Cloud Key Management Service (KMS) API

Name: Cloud Key Management Service (KMS) API API
Brand: Cloud Key Management Service (KMS) API
Availability: InStock

✓ Official Vendor SpecSecuritySecrets Managementoauth234 EndpointsREST

For Agents

Manage Google Cloud encryption keys and perform encrypt, decrypt, sign, verify, and key-rotation operations. Useful for at-rest encryption, signing, and secrets-protection workflows on GCP.

Quickstart

Get started with Cloud Key Management Service (KMS) API in minutes using your preferred integration method.

# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}

# Then ask your agent:
"encrypt data with google cloud kms"

# → Jentic returns the GET /events tool with parameter schema, agent executes.

Capabilities

What an agent can do with Cloud Key Management Service (KMS) API API.

Encrypt and decrypt arbitrary payloads with a symmetric key version

Sign and verify payloads using asymmetric crypto keys

Asymmetrically decrypt ciphertext using a private key version

Rotate, destroy, restore, and disable individual key versions

GET STARTED

Start building with Cloud Key Management Service (KMS) API API

Explore with Jentic

View OpenAPI Document

Use Cases

Patterns agents use Cloud Key Management Service (KMS) API API for, with concrete tasks.

★ Application-Level Envelope Encryption

Backend services use Cloud KMS to encrypt a per-record data encryption key (DEK) under a KMS-managed key encryption key (KEK), then store the wrapped DEK alongside the ciphertext. The encrypt and decrypt endpoints handle the wrap and unwrap; the underlying KEK never leaves Google's HSMs. Setup is small, and the pattern scales to millions of records without exposing key material to the application.

Call POST /v1/{name}:encrypt on the crypto key with the plaintext DEK, store the returned ciphertext, then POST /v1/{name}:decrypt when the DEK is needed

Programmatic Key Rotation

Compliance pipelines rotate encryption keys on a fixed schedule by patching the crypto key to set a new primary version, or by creating a new version and updating dependent services. Cloud KMS retains old versions so previously encrypted data continues to decrypt, and the rotation event is audit-logged for compliance evidence.

Call PATCH on the crypto key resource with primaryVersion set to the new version name, then verify with GET on the crypto key

Asymmetric Signing for JWTs and Code

Services that issue JWTs or sign release artefacts use asymmetricSign with an EC or RSA key version. The private key never leaves Google's HSMs; verifiers download the public key once via getPublicKey and verify offline. This eliminates a class of key-leakage risk and gives a fully audit-logged signing surface.

Call POST /v1/{name}:asymmetricSign on the EC key version with the digest, then publish the public key returned by /v1/{name}/publicKey

AI Agent Crypto Operator via Jentic

An agent invoked by a security engineer searches Jentic for the right Cloud KMS operation, performs an encrypt or sign on behalf of a calling service, and returns the result. Through Jentic, the agent never holds the underlying service account key — Jentic injects a scoped token at execution time so cryptographic operations leave a clear audit trail.

Search Jentic for 'encrypt with google cloud kms', execute against POST /v1/{name}:encrypt with the plaintext, and return the resulting ciphertext

Key Endpoints

34 endpoints — google cloud kms is the managed service for cryptographic keys and operations on google cloud.

METHOD

PATH

DESCRIPTION

POST

/v1/{+name}:encrypt

Encrypt plaintext with a crypto key

POST

/v1/{+name}:decrypt

Decrypt ciphertext with a crypto key

POST

/v1/{+name}:asymmetricSign

Sign a digest with an asymmetric key version

POST

/v1/{+name}:asymmetricDecrypt

Decrypt with an asymmetric private key version

POST

/v1/{+name}:destroy

Schedule a crypto key version for destruction

POST

/v1/{+location}:generateRandomBytes

Generate cryptographically random bytes

GET

/v1/{+name}/publicKey

Retrieve the public key of an asymmetric key version

PATCH

/v1/{+name}

Update a crypto key, including its primary version

POST

/v1/{+name}:encrypt

Encrypt plaintext with a crypto key

POST

/v1/{+name}:decrypt

Decrypt ciphertext with a crypto key

POST

/v1/{+name}:asymmetricSign

Sign a digest with an asymmetric key version

POST

/v1/{+name}:asymmetricDecrypt

Decrypt with an asymmetric private key version

POST

/v1/{+name}:destroy

Schedule a crypto key version for destruction

Why though Jentic?

Three things that make agents converge on Jentic-routed access.

Credential isolation

Google Cloud OAuth 2.0 credentials and service account keys are stored encrypted in the Jentic vault. Agents receive short-lived access tokens scoped to cloudkms — raw service account JSON never enters the agent context, and KMS key material itself never leaves Google's HSMs.

Intent-based discovery

Agents search Jentic by intent (e.g. 'encrypt with google cloud kms' or 'rotate kms key') and Jentic returns the matching operation with its parameter schema, so the agent can call the right endpoint without reading Discovery docs.

Time to first call

Direct Cloud KMS integration: 1-3 days for OAuth, role assignment, and KMS key path handling. Through Jentic: under an hour — search, load schema, execute.

Related APIs

Alternatives and complements available in the Jentic catalogue.

Complementary

Secret Manager API

Stores application secrets that are encrypted at rest using Cloud KMS keys

Use Cloud KMS for direct cryptographic operations; use Secret Manager when you want a managed secret storage layer that uses KMS underneath

Complementary

Identity and Access Management (IAM) API

Grants the cloudkms roles that gate Cloud KMS operations

Use IAM to grant or revoke encrypter/decrypter roles; use Cloud KMS for the cryptographic operations themselves

Complementary

Cloud Asset API

Inventory and IAM analysis surface that can audit who has access to KMS keys

Use Cloud KMS for cryptographic operations; use Cloud Asset to audit the IAM bindings on key rings and crypto keys

FAQs

Specific to using Cloud Key Management Service (KMS) API API through Jentic.

What authentication does the Cloud KMS API use?

The Cloud KMS API uses OAuth 2.0 with the cloudkms or cloud-platform scope. Tokens are issued for a Google service account or end user and the caller must hold the appropriate cloudkms.cryptoKeyEncrypterDecrypter or related role. Through Jentic, the OAuth credential lives in the Jentic vault and the agent receives a short-lived access token only — the underlying credential never enters agent context.

Can I encrypt and decrypt data with this API?

Yes. POST /v1/{name}:encrypt with a base64 plaintext on a symmetric crypto key returns ciphertext; POST /v1/{name}:decrypt reverses it. The same key resource is used for both operations, and Cloud KMS automatically uses the primary version for encryption while still able to decrypt with any prior version.

What are the rate limits for the Cloud KMS API?

Cloud KMS quotas are published per-method in the Google Cloud console under the Cloud KMS API quota page; typical defaults are several thousand cryptographic operations per minute per project, with lower limits on key creation and import-job operations. HSM-protected keys have separate, lower quotas than software keys.

How do I rotate a key through Jentic?

Search Jentic for 'rotate google cloud kms key' and execute the returned operation against PATCH /v1/{name} on the crypto key with primaryVersion set to a new version name. Existing ciphertext continues to decrypt with the old version while new encryptions use the new primary.

Can I generate cryptographically random bytes with Cloud KMS?

Yes. POST /v1/{location}:generateRandomBytes with a length and a protectionLevel (SOFTWARE or HSM) returns a base64-encoded random byte string. This is useful for generating session tokens, salts, or DEKs without trusting client-side RNGs.

Is Cloud KMS free?

Cloud KMS charges per active key version per month plus per cryptographic operation, with HSM-protected keys priced higher than software keys; the full schedule is documented on the Cloud KMS pricing page. EKM and external key material have their own pricing tiers.