Transport is already protected by HTTPS/TLS. JWE adds an application layer of protection so the payload stays encrypted end-to-end (for example, through logs, proxies, or intermediaries) until it reaches AutoSend.
How it works
Fetch the public key
Get AutoSend’s public key from the JWKS endpoint and cache it. The recommended (active) key is always listed first.
Encrypt your payload
Encrypt the complete JSON body into a JWE compact string using RSA-OAEP-256 for key management and A256GCM for content encryption.
Encryption standard
| Field | Value |
|---|---|
| Key management (alg) | RSA-OAEP-256 |
| Content encryption (enc) | A256GCM |
| Serialization | JWE Compact |
| Key size | RSA 2048-bit |
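The steps and parameters above as an added example (not AutoSend's own code, and not the jose-based example this page refers to): it builds the JWE compact string with Node's built-in crypto so each of the five parts is visible, then decrypts it locally to confirm the round trip. The function names, the `demo-key-1` kid and the locally generated key pair are assumptions made for the demonstration.

```javascript
const crypto = require("node:crypto");

const b64u = (buf) => Buffer.from(buf).toString("base64url");
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Pick the first (recommended) key from a JWKS and encrypt the whole JSON body.
function encryptForJwks(jwks, payload) {
  const jwk = jwks.keys[0];
  if (!jwk || jwk.kty !== "RSA") throw new Error("first JWKS key is not RSA");
  const publicKey = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: "jwk" });
  // Part 1: protected header; its base64url form is also the AES-GCM AAD.
  const header = b64u(JSON.stringify({ alg: "RSA-OAEP-256", enc: "A256GCM", kid: jwk.kid }));
  // Part 2: random 256-bit content key, wrapped with RSA-OAEP (SHA-256).
  const cek = crypto.randomBytes(32);
  const wrapped = crypto.publicEncrypt({ key: publicKey, ...OAEP }, cek);
  // Parts 3-5: 96-bit IV, ciphertext, 128-bit authentication tag.
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", cek, iv);
  cipher.setAAD(Buffer.from(header, "ascii"));
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
  const jwe = [header, b64u(wrapped), b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join(".");
  return { kid: jwk.kid, body: { encryptedData: jwe } };
}

// Receiver side, for the local round trip only: accepts just the expected alg/enc.
function decryptCompact(jwe, privateKey) {
  const parts = jwe.split(".");
  if (parts.length !== 5) throw new Error("malformed JWE");
  const [header, wrapped, iv, ct, tag] = parts;
  const { alg, enc } = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
  if (alg !== "RSA-OAEP-256" || enc !== "A256GCM") throw new Error("unexpected alg/enc");
  const cek = crypto.privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(wrapped, "base64url"));
  const d = crypto.createDecipheriv("aes-256-gcm", cek, Buffer.from(iv, "base64url"));
  d.setAAD(Buffer.from(header, "ascii"));
  d.setAuthTag(Buffer.from(tag, "base64url"));
  const plain = Buffer.concat([d.update(Buffer.from(ct, "base64url")), d.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Constructed 2048-bit test key pair standing in for the JWKS; not AutoSend's real key.
function demoKeys() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const jwk = { ...publicKey.export({ format: "jwk" }), kid: "demo-key-1" };
  return { jwks: { keys: [jwk] }, privateKey };
}
```

The returned `body` is the request body; the encryption headers are not named in this text, so the example stops short of the HTTP call.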
Public key endpoint (JWKS)
Fetch AutoSend’s public key from the JWKS endpoint:
Node.js example
This example fetches the public key, encrypts a contact payload, and calls the contacts API. It uses the jose library.
Any language with a JWE library works. Equivalent libraries exist for Python (jwcrypto / python-jose), Go, Java, Ruby, and more. Always use alg = RSA-OAEP-256 and enc = A256GCM.
Request format
Send the JWE as encryptedData, with the encryption headers:
Set to jwe for encrypted requests. Omit (or use none) for plaintext.
The kid of the public key you encrypted with. If omitted, AutoSend reads the kid from the JWE protected header.
The JWE compact string containing your complete JSON payload.
Works with any public endpoint
The encrypted request format is the same for every /v1 endpoint. Just put the JWE inside { "encryptedData": "…" } and add the headers. For example, to send an email:
Error handling
If the encrypted payload is malformed, the key id is unknown, or decryption fails, the API responds with HTTP 400:
Malformed JWE
The encryptedData value is not a valid JWE compact string. Re-encrypt the payload with the public key from the JWKS endpoint.
Unknown or missing key id
The kid doesn’t match any active AutoSend key. Refresh the JWKS and use the kid from the returned key.
Decryption failure
The payload was encrypted with the wrong key or a different algorithm. Use RSA-OAEP-256 + A256GCM and AutoSend’s current public key.
FAQ
Is encryption required?
No. It’s optional and per request. Endpoints accept plaintext bodies exactly as before. Only requests with the jwe header or an encryptedData field are decrypted.
How often should I fetch the public key?
Cache it and refresh periodically (for example, daily or weekly). AutoSend supports key rotation, so always encrypt with the kid from the latest JWKS.
Which languages are supported?
Any language with a JWE library. The example uses Node.js with jose; equivalent libraries exist for Python (jwcrypto / python-jose), Go, Java, Ruby, and more. Use alg = RSA-OAEP-256 and enc = A256GCM.
Do I still need HTTPS?
Yes. JWE complements transport security; it does not replace it. Always call AutoSend over HTTPS and add JWE on top when you need application-layer encryption.