How-to

Debug a decryption failure

Applies to: .NET SDK Last updated: 2026-06-11

Step 1 — Inspect the envelope

var inspected = Client.InspectEnvelope(envelope);
Console.WriteLine($"Kind:        {inspected.Kind}");
Console.WriteLine($"SourceId:    {inspected.SourceId?.Substring(0, 32)}...");
Console.WriteLine($"Kgt:         {inspected.Kgt}");
Console.WriteLine($"SessionHash: {inspected.SessionHash}");

Step 2 — Match against the symptom

SymptomLikely causeAction
FormatException: missing separatorEnvelope corrupted in transitCheck transport binary safety
ASK fetch failed: -3Platform refused to issue a keyVerify both identities exist and belong to the same client app
Decryption returned emptyKGT window has expired (more than ~1 hour old)Re-send. For longer-lived traffic use sessioned envelopes.
Decoy ASK marker (lowercase 'd')Activation expired or library integrity check failedRe-activate the identity
Sessioned envelope has no cached ASKReceiver did not pin the ASK before the envelope arrivedPin via PinAskForSession first, or use unsessioned variant

Step 3 — Enable detailed logging

Route the SDK's logs at Debug level for full per-call detail (see Read the audit log).

See also