Availability
- Payload encryption is currently in its beta release and is available on-demand for users on paid plans. To enable this feature, please contact our support team.
- Only the super admin and admins can configure payload encryption.
1. Overview
Zoho Creator uses TLS encryption to secure data in transit between the browser and the Creator servers. To provide an additional layer of protection, we also support Payload Encryption, which encrypts the request payload beyond the standard TLS layer.
This ensures that even if the data is accessed during transit, it remains unreadable and secure.
Data is referred to as the payload because it represents the actual content being transmitted between systems. Payload encryption is the process of encoding data (the payload) to protect its confidentiality and integrity during transmission, whether within your application or between your application and external services. It works by programmatically converting the data payload into an encrypted, unreadable format before transmission. The data therefore stays encrypted end to end during transit, which prevents unauthorized access or misuse.
1.1. Navigation guide
Go to the Governance module under the Manage section in the left-side pane of your dashboard. In the Encryption tab, click Configure next to Payload Encryption. You'll be redirected to the Payload Encryption section within Zoho Directory, where all further activities will take place.
1.2. Prerequisites
1.3. Why is Payload Encryption Important?
Implementing payload encryption is a critical security measure for enterprises handling sensitive data.
- Data Confidentiality: This prevents unauthorized parties, such as attackers intercepting network traffic, from accessing sensitive data including PII (Personally Identifiable Information), ePHI (Electronic Protected Health Information), passwords, or financial details.
- Data Integrity: Encryption helps ensure that the data has not been tampered with or altered during transit. Any modification to the encrypted data will result in a decryption failure.
- Regulatory Compliance: Many data protection regulations, like GDPR, HIPAA, CCPA, and DPDP, mandate the encryption of personal and sensitive data to protect user privacy.
1.4. Who is this feature for?
Payload encryption is designed for organizations that require an additional layer of security beyond standard encryption protocols. This feature is particularly valuable for enterprises operating in high-trust environments, such as finance, healthcare, legal, or government sectors, where sensitive data demands maximum protection.
This feature is ideal for cases where built-in encryption alone may not meet strict compliance or security requirements.
1.5. Use cases
- Healthcare: Hospitals and insurance companies transmitting patient records between systems.
- Finance & Banking: Banks processing online transactions or financial apps syncing user data.
- Government & Defence: Agencies sharing classified or sensitive national security information.
- Technology: Companies transmitting sensitive user data or proprietary source code between microservices.
- Legal: Law firms sharing confidential case files and client information.
1.6. Supported Encryption Methods
The Payload Encryption feature in Zoho Creator is powered by Zoho Directory, which manages encryption settings and keys to ensure secure data transmission in compliance with industry standards. The platform supports two primary encryption methods: symmetric encryption and asymmetric encryption.
Symmetric Encryption (AES-256)
In Zoho Creator, symmetric encryption is implemented using the AES-256 standard. This method uses a single secret key for both encrypting and decrypting the payload. The same key must be securely accessible to both the sending service and the receiving service. Symmetric encryption is generally recommended for API payloads because it offers high performance and efficiency.
When configured through Zoho Directory, symmetric encryption ensures that data exchanged between the Zoho Creator frontend and backend remains secure, even if intercepted. It is ideal for scenarios where your low-code application communicates internally or with trusted systems, offering high performance and minimal latency for large data transfers.
Asymmetric Encryption (RSA)
Asymmetric encryption in Zoho Creator uses a public and private key pair, managed through Zoho Directory, for secure key handling. The public key encrypts the payload, while the private key decrypts it. Since the public key can be shared openly and the private key is kept confidential, this method eliminates the need to share a secret key in advance.
This encryption type is often used in Zoho Creator when integrating with third-party services, such as payment gateways or API connectors, where Zoho Directory manages the key exchange process. This is especially well-suited for secure communication with external systems that require public and private key authentication.
1.7. How Payload Encryption Works
Payload encryption secures your core data through a multi-layered process involving both client-side and server-side encryption, ensuring confidentiality and integrity throughout transmission.
Here’s how it works:
First, the data payload is encrypted at the source using a powerful algorithm, such as the Advanced Encryption Standard (AES-256). This means the data is unreadable both at rest and in transit. This already-encrypted data is then sent through a secure channel protected by Transport Layer Security (TLS), which encrypts the entire connection, adding another layer of security.
Finally, a cryptographic signature (like a Message Authentication Code) is used to verify two things upon arrival: that the data came from an authentic source and that it was not altered in any way. This layered approach ensures your data is robustly protected.
1.8. Configuring Payload Encryption
Zoho Directory manages payload encryption for Zoho Creator to ensure secure data transmission.
When you click Configure, you will be redirected to the Zoho Directory page to enable payload encryption, choose supported applications, and manage encryption keys.
2. Points to note
- Payload Encryption is supported for API requests but is not available for external services.
- Decryption can fail if the key is incorrect, the data was corrupted in transit, or the ciphertext was tampered with.
- If decryption fails, the system must immediately reject the request. A generic HTTP 400 Bad Request or HTTP 422 Unprocessable Entity status code should be returned. Do not provide specific details like "Invalid Key" in the public error response, as this can give attackers useful information.
- Log the event of a decryption failure (e.g., Timestamp, Source IP, API Endpoint). Under no circumstances should you log the secret key or the payload that failed to be decrypted.
- Payload encryption is not a replacement for HTTPS/TLS. TLS protects the channel of communication, while payload encryption protects the data itself. The two work together to provide defense-in-depth.
- Implementing payload encryption is a key step towards compliance with data protection regulations like GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and India's DPDPA (Digital Personal Data Protection Act, 2023).
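The failure handling described in the points above, together with the tamper detection from section 1.7, as an added example that is not Zoho's code: a receiver that returns the same generic 400 for every decryption failure and logs only timestamp, source IP and endpoint. The AES-256-GCM mode, the envelope layout, and all function names, the sample IP and the endpoint are assumptions made for this example.

```javascript
// Added example, not Zoho's code. Assumed: AES-256-GCM, and an envelope of
// base64(12-byte IV || 16-byte auth tag || ciphertext). All names are hypothetical.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Sender: encrypt a JSON payload at the source, before it enters the TLS channel.
function encryptPayload(key, obj) {
  const iv = randomBytes(12); // fresh IV per message; never reuse with the same key
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(obj), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Receiver: wrong key, corruption, tampering, truncation and bad JSON all
// collapse into one generic 400, so the response never reveals which check failed.
function handleEncryptedRequest(key, envelopeB64, meta, logSink) {
  try {
    const raw = Buffer.from(String(envelopeB64), 'base64');
    if (raw.length < 28) throw new Error('envelope too short');
    const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return { status: 200, payload: JSON.parse(plain.toString('utf8')) };
  } catch (_err) {
    // Log request metadata only: no key, no envelope, no error text.
    logSink.push({ event: 'payload_decrypt_failed', timestamp: new Date().toISOString(),
                   sourceIp: meta.sourceIp, endpoint: meta.endpoint });
    return { status: 400, body: { error: 'Bad Request' } };
  }
}

// Constructed sample data: random keys, a documentation-range IP, a made-up endpoint.
function demo() {
  const key = randomBytes(32), wrongKey = randomBytes(32), log = [];
  const meta = { sourceIp: '203.0.113.7', endpoint: '/example/records' };
  const envelope = encryptPayload(key, { recordId: 42, note: 'constructed sample' });
  const tampered = Buffer.from(envelope, 'base64');
  tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
  return {
    ok: handleEncryptedRequest(key, envelope, meta, log),
    wrongKey: handleEncryptedRequest(wrongKey, envelope, meta, log),
    tampered: handleEncryptedRequest(key, tampered.toString('base64'), meta, log),
    truncated: handleEncryptedRequest(key, envelope.slice(0, 8), meta, log),
    log,
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

GCM is an authenticated mode, which is what turns a single flipped ciphertext bit into a decryption failure; an unauthenticated AES mode would need a separate MAC check to get the same behaviour.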