Wrapped data

Invoke the unwrap operation

Unwrap data either wrapped by the wrap endpoint, or returned by some other endpoint when a wrapped response is requested.

Note that the id should not be used as an authentication token, since it can only be read once. The unwrap operation is unprivileged: no authentication is necessary.

Request
Request Body schema:
id
required
string

Id to unwrap.

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/strongbox/unwrap
Request samples
id: b07516fc-c75f-4078-875e-fe3d42ad1524
Response samples
data: VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZw==

Invoke the wrap operation

This endpoint is used to store any string inside a read-once token. To wrap complex data it is recommended to base64 encode it first, then wrap the base64 string.

The resulting token can be unwrapped exactly once. The token always has a ttl; if none is given explicitly when wrapping, the system default is used.

It is possible to limit unwrapping to clients with certain IP addresses using the bound-cidrs argument.

The object will be removed when the parent token is revoked, unless the orphan leaf is set to true.

Security: accessToken
Request
Request Body schema:
data
required
string <plaintext>

Data to wrap. For data that isn't of the string type it is recommended to base64 encode the data first.

ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s], where m is minutes.

Examples: 1y2d5h, 5h or 10m30s

The data will be available for unwrap for the configured duration and remain in the system for at least that duration.

orphan
boolean
Default: false

The token will be removed when the token that created it expires or is revoked, unless this field is set to true.

bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.

The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representation implies the IP version.

This field can be used to limit the IP addresses that are allowed to unwrap the token.
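The following is an added example, not the strongbox implementation or any code from this API's project. It models, in memory, the wrap parameters described above and the behaviour the page states for them: a parser for the ttl format, read-once unwrap, lazy expiry, bound-cidrs enforcement, and removal of non-orphan objects when the creating token is revoked. The class and method names, the exception types standing in for the HTTP status codes, the DEFAULT_TTL value and the choice to leave a token intact when a caller outside bound-cidrs is refused are all assumptions.

```python
import ipaddress
import re
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative in-memory model of the wrap/unwrap semantics this page describes.
# Added example, not the strongbox implementation: names, the exception types
# mapped to HTTP statuses, and DEFAULT_TTL are assumptions.
DEFAULT_TTL = "1h"  # the page says a system default exists but not its value

_DURATION_RE = re.compile(r"(?:(\d+)y)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_duration(text: str) -> timedelta:
    """Parse [<digits>y][<digits>d][<digits>h][<digits>m][<digits>s] into a timedelta.

    'm' is minutes, as in the page's example 10m30s. A year is counted as
    365 days (assumption; the page does not define it).
    """
    m = _DURATION_RE.fullmatch(text)
    if not text or m is None:
        raise ValueError(f"invalid duration: {text!r}")
    y, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=365 * y + d, hours=h, minutes=mi, seconds=s)


@dataclass
class _Entry:
    data: str
    expires: datetime
    orphan: bool
    bound_cidrs: list   # ipaddress networks; empty means unrestricted
    parent_token: str   # access token that wrapped it, used for revocation


class FakeClock:
    """Manually advanced clock so ttl expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = datetime(2021, 3, 5, 12, 27, 2, 50389, tzinfo=timezone.utc)

    def advance(self, seconds: float) -> None:
        self.now += timedelta(seconds=seconds)

    def __call__(self) -> datetime:
        return self.now


class Strongbox:
    """Read-once token store: wrap requires an access token, unwrap does not."""

    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._store = {}

    def wrap(self, access_token: str, data: str, ttl: str = "",
             orphan: bool = False, bound_cidrs=()) -> dict:
        if not access_token:
            raise PermissionError("wrap requires an access token")  # 401
        # A malformed CIDR raises ValueError here (400) before anything is stored.
        nets = [ipaddress.ip_network(c, strict=False) for c in bound_cidrs]
        ttl = ttl or DEFAULT_TTL
        now = self._clock()
        wid = str(uuid.uuid4())
        self._store[wid] = _Entry(data, now + parse_duration(ttl), orphan, nets, access_token)
        return {"id": wid, "ttl": ttl,
                "creation-time": now.isoformat(timespec="microseconds").replace("+00:00", "Z")}

    def unwrap(self, wid: str, client_ip: str) -> dict:
        entry = self._store.get(wid)
        if entry is None or entry.expires <= self._clock():
            self._store.pop(wid, None)  # expired entries are dropped lazily
            raise LookupError("unknown, expired or already unwrapped id")  # 404
        ip = ipaddress.ip_address(client_ip)
        if entry.bound_cidrs and not any(ip in net for net in entry.bound_cidrs):
            # Assumption: a caller outside bound-cidrs is refused without consuming
            # the token, so the intended client can still read it.
            raise PermissionError("client address not within bound-cidrs")  # 403
        del self._store[wid]  # read-once: the id is useless after this response
        return {"data": entry.data}

    def revoke_token(self, access_token: str) -> int:
        """Drop every non-orphan wrapped object created by this token."""
        doomed = [k for k, e in self._store.items()
                  if e.parent_token == access_token and not e.orphan]
        for k in doomed:
            del self._store[k]
        return len(doomed)
```

The injectable clock is what makes the ttl rules checkable: wrap with a short ttl, advance the clock past it, and the id behaves exactly like one that was never issued. Keeping a CIDR-refused token in the store is the conservative reading of "limit the IP addresses that are allowed to unwrap": a probe from the wrong network should not be able to burn the one read the intended client is waiting for.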

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/strongbox/wrap
Request samples
data: VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZw==
ttl: 4h30m40s
orphan: false
bound-cidrs:
  - 127.0.0.1/24
Response samples
id: b07516fc-c75f-4078-875e-fe3d42ad1524
ttl: 4h30m40s
creation-time: 2021-03-05T12:27:02.050389Z
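An added client example for the two endpoints, not an SDK from the project behind this API. It base64-encodes the payload before wrapping, as the wrap description recommends, sends the access token only on the wrap call, and decodes the unwrap response. The base URL is a placeholder, and it is assumed that the API exchanges JSON bodies and that the accessToken security scheme is carried as a bearer Authorization header; the page does not say so.

```python
import base64
import json
import urllib.request

# Added client example, not the project's SDK. Assumptions: JSON request and
# response bodies, a bearer Authorization header for the accessToken scheme,
# and the placeholder base URL below.
STRONGBOX_URL = "https://strongbox.example.invalid"  # placeholder


def wrap_request_body(payload: bytes, ttl: str = "", orphan: bool = False,
                      bound_cidrs=()) -> dict:
    """Build the body for post /v1/state/strongbox/wrap.

    Bytes or structured data are base64-encoded first so 'data' is always a
    plain string; optional fields are sent only when set.
    """
    body = {"data": base64.b64encode(payload).decode("ascii")}
    if ttl:
        body["ttl"] = ttl
    if orphan:
        body["orphan"] = True
    if bound_cidrs:
        body["bound-cidrs"] = list(bound_cidrs)
    return body


def decode_unwrap_response(response: dict) -> bytes:
    """Reverse the base64 step applied before wrapping; reject non-base64 data."""
    return base64.b64decode(response["data"], validate=True)


def _post(path: str, body: dict, access_token: str = "") -> dict:
    req = urllib.request.Request(
        STRONGBOX_URL + path,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    if access_token:
        req.add_header("Authorization", f"Bearer {access_token}")  # assumption
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def wrap(payload: bytes, access_token: str, **opts) -> dict:
    """Privileged: returns the id, ttl and creation-time as in the response sample."""
    return _post("/v1/state/strongbox/wrap", wrap_request_body(payload, **opts), access_token)


def unwrap(wrapped_id: str) -> bytes:
    """Unprivileged and read-once: the id is consumed by this call, so it is
    handed to exactly one recipient and never reused as a credential."""
    return decode_unwrap_response(_post("/v1/state/strongbox/unwrap", {"id": wrapped_id}))


if __name__ == "__main__":
    # Constructed sample matching the page's request sample; needs a live server.
    created = wrap(b"The quick brown fox jumps over the lazy dog", "ACCESS_TOKEN_PLACEHOLDER",
                   ttl="4h30m40s", bound_cidrs=["127.0.0.1/24"])
    print(created["id"], created["ttl"], created["creation-time"])
    print(unwrap(created["id"]))
```

A 404 from unwrap is the expected answer for an id that has already been read, has expired, or never existed; a client that retries it will never get the data back, so treat the first successful unwrap as the only one.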