POST
/
decrypt-key
Decrypt an Encrypted Data Encryption Key (DEK)
curl --request POST \
  --url https://api.customer.com/sarvam/byok/v1/decrypt-key \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'x-request-id: <x-request-id>' \
  --header 'x-request-timestamp: <x-request-timestamp>' \
  --data '{
  "data": {
    "key_alias": "samvaad-prod-master-key-01",
    "encrypted_key": "byok:v1:CiBQ EXEMPLARY/ENCRYPTED+DATA+STRING"
  }
}'
{
  "data": {
    "plaintext_key": "VGhpcyBJcyBBIERlY3J5cHRlZCBLZXkgRm9yIFRlc3Rpbmc="
  }
}

Authorizations

Authorization
string
header
required

A token sent in the Authorization header.

This can be one of two types:

  1. A short-lived JWT obtained from the /auth endpoint.
  2. A long-lived, static API Key provided during setup.

In both cases, the header format is Authorization: Bearer <token>.

Headers

x-request-id
string<uuid>
required

A unique identifier for this specific API call, generated by the client (Samvaad).

x-trace-id
string<uuid>

An identifier to trace a single request across multiple services.

x-request-timestamp
string<date-time>
required

The ISO 8601 timestamp of when the client sent the request.

Body

application/json

The request containing the key alias and the encrypted key data.

data
object
required

The request payload to decrypt a key.

Response

The DEK was successfully decrypted.

data
object
required

The response payload containing the decrypted key.