The Decrypt Data action adds an extra layer of security and enables you to decrypt data in Architect flows by using your own encryption key. Use this action to decrypt PCI data after you call a data action to a back-end system.

This action uses the AWS Encryption SDK, which interacts with KMS. The SDK extracts the encrypted data key from the encryption result buffer, decrypts it, and then uses it to decrypt the data. Before you begin, make sure that you configure an AWS KMS symmetric key within Genesys Cloud. For more information, see Use an AWS KMS symmetric key for conversations.

  • This action fully supports single-region KMS keys and partially supports multi-region KMS keys. For multi-region keys, however, the region in which the data is decrypted must be the same region in which that data is encrypted.
  • The encryption service keeps key configuration for approximately 31 days. For up to 31 days, you can decrypt data with a previously used key instead of the current key. However, the key must still exist in KMS and the currently configured key must reside in the same account.
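
A pre-rotation check that encodes the two conditions above, added here as an example; it is not Genesys or AWS code. The function and parameter names, the sample ARNs, and the hard 31-day cutoff are assumptions (the page says "approximately").

```python
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

RETENTION = timedelta(days=31)  # assumption: hard cutoff; the page says "approximately"

# Constructed sample ARNs (not real keys).
OLD_KEY = "arn:aws:kms:us-east-1:111122223333:key/1111aaaa-0000-4000-8000-000000000001"
NEW_KEY = "arn:aws:kms:us-east-1:111122223333:key/2222bbbb-0000-4000-8000-000000000002"
MRK_KEY = "arn:aws:kms:us-east-1:111122223333:key/mrk-3333cccc000040008000000000000003"

class KmsKey(NamedTuple):
    region: str
    account: str
    key_id: str

def parse_key_arn(arn: str) -> KmsKey:
    """Split arn:<partition>:kms:<region>:<account>:key/<key-id>."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms" \
            or not parts[5].startswith("key/"):
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return KmsKey(parts[3], parts[4], parts[5][len("key/"):])

def decrypt_blocker(encrypt_arn: str, current_arn: str, decrypt_region: str,
                    replaced_at: Optional[datetime], key_exists: bool,
                    now: datetime) -> Optional[str]:
    """Return the condition that blocks decryption, or None if all hold."""
    used, current = parse_key_arn(encrypt_arn), parse_key_arn(current_arn)
    if not key_exists:
        return "key no longer exists in KMS"
    # AWS multi-Region key IDs start with "mrk-".
    if used.key_id.startswith("mrk-") and used.region != decrypt_region:
        return "multi-region key used outside the region that encrypted the data"
    if used == current:
        return None  # still the configured key; no retention window applies
    if used.account != current.account:
        return "currently configured key is in a different account"
    if replaced_at is None or now - replaced_at > RETENTION:
        return "previous key is past the 31-day retention window"
    return None
```

Run it against the key inventory before replacing or deleting a key to see which stored ciphertexts would stop decrypting.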

This action is available in the Customer Secured Data menu in the task editor Toolbox. Use this action in all flow types, excluding bot flows.

Action Description and use


Type a meaningful name for the action. The label you enter here becomes the action’s name displayed in the task sequence.

Data to Decrypt

The encrypted string value to decrypt back to a JSON value. To enter the encrypted string value, perform one of these steps:

  • Enter the string value in the Enter expression box.
  • Click the Expression Modes button, click Expression, and enter an expression to represent the data to decrypt.
  • Click the Expression Modes button, click Expression, click Large expression editor, and in the Edit ‘Data to Encrypt’ expression editor, enter the value to decrypt.

Architect generates encrypted string values from the Encrypt Data action. If you supply a NOT_SET string value or a blank String value to the action at runtime, execution takes the Failure output with an error reason string value of NoDataSupplied.

Decrypted Data

Enter a variable name to hold the decrypted JSON value from the supplied encrypted string value.

Failure Outputs

Failure outputs include these fields:

  • errorType: A nonempty String that contains the type or category of the error. The allowable values are:
    • CustomerKeyNotConfigured
    • CustomerKeyNotFound
    • GeneralError
    • MaximumDataSizeExceeded
    • NoDataSupplied
  • errorMessage: A non-localized error message. The String may be empty or NOT_SET.

Define success, failure, and output paths

Name Description

Success

This path indicates that the action successfully communicated with its external endpoint and received a result. Drag the appropriate action below the Success path that follows the route you want the interaction to take.

Note: A completed Success path indicates that no errors were encountered during the process. It is not a measure of whether the data received is the intended result or functionality.


Failure

This path indicates that an error occurred while running the action or a problem occurred while processing the results from a data action. Drag the appropriate action below the Failure path and direct the route you want the interaction to take.

Note: If the network experiences connectivity issues, the action automatically takes this failure path.