POST /operations
API reference for the generic operations endpoint
The /operations endpoint provides a generic interface for cryptographic operations with full pipeline processing.
Endpoint
POST /api/v1/operations
Request
Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Bearer token with API key |
| Content-Type | Yes | Must be application/json |
| X-Request-Id | No | Client-provided request ID for tracing |
Body
{
"operation": "encrypt",
"payload": { ... }
}
| Field | Type | Required | Description |
|---|---|---|---|
| operation | string | Yes | Operation type (see below) |
| payload | any | Yes | Operation-specific payload |
Supported Operations
| Operation | Description |
|---|---|
| encrypt | Encrypt payload with symmetric or hybrid encryption |
| decrypt | Decrypt an encrypted payload |
| sign | Create a digital signature |
| verify | Verify a digital signature |
| hash | Compute a cryptographic hash |
Example Request
curl -X POST https://api.4quays.com/api/v1/operations \
-H "Authorization: Bearer sk_live_xxxxx" \
-H "Content-Type: application/json" \
-d '{
"operation": "encrypt",
"payload": {
"data": {
"transferId": "txn-12345",
"amount": 5000
},
"algorithm": "AES-256-GCM",
"keyId": "key_abc123"
}
}'
Response
Success (200 OK)
{
"requestId": "req_abc123",
"result": { ... },
"timestamp": "2026-02-09T10:30:00.000Z"
}
Error Response
{
"error": {
"code": "AUTHENTICATION_FAILED",
"message": "Invalid or expired API key"
},
"requestId": "req_abc123"
}
Operation: Encrypt
Encrypt data with a specified algorithm and key.
Request
{
"operation": "encrypt",
"payload": {
"data": { ... },
"algorithm": "AES-256-GCM",
"keyId": "key_abc123"
}
}
| Field | Type | Required | Description |
|---|---|---|---|
| data | any | Yes | Data to encrypt |
| algorithm | string | Yes | Encryption algorithm |
| keyId | string | No | Specific key to use (optional) |
Response
{
"requestId": "req_abc123",
"result": {
"ciphertext": "base64-encoded-ciphertext",
"iv": "base64-encoded-iv",
"tag": "base64-encoded-tag",
"algorithm": "AES-256-GCM",
"keyId": "key_abc123"
},
"timestamp": "2026-02-09T10:30:00.000Z"
}
Operation: Decrypt
Decrypt previously encrypted data.
Request
{
"operation": "decrypt",
"payload": {
"ciphertext": "base64-encoded-ciphertext",
"iv": "base64-encoded-iv",
"tag": "base64-encoded-tag",
"algorithm": "AES-256-GCM",
"keyId": "key_abc123"
}
}
Response
{
"requestId": "req_abc123",
"result": {
"data": { ... }
},
"timestamp": "2026-02-09T10:30:00.000Z"
}
Operation: Sign
Create a digital signature for data.
Request
{
"operation": "sign",
"payload": {
"data": { ... },
"algorithm": "RSA-SHA256",
"keyId": "key_signing_123"
}
}
Response
{
"requestId": "req_abc123",
"result": {
"signature": "base64-encoded-signature",
"algorithm": "RSA-SHA256",
"keyId": "key_signing_123"
},
"timestamp": "2026-02-09T10:30:00.000Z"
}
Operation: Verify
Verify a digital signature.
Request
{
"operation": "verify",
"payload": {
"data": { ... },
"signature": "base64-encoded-signature",
"algorithm": "RSA-SHA256",
"keyId": "key_signing_123"
}
}
Response
{
"requestId": "req_abc123",
"result": {
"valid": true
},
"timestamp": "2026-02-09T10:30:00.000Z"
}
Operation: Hash
Compute a cryptographic hash.
Request
{
"operation": "hash",
"payload": {
"data": { ... },
"algorithm": "SHA-256"
}
}
| Algorithm | Description |
|---|---|
| SHA-256 | SHA-2 256-bit |
| SHA-384 | SHA-2 384-bit |
| SHA-512 | SHA-2 512-bit |
Response
{
"requestId": "req_abc123",
"result": {
"hash": "base64-encoded-hash",
"algorithm": "SHA-256"
},
"timestamp": "2026-02-09T10:30:00.000Z"
}
Processing Pipeline
Every operation goes through:
- Request parsing — Validate JSON structure
- Authentication — Verify API key (bcrypt)
- Key revocation check — Ensure key is not revoked
- Policy enforcement — Check operation is allowed
- Crypto operation — Perform the operation
- Response transformation — Format the response
- Audit logging — Log to crypto_operations_audit
Audit Trail
All operations are logged:
| Field | Description |
|---|---|
| request_id | Unique request identifier |
| application_id | Calling application's service ID |
| operation_type | encrypt, decrypt, sign, verify, hash |
| payload_size_bytes | Size of input payload |
| response_status | HTTP status code |
| response_time_ms | Total processing time |
| error_message | Error details if failed |
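One way to review these audit fields for applications that accumulate failed operations, such as repeated failed decrypt or verify calls. This is an added example, not 4Quays code: the sample rows, the thresholds, the `row` and `flag_applications` helpers, and the choice to treat any `response_status` of 400 or above as a failure are all assumptions, and the rows are assumed to come from one review window already.

```python
from collections import Counter, defaultdict

def row(rid, app, op, status, err=None, size=256, ms=12):
    """Build one constructed audit row with the documented field names."""
    return {"request_id": rid, "application_id": app, "operation_type": op,
            "payload_size_bytes": size, "response_status": status,
            "response_time_ms": ms, "error_message": err}

# Constructed sample data; status codes and error text are illustrative.
SAMPLE_ROWS = [
    row("req_001", "svc-billing", "encrypt", 200),
    row("req_002", "svc-billing", "sign", 200),
    row("req_003", "svc-billing", "decrypt", 400, "decryption failed"),
    row("req_004", "svc-billing", "hash", 200),
    row("req_005", "svc-report", "encrypt", 200),
    row("req_006", "svc-report", "decrypt", 400, "decryption failed"),
    row("req_007", "svc-report", "decrypt", 400, "decryption failed"),
    row("req_008", "svc-report", "decrypt", 400, "decryption failed"),
    row("req_009", "svc-report", "verify", 400, "verification failed"),
]

def flag_applications(rows, min_failures=3, min_failure_ratio=0.5):
    """Return applications whose failed operations meet both thresholds."""
    total = Counter()
    failed_ops = defaultdict(Counter)   # application -> failures per operation
    failed_ids = defaultdict(list)      # application -> request IDs to pull
    for r in rows:
        app = r["application_id"]
        total[app] += 1
        if r["response_status"] >= 400:  # assumption: 4xx/5xx means failure
            failed_ops[app][r["operation_type"]] += 1
            failed_ids[app].append(r["request_id"])
    findings = []
    for app in sorted(total):
        failures = sum(failed_ops[app].values())
        ratio = failures / total[app]
        if failures >= min_failures and ratio >= min_failure_ratio:
            findings.append({"application_id": app, "failures": failures,
                             "failure_ratio": round(ratio, 2),
                             "failed_by_operation": dict(failed_ops[app]),
                             "request_ids": failed_ids[app]})
    return findings
```

The returned `request_ids` are the values to look up when following a finding back to individual calls.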
When to Use /operations vs /protect
| Use Case | Endpoint |
|---|---|
| Policy-driven encryption for external services | /protect |
| Policy-driven decryption from external services | /unprotect |
| Direct crypto operations with specific algorithms | /operations |
| Internal data encryption | /operations |
| Signature creation/verification | /operations |
| Hash computation | /operations |
Best Practices
- Prefer /protect for external integrations — Policies provide abstraction
- Use /operations for internal crypto — Direct control when needed
- Always log request IDs — For debugging
- Handle errors appropriately — Different operations have different failure modes
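A client-side sketch of the last two practices, using only the headers and response envelopes documented on this page. It is an added example, not 4Quays code: the function, class and logger names are hypothetical, the request is built but not sent, and `signature_is_valid` assumes a failed verification can arrive in a success envelope whose `valid` is not `true`.

```python
import json
import logging
import urllib.request
import uuid

API_URL = "https://api.4quays.com/api/v1/operations"
SUPPORTED = {"encrypt", "decrypt", "sign", "verify", "hash"}
log = logging.getLogger("operations_client")  # hypothetical logger name


class OperationError(Exception):
    """Error envelope from the API: code, message and requestId."""
    def __init__(self, code, message, request_id):
        super().__init__(f"{code}: {message} (requestId={request_id})")
        self.code, self.message, self.request_id = code, message, request_id


def build_request(api_key, operation, payload, trace_id=None):
    """Build, without sending, a POST /operations request plus its trace ID."""
    if operation not in SUPPORTED:
        raise ValueError(f"unsupported operation: {operation!r}")
    trace_id = trace_id or str(uuid.uuid4())
    body = json.dumps({"operation": operation, "payload": payload}).encode()
    req = urllib.request.Request(API_URL, data=body, method="POST", headers={
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
        "X-Request-Id": trace_id,
    })
    # Log the operation and trace ID only, never the API key or the payload.
    log.info("POST /operations op=%s x_request_id=%s", operation, trace_id)
    return req, trace_id


def parse_response(raw_body):
    """Return (requestId, result); raise OperationError on an error envelope."""
    doc = json.loads(raw_body)
    request_id = doc.get("requestId")
    if "error" in doc:
        err = doc["error"]
        log.error("failed code=%s requestId=%s", err.get("code"), request_id)
        raise OperationError(err.get("code"), err.get("message"), request_id)
    if "result" not in doc:
        raise ValueError(f"malformed response (requestId={request_id})")
    log.info("ok requestId=%s", request_id)
    return request_id, doc["result"]


def signature_is_valid(result):
    """Fail closed: only a literal JSON true counts as a valid signature."""
    return result.get("valid") is True
```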
Related
- POST /protect — Policy-driven protection
- POST /unprotect — Policy-driven unprotection
- Error Codes — Full error reference