How-to

Encrypt a message

Applies to: .NET SDK, Node.js SDK Last updated: 2026-06-11

Goal

Turn a plaintext body into an encrypted wire envelope addressed to a specific recipient identity.

Prerequisites

Code

.NET

using HexaEight.Bridge;

var client = new Client();

string envelope = await client.EncryptEnvelopeAsync(
    recipient: "[email protected]",
    body:      "hello alice");

Console.WriteLine($"Envelope length: {envelope.Length} bytes");
// Send `envelope` over any transport.

Node.js

import { HexaEight } from '@hexaeight/sdk';

const he = await HexaEight.connect();

const envelope = await he.envelope.encrypt({
    recipient: '[email protected]',
    body:      'hello alice',
});

console.log(`Envelope length: ${envelope.length} bytes`);

Optional parameters

ParameterTypePurpose
sessionIdstringIdentifies an ongoing conversation. See sessioned envelopes.
finalRecipientstringFor relay scenarios — the intended end recipient.
kgtlongForce a specific time window. Usually omitted (the SDK picks the current window).

What gets enforced automatically

If automatic enforcement is on (the default), the SDK runs an outbound authorisation check before encrypting. If a rule denies the operation, the SDK throws UnauthorizedAccessException in .NET (or UnauthorizedError in Node.js) and never produces an envelope.

try
{
    string envelope = await client.EncryptEnvelopeAsync("[email protected]", "hi");
}
catch (UnauthorizedAccessException ex)
{
    Console.WriteLine($"Outbound denied: {ex.Message}");
}

Common issues

SymptomCauseFix
Returns empty stringRecipient identity is invalid or the platform rejected the key requestCheck the recipient name spelling; verify your activation is still valid
UnauthorizedAccessExceptionAn outbound deny rule matchedInspect policy.csv; either remove the deny rule or add an allow rule
Decoy ASK markerThe platform refused to issue a key (typically activation/integrity check failure)Re-activate the identity

See also