryption-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "policy-encryption",
    "description": "Updated encryption policy",
    "active": true,
    "operationMetadata": {
      "targetScope": "API_PROXY",
      "targetPipeline": "REQUEST",
      "deploy": false,
      "order": 1
    },
    "policyEncryptionDefList": [
      {
        "sourceVar": {
          "name": "requestBody",
          "type": "BODY",
          "dataType": "STRING"
        },
        "targetVar": {
          "name": "encryptedBody",
          "type": "CONTEXT_VALUES",
          "dataType": "STRING"
        },
        "cipherAlgorithm": "AES_CBC_PKCS5Padding",
        "cryptoKeyInfoId": "new-encryption-key-id",
        "enumKeyCertificateType": "KEY",
        "createIV": true,
        "ivEncodingType": "BASE64",
        "outputEncodingType": "BASE64"
      }
    ]
  }'

Example 3: Delete Encryption Policy

curl -X DELETE \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/encryption-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN"

Notes and Warnings

  • ⚠️ Implementation Status:
    • This policy is currently NOT IMPLEMENTED in the Management API
    • Attempting to create or update this policy via the Management API will fail
    • This documentation is provided for reference purposes only
    • Full API support will be added in a future release
  • Cipher Algorithms:
    • Symmetric algorithms (AES, DES, DESede) require cryptoKeyInfoId
    • Asymmetric algorithms (RSA) can use either cryptoKeyInfoId (KEY) or certificateId (CERTIFICATE)
    • CBC mode algorithms require IV (set createIV: true)
    • ECB mode algorithms do not require IV
  • Initialization Vector (IV):
    • Required for CBC mode algorithms
    • Set createIV: true to generate IV automatically
    • IV is stored in ivVar with specified ivEncodingType
    • IV must be provided for decryption
  • Encoding Types:
    • BASE64 - Common encoding for encrypted data
    • HEXADECIMAL - Alternative encoding format
    • Output encoding must match input encoding for decryption
  • Key/Certificate Management:
    • Keys must be configured in Key Store before use
    • Certificates must be configured in Certificate Store before use
    • Use enumKeyCertificateType to specify key or certificate source
  • Variable Types:
    • Source and target variables can be from headers, parameters, body, or context
    • Use appropriate variable types based on data location
  • Multiple Definitions:
    • Multiple encryption definitions can be configured in one policy
    • Each definition encrypts a different source variable
    • Definitions are executed in order
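
The rules listed above, applied as an offline check on a policy body before it is submitted. This is an added example, not Apinizer code: the function names lint_def and lint_policy and the sample definitions are constructed for illustration, and the WARN checks for ECB, DES/3DES and PKCS#1 v1.5 padding reflect general cryptographic practice rather than rules stated on this page.

```python
# Added example (not Apinizer code): offline lint for a policy-encryption body.
SYMMETRIC = ("AES_", "DES_", "DESede_")

def lint_def(d):
    """Return (severity, message) findings for one policyEncryptionDefList entry."""
    out = []
    algo = d.get("cipherAlgorithm") or ""
    key_type = d.get("enumKeyCertificateType") or "KEY"  # documented default
    symmetric = algo.startswith(SYMMETRIC)
    # Rules stated on the page
    if symmetric and not d.get("cryptoKeyInfoId"):
        out.append(("ERROR", "symmetric algorithm requires cryptoKeyInfoId"))
    needed = "certificateId" if key_type == "CERTIFICATE" else "cryptoKeyInfoId"
    if algo.startswith("RSA_") and not d.get(needed):
        out.append(("ERROR", f"{key_type} type requires {needed}"))
    if "_CBC_" in algo:
        if not d.get("createIV"):
            out.append(("ERROR", "CBC mode requires createIV: true"))
        elif not (d.get("ivVar") and d.get("ivEncodingType")):
            out.append(("WARN", "IV is generated but ivVar/ivEncodingType is unset; decryption needs the IV"))
    if not d.get("outputEncodingType"):
        out.append(("ERROR", "outputEncodingType is required"))
    # Hardening checks added by this example (general cryptographic practice)
    if symmetric and "_ECB_" in algo:
        out.append(("WARN", "ECB encrypts equal plaintext blocks to equal ciphertext blocks"))
    if algo.startswith(("DES_", "DESede_")):
        out.append(("WARN", "DES/3DES are legacy 64-bit block ciphers; prefer AES"))
    if algo == "RSA_ECB_PKCS1Padding":
        out.append(("WARN", "PKCS#1 v1.5 encryption padding; prefer an OAEP variant"))
    return out

def lint_policy(policy):
    """Return (definition id, severity, message) for every finding in the policy."""
    defs = policy.get("policyEncryptionDefList") or []
    if not defs:  # mirrors the 400 error shown on the page
        return [("-", "ERROR", "policyEncryptionDefList cannot be empty")]
    return [(d.get("id", f"#{i}"), sev, msg)
            for i, d in enumerate(defs) for sev, msg in lint_def(d)]

# Constructed sample: def-1 follows the page's AES example, def-2 and def-3 are weaker choices.
SAMPLE = {"type": "policy-encryption", "policyEncryptionDefList": [
    {"id": "def-1", "cipherAlgorithm": "AES_CBC_PKCS5Padding", "cryptoKeyInfoId": "aes-key-id",
     "createIV": True, "ivEncodingType": "BASE64", "ivVar": {"name": "iv"}, "outputEncodingType": "BASE64"},
    {"id": "def-2", "cipherAlgorithm": "RSA_ECB_PKCS1Padding", "certificateId": "rsa-cert-id",
     "enumKeyCertificateType": "CERTIFICATE", "outputEncodingType": "BASE64"},
    {"id": "def-3", "cipherAlgorithm": "DES_ECB_PKCS5Padding", "outputEncodingType": "HEXADECIMAL"},
]}

print(*(": ".join(f) for f in lint_policy(SAMPLE)), sep="\n")
```

Run against the definition in cURL Example 1, the check reports a single WARN, because that body sets createIV to true without naming an ivVar.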

Permissions

The user must have API_MANAGEMENT + MANAGE permission in the project. For deployment operations (when deploy: true is set), the user must also have API_MANAGEMENT + DEPLOY_UNDEPLOY permission.