Data Decryption
To protect sensitive data in transit, Apaya encrypts certain fields (especially those containing PII) within payloads before delivery to your endpoint. This document explains how to decrypt these fields in your integration.
Encrypted values appear as Base64-encoded strings in place of the original plaintext values e.g.
"cardHolder":"TGlQI08fXllI4+afLJIreISonlK9MqKN4QA26EXxMw=="
Your Encryption Key
Your unique encryption key is provided by Apaya during onboarding. If you have not received your key or need it rotated, please contact your Apaya account manager.
Important: Store your encryption key securely. Never expose it in client-side code, public repositories, or logs.
Decryption sample code
This example uses the built-in System.Security.Cryptography namespace available in .NET Core 3.0+ and .NET 5+.
C# (.NET)
using System;
using System.Security.Cryptography;
using System.Text;
public static class ApayaDecryption
{
public static string Decrypt(string encryptionKey, string encryptedBase64)
{
// Normalise key to 32 bytes using SHA-256 if necessary
byte[] keyBytes = Encoding.UTF8.GetBytes(encryptionKey);
if (keyBytes.Length != 32)
{
using (var sha256 = SHA256.Create())
{
keyBytes = sha256.ComputeHash(keyBytes);
}
}
// Decode the Base64 string
byte[] combinedBytes = Convert.FromBase64String(encryptedBase64);
// Extract components: [Nonce (12)][Ciphertext (variable)][Tag (16)]
byte[] nonce = new byte[12];
byte[] tag = new byte[16];
byte[] ciphertext = new byte[combinedBytes.Length - 28];
Buffer.BlockCopy(combinedBytes, 0, nonce, 0, 12);
Buffer.BlockCopy(combinedBytes, 12, ciphertext, 0, ciphertext.Length);
Buffer.BlockCopy(combinedBytes, combinedBytes.Length - 16, tag, 0, 16);
// Decrypt
byte[] plaintext = new byte[ciphertext.Length];
using (var aesGcm = new AesGcm(keyBytes))
{
aesGcm.Decrypt(nonce, ciphertext, tag, plaintext);
}
return Encoding.UTF8.GetString(plaintext);
}
}
// Usage
string decryptedValue = ApayaDecryption.Decrypt("your-encryption-key", encryptedFieldValue);