Hashtag Helpers
PKC Decrypt
Decrypts data that was encrypted with the pkc_encrypt helper
This hashtag helper decrypts data that was previously encrypted using the pkc_encrypt helper. The decryption is performed based on the service and identifier restrictions that were applied during encryption.
In most cases, you won't need to use this helper directly. The system automatically applies it when encrypting data. This documentation is provided for completeness and to help understand how the encryption/decryption process works.
Uses
- Decrypt sensitive data that was encrypted with
pkc_encrypt - Access encrypted information within the appropriate service context
- Retrieve sensitive information only when the correct identifier is being used
Usage
Helper name: pkc_decrypt
Arguments
Parameters
eg.
~~#pkc_decrypt#encrypted_data
or
~~#pkc_decrypt 'service_name'#encrypted_data
or
~~#pkc_decrypt 'service_name' 'identifier'#encrypted_data
How It Works
When data is encrypted using pkc_encrypt, the system automatically generates a pkc_decrypt helper with the appropriate service and identifier restrictions. This encrypted data is typically stored in a task result or other location.
When you reference this encrypted data in a substitution, the system will:
- Check if the current service matches the service restriction (if any)
- Check if the current identifier matches the identifier restriction (if any)
- Decrypt the data only if all restrictions are satisfied
Examples
Basic Usage
In most cases, you'll simply reference the encrypted data using a standard substitution path:
In this example, if stubpost.tasks.my_task.payload.secret_pin contains encrypted data, the system will automatically attempt to decrypt it based on the service and identifier restrictions.
Understanding the Encrypted Format
When data is encrypted with pkc_encrypt, it's transformed into a format like this:
This includes:
- A
targethelper to ensure the decryption is only attempted by the appropriate service - A
pkc_decrypthelper with service and identifier restrictions - The actual encrypted data
Decryption Scenarios
Unrestricted Decryption
If data was encrypted without service or identifier restrictions, any service can decrypt it:
Service-Restricted Decryption
If data was encrypted for a specific service, only that service can decrypt it:
Service and Identifier-Restricted Decryption
If data was encrypted for a specific service and identifier, only that service using that identifier can decrypt it:
Special Identifier Syntax
When using the pkc_encrypt helper with an identifier, the system will often use the special ~~__identifier syntax in the resulting encrypted data. This is a placeholder that gets replaced with the actual identifier at runtime.
For example, in WhatsApp, ~~__identifier will be replaced with the phone number being used for the message.
Practical Example
Here's a complete workflow example:
- Encrypt data in an API Call task:
- The API Call result contains the encrypted data:
- Use the encrypted data in a WhatsApp message:
- The WhatsApp service will decrypt the data only when sending to the specified phone number:
If the WhatsApp service tries to send the message to any phone number other than 27713334444, the decryption will fail, and the message will not contain the sensitive data.
For most use cases, you don't need to manually use the pkc_decrypt helper. Simply reference the encrypted data using standard substitution, and the system will handle the decryption automatically if the service and identifier restrictions are satisfied.