Google Workspace CSE API Reference

The Google Workspace Client-side Encryption (CSE) API lets you own the encryption keys used to further encrypt Google Workspace data.


digest POST https://{kacls_url}/digest
Returns the checksum of an unwrapped DEK.
takeout_unwrap POST https://{kacls_url}/takeout_unwrap
Decrypts data exported from Google in a privileged context.
rewrap POST https://{kacls_url}/rewrap
Re-encrypts an encrypted DEK.
status GET https://{kacls_url}/status
Checks the status of a KACLS.
unwrap POST https://{kacls_url}/unwrap
Returns decrypted DEK.
wrap POST https://{kacls_url}/wrap
Returns encrypted DEK and associated data.


Authorization JWT issued by Google to verify that the caller is authorized to encrypt or decrypt a resource.
Authentication JWT issued by the identity provider that attests user identity.