Method: cryptoKeyVersions.getPublicKey

Full name: projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.getPublicKey

Returns the public key for the given CryptoKeyVersion. The CryptoKey.purpose must be ASYMMETRIC_SIGN or ASYMMETRIC_DECRYPT.

HTTP request

The URLs use gRPC Transcoding syntax.

Path parameters



Required. The name of the CryptoKeyVersion public key to get.

Authorization requires the following IAM permission on the specified resource name:

  • cloudkms.cryptoKeyVersions.viewPublicKey

Request body

The request body must be empty.

Response body

The public key for a given CryptoKeyVersion. Obtained via cryptoKeyVersions.getPublicKey.

If successful, the response body contains data with the following structure:

JSON representation
  "pem": string,
  "algorithm": enum (CryptoKeyVersionAlgorithm),
  "pemCrc32c": string,
  "name": string,
  "protectionLevel": enum (ProtectionLevel)


The public key, encoded in PEM format. For more information, see the RFC 7468 sections for General Considerations and Textual Encoding of Subject Public Key Info.


enum (CryptoKeyVersionAlgorithm)

The Algorithm associated with this key.


string (Int64Value format)

Integrity verification field. A CRC32C checksum of the returned PublicKey.pem. An integrity check of PublicKey.pem can be performed by computing the CRC32C checksum of PublicKey.pem and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

NOTE: This field is in Beta.



The name of the CryptoKeyVersion public key. Provided here for verification.

NOTE: This field is in Beta.


enum (ProtectionLevel)

The ProtectionLevel of the CryptoKeyVersion public key.

Authorization scopes

Requires one of the following OAuth scopes:


For more information, see the Authentication Overview.