Decrypt Signed Payload

Decrypts an AES-encrypted payload produced by the Build Signed Payload task and optionally verifies its RSA signature.

Purpose

Use this task to receive and validate a signed or encrypted data bundle that was created by the Build Signed Payload task. It handles both the standard encryption format (PBKDF2 key derivation with a random IV) and the legacy format (zero IV, direct key bytes), detecting which format was used automatically. When signature verification is enabled, the task confirms that the payload has not been tampered with since it was signed, making it suitable for secure cross-system data exchange and audit trail validation.

Inputs

Field	Type	Required	Description
Encrypted Payload	Multi-line Text	Yes	The encrypted payload to decrypt. Accepts raw encrypted text or the JSON envelope produced by Build Signed Payload when Return Mode is set to json.
Decryption Key (AES)	Text	Yes	AES key used during encryption. Must match the key that was used when the payload was created.
Verify Signature	Checkbox	No	When checked, the RSA signature embedded in the payload is verified using the provided public key.
Verification Key (RSA Public Key)	Multi-line Text	No	RSA public key in PEM format. Required when Verify Signature is enabled.
Return Mode	Dropdown	No	Output format for the decrypted content: string (plain text), base64 (base64-encoded), or json (parsed object with metadata). Defaults to json.

Visibility Rules

Verification Key (RSA Public Key) is only shown when Verify Signature is checked.

Outputs

Name	Description
decryptedPayload	The decrypted content formatted according to Return Mode. In json mode this is a structured object containing the payload, hash, signature verification status, and timestamp.
hash	SHA-256 hex digest of the decrypted payload for integrity checking.
signatureValid	Boolean indicating whether the RSA signature was valid. Only present when Verify Signature is enabled.