How-to

Decrypt a message

Applies to: .NET SDK, Node.js SDK Last updated: 2026-06-11

Goal

Take a wire envelope received from a transport, decrypt it, verify the sender, and obtain the body.

Code

.NET

using HexaEight.Bridge;
using HexaEight.Bridge.Authorization;

var client = new Client();
var msg = await client.DecryptEnvelopeAsync(envelope);

switch (msg.Authorized)
{
    case AuthorizationStatus.Allowed:
        Console.WriteLine($"From {msg.Sender}: {msg.Body}");
        break;
    case AuthorizationStatus.Denied:
        Console.WriteLine($"Blocked: {msg.DenialReason}");
        break;
    case AuthorizationStatus.Disabled:
        // AutoEnforce is off — body is the real content, no check ran
        Console.WriteLine($"From {msg.Sender}: {msg.Body}");
        break;
}

Node.js

import { HexaEight } from '@hexaeight/sdk';

const he = await HexaEight.connect();
const msg = await he.envelope.decrypt(envelope);

if (msg.authorized === 'Denied') {
    console.warn(`Blocked: ${msg.denialReason}`);
} else {
    console.log(`From ${msg.sender}: ${msg.body}`);
}

What you get back

FieldMeaning
SenderCryptographically verified sender identity
BodyThe plaintext body — or the redaction marker if denied
SessionIdSession identifier if the envelope was sessioned
AuthorizedAllowed, Denied, or Disabled
DenialReasonPopulated when Authorized == Denied
FinalRecipientSet by the original sender for relay scenarios
OriginalSenderSet by a relay agent for forwarded messages

What happens on a denied inbound message

When automatic enforcement is on (the default) and a policy rule denies the message, the SDK still returns a DecryptedEnvelope. The difference is:

Your application can detect the denial and react (log, alert, queue for review) without ever seeing the original body.

Common issues

SymptomCauseFix
FormatException: Envelope missing separatorThe envelope was corrupted or truncated in transitCheck your transport — ensure binary-safe encoding
Decryption returned emptyThe KGT in the envelope has expired (typically more than an hour old)Re-send. For longer-lived envelopes use sessioned mode.
ASK fetch failed: -3This agent is not authorised by the platform to communicate with the senderCheck that both identities are valid and from the same client app

See also