Java SDK

You can use our Java SDK to:

  • Encrypt data server-side
  • Decrypt data server-side
  • Invoke Functions
  • Proxy requests through Relay

Encrypting/Decrypting data with our backend SDKs instead of Relay may expose you to greater compliance burden because because your server handles plaintext data.

Instead you can:

  • Use a Relay to encrypt data before it reaches your server.
  • Use our client-side SDKs to encrypt data before sending it to your server.


Install SDK

First, let's install the Evervault SDK using either gradle or maven.

Initialize SDK

Now, let's initialize the SDK using our App's ID and API key. If you don't have one yet, you can get one by creating an App in the Evervault Dashboard.

Evervault CA

To allow automatic outbound interception with Relay, the Evervault Root CA certificate must be added to the JVM keystore.

This step is optional, and is only required if you plan on using Relay as a HTTP CONNECT proxy in Java. If you are not using Relay (or plan on using a Relay URL to proxy requests) this step can be skipped.

Encrypt a string

Now that the SDK is initialized, we can encrypt a string.

Decrypt data

decrypt() will decrypt data previously encrypted with the encrypt() function or through Relay. It will also deserialise the data into an object of a specified type.



The SDK constructor accepts the following parameters:

  • Your App's ID
  • Your App's API key



Your Evervault App's ID.


An API key for your Evervault App.


Encrypts data using Evervault Encryption. Evervault Strings can be used across all of our Primitives.

To encrypt data using the Java SDK, simply pass a value into the evervault.encrypt() function. encrypt() will encrypt your data and return an object which is a String in case you passed a literal type like boolStringintfloatcharbyte.

The encrypted data can be stored in your database as normal and can be used with any of Evervault’s other services.

dataRequiredString | Map | int | float | char | bool | byte

The data to encrypt.


Decrypts data previously encrypted using the encrypt() function or through Relay (Evervault's encryption proxy).

An API key with the decrypt permission must be used to perform this operation.


The data to decrypt.


The value type of the data to deserialize into.

Decrypting data with our backend SDKs is not available if you are part of the PCI or HIPAA compliance use cases

Instead you can:

  • Use Relay to decrypt data before it reaches third-party services.
  • Use Functions or Enclaves to process encrypted data.

evervault.createClientSideDecryptToken(payload, expiry)

Client Side Decrypt Tokens are versatile and short-lived tokens that frontend applications can utilise to decrypt data previously encrypted through Evervault. Client Side Decrypt Tokens are restricted to specific payloads.

By default, a Client Side Decrypt Token will live for 5 minutes into the future. The maximum time to live of the token is 10 minutes into the future.


The payload containing encrypted data that the token will be used to decrypt.


The time the token will expire. Defaults to 5 minutes in the future., payload, responseType)

Lets you invoke an Evervault Function with a given payload.


Name of the function the run token is for.


Payload for the function.


The type into which the function's result will be serialized.


The request timeout defines the maximum duration the SDK will wait before aborting the function run if it has not completed.


The function result will be deserialized into an instance of responseType and will be returned.

evervault.createRunToken(functionName, data)

Creates a single use, time bound token (5 minutes) for invoking an Evervault Function with a given payload.

Run Tokens can be used to invoke an Evervault Function client-side without providing a sensitive API Key.


Name of the function the run token is for.


Payload that the token can be used with. If not provided, a run token will be created, and the payload will not be validated when the function is executed.


An instance of the class RunToken is returned. The token is available under the token property.

Run Tokens can then be used to authenticate Function runs from the client-side.