Skip to main content
We use AES-256-GCM - a symmetric encryption algorithm combining Advanced Encryption Standard with a 256-bit key length and Galois/Counter Mode (GCM).

Setup

Enabling Encryption

1

Enable Encryption

Turn on payload encryption in the Deck Dashboard.
2

Configure Encryption

Choose to encrypt your requests, responses, or both.
3

Find Your Keys

Find your Encryption Key in the API Keys section of the Dashboard.

Configuration Options

You can configure encryption for:
  • Request encryption: Full payload or input field only
  • Response encryption: API responses and webhook payloads

Encryption Modes

Full Payload Encryption

Encrypt the entire request or response payload: 
{
    "encrypted_payload": "base64_encoded_encrypted_data", 
    "encryption_version": "1.0"
}
encrypted_payload: The encrypted Base64-encoded payload

Input Field Encryption

For /jobs/submit requests, encrypt only the input field: 
{
    "job_code": "EnsureConnection",
    "input": "base64_encoded_encrypted_data"
}

Implementation

Sending Encrypted Requests

# Original unencrypted payload:
# {
#   "job_code": "EnsureConnection",
#   "input": {
#     "source_guid": "11115055-46cf-4e49-6ba4-08ddcbf23235",
#     "username": "user123",
#     "password": "password123"
#   }
# }

curl --location 'https://live.deck.co/api/v1/jobs/submit' \
--header 'x-deck-client-id: your_client_id' \
--header 'x-deck-secret: your_secret' \
--header 'Content-Type: application/json+encrypted' \
--data '{
  "encrypted_payload": "il0hAWW83PG7ZwHkeLQzJRn8X01RNdyK8DI86jkZJTLjkYdOTQfhVn/y/dsAU+6D0T0ODgKCcNxoGqUs5Z+cvei3+3J99XP3bOXGzxwL6ZaNpO5f7YotVBHBimqtHpNceEP9s2Kahvk/v1MMf0NQRKA7H4mz2dXyyiU3+mDIMQOPO9dBF2omZTNS1lOOsrfWL1YDDBISIN8i86jb5dzVSXnTfAxclZDWnofLY4DfO2dZ0pNAfRd/a2qkyaf/AEhepmHlURM=",
  "encryption_version": "1.0"
}'

Receiving Encrypted Responses

# Encrypted response:
{
    "encrypted_payload": "rpcnQBAb0k+6ctcXyRgfk06WhCyHTxv+xNMKjCIdiue9U5b97AfM2a+OIJRkpQ2kPqh4WIOQ81nL3wczRUwLa6+9/2gSIqNb42Pr+osmuKkdibkC49ip1GGz2HNH4dq76G4vsPx3Hs728Sc3QQ==",
    "encryption_version": "1.0"
}

# Decrypted content:
{
    "job_guid": "834fb49c-5ebb-4f7c-775b-08ddcbf231fd",
    "job_code": "EnsureConnection"
}

Decryption

Key Requirements

  • Algorithm: AES-256-GCM
  • Key: Use the encryption key provided by Deck in the Dashboard
  • Format: Base64-encoded encrypted data
  • Structure: nonce + ciphertext + tag (combined and base64-encoded)

Decryption Steps

1

Extract the encrypted payload

Get the encrypted_payload field from the API response or webhook
2

Base64 decode

Decode the base64-encoded encrypted payload to get the raw bytes
3

Split the components

  • First 12 bytes: nonce
  • Last 16 bytes: authentication tag
  • Middle: ciphertext
4

Decrypt using AES-256-GCM

Use your encryption key to decrypt the ciphertext with the nonce and tag
5

Parse the JSON

Convert the decrypted bytes to a string and parse as JSON to get the original data