This document assumes you have enabled PII sharing.

Obtaining and Decrypting PII

First, you need to obtain a User Access Token. You should receive an id_token in the response, which is a JWT that you will need to decode. Here's an example written in JavaScript that uses the jsonwebtoken package:

const decodedIdToken = jwt.decode(id_token);

The result is an object with the following structure:

  "iss": "https://global.id/",
  "sub": "...",
  "aud": ["..."],
  "exp": 1234567890,
  "idp.globalid.net/claims/{acrc_id}": {
    "{consent_id}": [...encrypted consent tokens...]

Next, you need to aggregate and decrypt the consent tokens within the ACRC claim(s). The following is another JavaScript example that does just that by using the RSA.decrypt() function from the globalid-crypto-library:

const privateDataTokens = Object.entries(decodedIdToken)
  .filter(([name]) => name.startsWith("idp.globalid.net/claims/"))
  .flatMap(([, consentTokens]) =>
    Object.values(consentTokens).flatMap((tokens) =>
      tokens.map((token) => RSA.decrypt(privateKey, token))

Now pass the decrypted data token(s) to our vault service. You will also need to provide an App Access Token.

const { data: encryptedPii } = await axios.post(
  { private_data_tokens: privateDataTokens },
    headers: {
      Authorization: `Bearer ${access_token}`,

Finally, decrypt the encrypted_data_password with your private key, then decrypt the encrypted_data with the decrypted password. The JavaScript example below uses the RSA.decrypt() and AES.decrypt() functions from the globalid-crypto-library.

const pii = encryptedPii.map((encryptedData) => {
  const password = RSA.decrypt(
  const json = AES.decrypt(encryptedData.encrypted_data, password);
  return JSON.parse(json);

Last updated