Authorization tokens

Bearer token (JWT: RFC 7516) issued by Google to verify that the caller is authorized to encrypt or decrypt a resource.

To prevent abuse, the KACLS should verify that the caller is authorized to encrypt the object (file or document) before wrapping the key and to decrypt it before unwrapping the DEK.

JSON representation
{ "aud": string, "email": string, "exp": string, "iat": string, "iss": string, "kacls_url": string, "perimeter_id": string, "resource_name": string, "role": string }

Fields
`aud`	`string` The audience, as identified by Google. Should be checked against the local configuration.
`email`	`string (UTF-8)` The user's email address.
`exp`	`string` Expiration time.
`iat`	`string` Issuance time.
`iss`	`string` The token issuer. Should be validated against the trusted set of authentication issuers.
`kacls_url`	`string` The configured base KACLS URL, used to prevent MITM attacks.
`perimeter_id`	`string (UTF-8)` (Optional) A value tied to the document location that can be used to choose which perimeter will be checked when unwrapping. Maximum size: 128 bytes.
`resource_name`	`string (UTF-8)` An identifier for the object encrypted by the DEK. Maximum size: 128 bytes.
`role`	`string` Contains one of the follow values: `reader`: Allowed to call `unwrap` only. `writer`: Allowed to call both `wrap` and `unwrap` `upgrader`: Allowed to call `wrap` only. This is used by Google servers when performing one-way conversion of plain-text objects to encrypted objects.