Encrypt sensitive data
Encrypt sensitive fields exchanged with the D1 backend using JSON Web Encryption (JWE) (RFC 7516).
Serialize the sensitive fields as JSON before you encrypt.
JWE requirements
Use JWE compact serialization (a single Base64URL-encoded string).
The D1 backend expects the following JWE configuration:
alg: ECDH-ES
enc: A256GCM
kid: key identifier of the recipient public key
EC curve: P-256
Set kid to the identifier of the public key you provisioned for the recipient. The D1 backend uses kid to select the correct key.
Encrypt sensitive data
This section shows an end-to-end example that encrypts card credentials for the D1 backend.
Example payload
Encrypt the following JSON fields:
Field | Description        | M/O | Length
pan   | PAN                | M   | Up to 19
exp   | Expiry date (MMYY) | M   | 4
Recipient EC public key (JWK):
Clear data (JSON to encrypt):
Source code samples:
Decrypt sensitive data
Decrypt the JWE payload in your issuer backend using the matching private key.
Generate a P-256 key pair
Use OpenSSL to generate a P-256 key pair for JWE encryption and decryption.
Generate a private key for your issuer backend. Protect it in your environment.
Generate a public key to provision in the D1 backend.
Keep the private key in your issuer backend to decrypt payloads sent by the D1 backend.
Provide the public key and its kid to the Thales Delivery Team during D1 Onboarding. The D1 backend uses the public key to encrypt sensitive data for your issuer backend.
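The following Go program is an added worked example, not code from the D1 documentation or the Thales project, covering the JWE requirements, the encrypt and decrypt sections, and the key-pair step above in one place using only the standard library. It generates the issuer's P-256 key pair in Go (where the page uses OpenSSL), exports the public key as a JWK carrying a kid, encrypts constructed sample clear data (pan and exp, with a well-known test PAN) as an ECDH-ES/A256GCM compact JWE, and decrypts it by selecting the private key by kid. The kid value issuer-key-1 and the sample clear data are placeholders; the key derivation is the Concat KDF of RFC 7518 §4.6.2 with apu and apv absent.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample clear data; the PAN is a well-known test number, not a real card.
const ClearData = `{"pan":"4111111111111111","exp":"1229"}`

var b64 = base64.RawURLEncoding // unpadded Base64URL, as JOSE requires

// ECJWK is a P-256 public key in JWK form (used for the recipient key and for "epk").
type ECJWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
	Kid string `json:"kid,omitempty"`
}

// Header is the JWE protected header the D1 backend expects.
type Header struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	Kid string `json:"kid"`
	Epk ECJWK  `json:"epk"`
}

// GenerateKeyPair creates the issuer's P-256 key pair (the OpenSSL step, done in Go here).
func GenerateKeyPair() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }

// PublicJWK exports a P-256 public key as the JWK to provision, tagged with its kid.
func PublicJWK(pub *ecdh.PublicKey, kid string) ECJWK {
	raw := pub.Bytes() // uncompressed point: 0x04 || X || Y, 32 bytes each
	return ECJWK{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(raw[1:33]), Y: b64.EncodeToString(raw[33:]), Kid: kid}
}

// ParseJWK rebuilds an ECDH public key from a P-256 JWK and rejects anything else.
func ParseJWK(k ECJWK) (*ecdh.PublicKey, error) {
	x, errX := b64.DecodeString(k.X)
	y, errY := b64.DecodeString(k.Y)
	if k.Kty != "EC" || k.Crv != "P-256" || errX != nil || errY != nil || len(x) != 32 || len(y) != 32 {
		return nil, errors.New("jwk: not a valid P-256 public key")
	}
	return ecdh.P256().NewPublicKey(append(append([]byte{0x04}, x...), y...))
}

// concatKDF is the Concat KDF of RFC 7518 §4.6.2 for alg=ECDH-ES: the CEK is
// SHA-256(counter || Z || AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo),
// with AlgorithmID = len(enc)||enc and apu/apv absent; 256 bits fit in one round.
func concatKDF(z []byte, enc string) []byte {
	lenPrefixed := func(b []byte) []byte { return append(binary.BigEndian.AppendUint32(nil, uint32(len(b))), b...) }
	h := sha256.New()
	h.Write([]byte{0, 0, 0, 1}) // round counter
	h.Write(z)                  // ECDH shared secret (x-coordinate)
	h.Write(lenPrefixed([]byte(enc)))
	h.Write(lenPrefixed(nil)) // PartyUInfo: apu absent
	h.Write(lenPrefixed(nil)) // PartyVInfo: apv absent
	h.Write(binary.BigEndian.AppendUint32(nil, 256)) // SuppPubInfo: keydatalen in bits
	return h.Sum(nil)
}

func gcmFor(cek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(cek) // 32-byte key, cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// Encrypt returns the JWE compact serialization of plaintext for the recipient public
// key identified by kid (ECDH-ES direct key agreement, A256GCM content encryption).
func Encrypt(plaintext []byte, recipient *ecdh.PublicKey, kid string) (string, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader) // fresh ephemeral key per message
	if err != nil {
		return "", err
	}
	z, err := eph.ECDH(recipient)
	if err != nil {
		return "", err
	}
	hdrJSON, _ := json.Marshal(Header{Alg: "ECDH-ES", Enc: "A256GCM", Kid: kid, Epk: PublicJWK(eph.PublicKey(), "")})
	protected := b64.EncodeToString(hdrJSON) // also the AAD (RFC 7516 §5.1)
	g := gcmFor(concatKDF(z, "A256GCM"))
	iv := make([]byte, g.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := g.Seal(nil, iv, plaintext, []byte(protected)) // ciphertext || 16-byte tag
	ct, tag := sealed[:len(sealed)-g.Overhead()], sealed[len(sealed)-g.Overhead():]
	// Compact form: header.encryptedKey.iv.ciphertext.tag; the encrypted key is empty for ECDH-ES.
	return strings.Join([]string{protected, "", b64.EncodeToString(iv), b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// ParseHeader decodes the protected header of a compact JWE.
func ParseHeader(compact string) (Header, error) {
	var h Header
	raw, err := b64.DecodeString(strings.SplitN(compact, ".", 2)[0])
	if err != nil {
		return h, err
	}
	return h, json.Unmarshal(raw, &h)
}

// Decrypt selects the private key by kid, as the backend would, and recovers the plaintext.
func Decrypt(compact string, keys map[string]*ecdh.PrivateKey) ([]byte, error) {
	parts := strings.Split(compact, ".")
	hdr, err := ParseHeader(compact)
	if err != nil || len(parts) != 5 || parts[1] != "" || hdr.Alg != "ECDH-ES" || hdr.Enc != "A256GCM" {
		return nil, errors.New("jwe: not an ECDH-ES/A256GCM compact serialization")
	}
	priv, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("jwe: unknown kid %q", hdr.Kid)
	}
	epk, err := ParseJWK(hdr.Epk)
	if err != nil {
		return nil, err
	}
	z, err := priv.ECDH(epk)
	if err != nil {
		return nil, err
	}
	iv, errIV := b64.DecodeString(parts[2])
	ct, errCT := b64.DecodeString(parts[3])
	tag, errTag := b64.DecodeString(parts[4])
	g := gcmFor(concatKDF(z, hdr.Enc))
	if errIV != nil || errCT != nil || errTag != nil || len(iv) != g.NonceSize() || len(tag) != g.Overhead() {
		return nil, errors.New("jwe: malformed iv, ciphertext or tag segment")
	}
	// Open verifies the tag over ciphertext and protected header (AAD) before returning plaintext.
	return g.Open(nil, iv, append(ct, tag...), []byte(parts[0]))
}

func main() {
	priv, _ := GenerateKeyPair()
	const kid = "issuer-key-1" // placeholder identifier agreed with the Delivery Team
	jwk, _ := json.Marshal(PublicJWK(priv.PublicKey(), kid))
	fmt.Println("provision this JWK:", string(jwk))
	jwe, _ := Encrypt([]byte(ClearData), priv.PublicKey(), kid) // the D1 backend's half
	fmt.Println("JWE:", jwe)
	pt, err := Decrypt(jwe, map[string]*ecdh.PrivateKey{kid: priv}) // the issuer backend's half
	fmt.Println("decrypted:", string(pt), err)
}
```

In production the Encrypt half runs in the D1 backend and the issuer backend only holds the map of private keys; Decrypt refuses a kid it does not know, a malformed segment, or any ciphertext whose tag fails, and the protected header is covered by the tag, so a changed alg, enc, kid or epk is rejected rather than honoured.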