Encryption Key Management

The key management APIs can be used to generate isolated encryption keys for local encryption and decryption operations.

Create a data key

Generate a data key for local encryption based on the provided key context.

The encrypted data key MUST be stored by the application, as it cannot be retrieved after generation.

 import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('sk_example_123456789');

await workos.vault.createDataKey({
  context: { organizationId: 'org_01EHZNVPK3SFK441A1RGBFSHRT' },
});

`vault.createDataKey()`

`Parameters` `object`

`Returns` `object`

Decrypt a data key

Decrypt a data key that was previously encrypted using WorkOS Vault.

 import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('sk_example_123456789');

await workos.vault.decryptDataKey({
  keys: 'V09TLkVLTS52MQBiZjUxY2NlYy03OGI0LTUyMDAtYjM4My0zNTczMGU3MWVmNjEBATEBJDU2OWYyNDdjLTFkY2QtNDQzMC04MjRmLWQ3N2MxZDNhZmU1NgF0NTY5ZjI0N2MtMWRjZC00NDMwLTgyNGYtZDc3YzFkM2FmZTU2pWvKMbiudRtpyjYexZCX/K9ggOEioUw2c0B62kEh+oj68uuAJQWNfPKTC+mapgJPxdnMKniKxzI7a6zmHgXTK7dSOmAzJBDhDgtEiaqyKTM=',
});

`vault.decryptDataKey()`

`Parameters` `object`

`Returns` `object`

Encrypt data

Perform a local encryption option. A data key is generated based on the provided key context and used to encrypt the data. The operation happens locally and neither the plaintext nor encrypted data are sent over the network.

 import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('sk_example_123456789');

await workos.vault.encrypt('keep it secret, keep it safe', {
  organizationId: 'org_01EHZNVPK3SFK441A1RGBFSHRT',
});

`vault.encrypt()`

`Parameters`

`Returns`

Decrypt data

Decrypt data that was previously encrypted with Vault. The data key in the ciphertext is decrypted using the Vault API and used to decrypt the remaining data. The decryption operations happen locally and neither the plaintext nor encrypted data are sent over the network.

 import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS('sk_example_123456789');

await workos.vault.decrypt(
  'J/HGPfUVMxY1GGvViE3MDe31fOU9BuIUja0/ekDOraRaA3v13YRnwLvDWbnSPjWjzgFXT1MuRUtNLnYxAGQ0ZWNkYjkwLTMwZmMtNTYwYS04MGM0LWExYWQ2N2IyYjUzYwEBMQEkMDIxOTlmM2EtMjE4NS00ODg4LTkzNzgtZTA0ODAxOGRkN2M1AXQwMjE5OWYzYS0yMTg1LTQ4ODgtOTM3OC1lMDQ4MDE4ZGQ3YzWdnLz+Zc8ySzyfZYOVKmuz2k3rNFa6MAihjl9+5u6fiXOjmavMBUcSg0wLFDxznK0UToroLyHDaPOnpN8MTlKO8lN1Qz4KSCpQWawThmSIZ2wwwiR1jY3AOo9P/YygzE5v',
);

`vault.decrypt()`

`Parameters`

`Returns`

WidgetContinue to the next section

Up next

Encryption Key Management

Create a data key

vault.createDataKey()

Parameters object

context: object

Returns object

dataKey: object

encryptedKeys: string

context: object

Decrypt a data key

vault.decryptDataKey()

Parameters object

keys: string

Returns object

id: string

key: string

Encrypt data

vault.encrypt()

Parameters

data: string

context: object

associatedData?: string

Returns

encryptedData: string

Decrypt data

vault.decrypt()

Parameters

encryptedData: string

associatedData?: string

Returns

data: string

`vault.createDataKey()`

`Parameters` `object`

`Returns` `object`

`vault.decryptDataKey()`

`Parameters` `object`

`Returns` `object`

`vault.encrypt()`

`Parameters`

`Returns`

`vault.decrypt()`

`Parameters`

`Returns`