Skip to main content

Encryption with the API

About encryption#

By default, anything you store on Request can be read by anyone. That might be what you are looking for, or not!

To give you control over this, the Request Protocol supports end-to-end encryption. It means that no one outside of a request stakeholder (usually, its payer and payee) can read its information.

Request Portal API, however, do not offer end-to-end encryption, but does allow you to remove public access. What it means is that your request would be stored encrypted on the Network (Ethereum + IPFS) but we, at Request, could have access to the request data.


Although we technically have access to your request data, we will never use or share this data. We are planning to withdraw our own access to any encrypted data to provide end-to-end encryption with the API, while keeping the best possible experience for our builders.

If end-to-end encryption is paramount for your usage, we recommend you use the Request Client instead of the Portal API.

Handle encrypted requests#

Create an encrypted request#

Creating an encrypted request with the API is very easy. You simply have to add encrypted: true to the payload.

const apiKey = 'YOUR_API_KEY';
currency: 'EUR',
expectedAmount: '1000',
payment: {
type: 'declarative',
value: {},
payer: {
type: 'email',
value: '',
encrypted: true,
headers: {
Authorization: apiKey,

Specify the stakeholders#

By default, you, as payee and creator of a request, will always be granted with Read access to the request.

If you specify a Payer that is also using Request Portal API, they will be given access to the request as well.

For other cases (Payer not using the API, third party access), you can specify as many public keys as you want to the stakeholders field. To know more about the public key format, please refer to this page.

Request decryption#

Reading encrypted requests is the same as non-encrypted ones, the API handles the decryption for you! This applies only if the request was created through the API; if it was created outside of the API, an encrypted request will not be found on the API.