Decode Container Manifest

The Decode Container Manifest endpoint attempts to decrypt and return the original manifest for a secure Locktera container. This includes the list of files and their attributes like content types and sizes.

All decode requests are evaluated against the container’s current access policies (recipients, time window, IP, geo, and download rules). If access is not permitted, the request is denied.

Locktera decrypts data only after policy validation and integrity verification succeed, ensuring that access control is enforced cryptographically at the file level.

Endpoint

GET /users/{user_id}/containers/{container_id}/decode

Base URL:

https://share.locktera.com/api/v1

Full request URL example:

https://share.locktera.com/api/v1/users/USER_ID/containers/CONTAINER_ID/decode/{file_name}

Authentication

All requests must include a valid API key in the Authorization header.

Example request:

curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/decode/FILE_NAME \
  -H "Authorization: Bearer YOUR_API_KEY"

Path Parameters

container_id
Required. The unique identifier of the container to decode.

Example:

123e4567-e89b-12d3-a456-426614174000

Response (Successful Decode)

If access is permitted, the API returns the decoded content. The returned byte stream will return the decrypted, verified contents that were originally encoded. The response content type will match the content type originally encoded.

Response (Access Denied)

If access is not permitted under current container policies, the API returns 403 Forbidden.

HTTP 403 Forbidden

{
  "error": "access_denied",
  "message": "Access is not permitted under current container policies"
}

Denied decode attempts are recorded in audit logs.

Example Error Responses

HTTP 404 Not Found

{
  "error": "not_found",
  "message": "Container not found"
}

HTTP 401 Unauthorized

{
  "error": "unauthorized",
  "message": "Invalid API key"
}

DRM restrictions not satisfied (example):

{
  "error": "access_denied",
  "message": "Access denied: request does not satisfy container DRM rules"
}

Identity and Authorization Responsibility

Locktera enforces access policies cryptographically at the time of decryption, but identity determination is controlled by the customer’s application environment.

Customers are responsible for identifying and authenticating users who request access to encrypted containers.

Common approaches include integrating Locktera with existing identity systems such as:

• OIDC (OpenID Connect) providers
• IAM platforms
• SSO systems
• Application authentication frameworks

Examples include:

• Okta
• Auth0
• Azure Active Directory / Microsoft Entra ID
• AWS IAM
• Google Identity
• Custom identity providers

The customer’s application determines which authenticated user is requesting access, and then submits the decode request to Locktera.

Locktera evaluates the request against container access policies before permitting decryption.

Locktera does not operate as an identity provider or user directory.

What Happens During Decode

When a decode request is made:

  1. The request is authenticated using the API key

  2. Access rules are evaluated (recipient, time, IP, geo, etc.)

  3. Integrity is verified (tamper detection)

  4. If permitted, decrypted content is returned

  5. An audit event is recorded for the attempt (allowed or denied)

Decryption is only performed after access policies and integrity verification succeed.

Important Notes

• Decode is the only way to retrieve original file contents
• Access is enforced every time, using the current DRM policy
• If DRM rules change, future decode requests may be allowed or denied
• All decode attempts are auditable

Container integrity is verified before decryption to ensure contents have not been modified.

Decode Container Content

GET /users/{user_id}/containers/{container_id}/decode/{file_name}

Retrieve DRM Policy

GET /users/{user_id}/containers/{container_id}/drm

Update DRM Policy

PATCH /users/{user_id}/containers/{container_id}/drm

Retrieve Audit Events

GET /users/{user_id}/containers/{container_id}/events