How-to
Decrypt a message
Goal
Take a wire envelope received from a transport, decrypt it, verify the sender, and obtain the body.
Code
.NET
using HexaEight.Bridge;
using HexaEight.Bridge.Authorization;
var client = new Client();
var msg = await client.DecryptEnvelopeAsync(envelope);
switch (msg.Authorized)
{
case AuthorizationStatus.Allowed:
Console.WriteLine($"From {msg.Sender}: {msg.Body}");
break;
case AuthorizationStatus.Denied:
Console.WriteLine($"Blocked: {msg.DenialReason}");
break;
case AuthorizationStatus.Disabled:
// AutoEnforce is off — body is the real content, no check ran
Console.WriteLine($"From {msg.Sender}: {msg.Body}");
break;
} Node.js
import { HexaEight } from '@hexaeight/sdk';
const he = await HexaEight.connect();
const msg = await he.envelope.decrypt(envelope);
if (msg.authorized === 'Denied') {
console.warn(`Blocked: ${msg.denialReason}`);
} else {
console.log(`From ${msg.sender}: ${msg.body}`);
} What you get back
| Field | Meaning |
|---|---|
Sender | Cryptographically verified sender identity |
Body | The plaintext body — or the redaction marker if denied |
SessionId | Session identifier if the envelope was sessioned |
Authorized | Allowed, Denied, or Disabled |
DenialReason | Populated when Authorized == Denied |
FinalRecipient | Set by the original sender for relay scenarios |
OriginalSender | Set by a relay agent for forwarded messages |
What happens on a denied inbound message
When automatic enforcement is on (the default) and a policy rule denies
the message, the SDK still returns a DecryptedEnvelope. The
difference is:
msg.Bodycontains the literal text"redacted due to authorization enforcement"msg.AuthorizedisDeniedmsg.DenialReasoncontains the matching rule
Your application can detect the denial and react (log, alert, queue for review) without ever seeing the original body.
Common issues
| Symptom | Cause | Fix |
|---|---|---|
FormatException: Envelope missing separator | The envelope was corrupted or truncated in transit | Check your transport — ensure binary-safe encoding |
Decryption returned empty | The KGT in the envelope has expired (typically more than an hour old) | Re-send. For longer-lived envelopes use sessioned mode. |
ASK fetch failed: -3 | This agent is not authorised by the platform to communicate with the sender | Check that both identities are valid and from the same client app |
See also
- Encrypt a message How-to
- Handle a denied message How-to
- Debug a decryption failure How-to
- Messages and envelopes Concept