# Encrypted Data Integration (`sovanza.inc/encrypted-data-integration`) Actor Encrypted Data Integration encrypts sensitive Apify data before export or automation. It supports selected fields, full records, or full payload encryption with AES-GCM, manifests, fingerprints, and dataset or key-value store output. - **URL**: https://apify.com/sovanza.inc/encrypted-data-integration.md - **Developed by:** [Sovanza](https://apify.com/sovanza.inc) (community) - **Categories:** Developer tools, Automation, Other - **Stats:** 2 total users, 1 monthly users, 0.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing from $4.00 / 1,000 encrypted records This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ### 🔐 Encrypted Data Integration Tool – Secure API & Data Sync Automation Securely integrate and transfer **encrypted** data across your automation stack. Built for developers, SaaS teams, and data engineers who need **safe handling of sensitive fields** inside Apify runs—without pasting plaintext into exports, logs, or downstream webhooks. **What it actually does:** this actor reads structured records from an Apify **dataset**, **key-value store** item, pasted **JSON**, or **inline JSON records**, applies **authenticated encryption**, and writes **encrypted output** back to a **dataset** and/or **KV store**. Use it as the cryptographic step in larger sync workflows (schedules + API exports + your own integrations). --- ### Optimized positioning **Securely protect data before it leaves your Apify storage boundary.** Choose field-level encryption (most common), encrypt an entire record, or encrypt a full batch payload for handoff. Pair with Apify schedules and your own HTTP/database connectors for end-to-end pipelines. --- ### 🚀 Start secure data integration Automate pipelines with encryption and operational control: 👉 **Protect sensitive columns** before export or handoff 👉 **Deterministic fingerprints** for matching workflows (hashes—not encryption by themselves) 👉 **Structured manifests** so decryptors know algorithm, KDF, and scope 👉 **Runs on demand or on schedule** via Apify --- ### 🧠 What this tool actually does This actor is a **secure transformation engine** inside Apify—not a turnkey “reverse ETL” to every SaaS vendor out of the box. It connects to **your existing Apify data** and produces **encrypted derivatives**: | Capability | Detail | |-----------|--------| | **Read from** | `dataset`, `kv_store`, `json_records`, `json_text` | | **Encrypt** | `selected_fields`, `full_record`, or `full_payload` | | **Algorithms** | **AES-256-GCM** (recommended) or **Fernet** compatibility mode | | **Key material** | **Passphrase** (PBKDF2 or scrypt) or **raw symmetric key** (base64) | | **Write to** | default **dataset**, **KV** item, or **both** | Use it upstream of integrations: encrypt first, then move ciphertext through your downstream systems—**never commit passphrases to git**, and rotate secrets responsibly. Unlike basic “encrypt this string” snippets, outputs include manifests, ciphertext metadata, fingerprints (optional), and summary/error rows suited for audited workflows. --- ### 🔄 Supported data sources & outputs (within Apify) | Source (`sourceMode`) | When to use | |----------------------|-------------| | **`dataset`** | Encrypt items from another actor’s dataset (`sourceDatasetId` or name) | | **`kv_store`** | Encrypt a blob already stored under a KV key | | **`json_records` / `json_text`** | Quick tests or pasted uploads | Outputs land in **`outputMode`** = `dataset`, `kv_store`, or `both`. External CRMs/analytics/database targets are reached through **your** HTTP workers, exporters, warehouses, or other actors—not inside this codebase. --- ### 🔐 Security & encryption Security is foundational: - Uses **authenticated encryption** (AES-GCM default) via the `cryptography` library - Derives symmetric keys via **PBKDF2-HMAC-SHA256** or **scrypt** when using passphrases - Never logs plaintext secrets (`passphrase`, raw keys); enable **`redactLogs`** by default posture - Can strip plaintext sensitive fields after writing `*_encrypted` counterparts **Operational reality:** ciphertext is safer than plaintext—but key management remains **your responsibility** (vaults, KMS, rotating passphrases, least-privilege access on Apify runs). HTTPS applies to browser/API traffic toward Apify; encryption-at-rest semantics depend on Apify Storage configuration and enterprise controls. --- ### ⚡ Key features - Multiple input sources (dataset/KV/direct JSON text) - Three encryption scopes: selected fields / full record / full payload batch - **`preserveFields`** to keep indexing columns readable - **`removePlaintextAfterEncryption`** to minimize accidental leakage - **Manifests**: algorithm, `cryptoVersion`, KDF iterations, scopes - Optional **SHA-256 fingerprints** for deterministic matching workflows - Batched concurrency with `chunkSize` + `maxConcurrency` - Structured `__summary__` and `__error__` dataset rows --- ### 🎯 Real-world use cases | Scenario | Why this fits | |---------|----------------| | **PII masking before BI export** | Encrypt `email`, `phone`, nested paths before spreadsheets get shared | | **CRM / lead payloads** | Field-level ciphertext + fingerprints for deterministic joins | | **Data pipeline QA** | Use `failOnMissingFields` / invalid record toggles to harden ingestion | | **Secure archival bundles** | `full_payload` mode for handing off encrypted batch blobs | | **Automation hygiene** | Run on schedule whenever upstream scrapers finish | --- ### 🛠️ How to use (Apify Console) 1. Choose **`sourceMode`** (`dataset`, `kv_store`, `json_records`, or `json_text`). 2. Pick **`encryptionScope`** and declare **`fieldsToEncrypt`** for `selected_fields` mode. 3. Provide **`passphrase`** *or* **`rawKeyBase64`** (`keyMode`). 4. Decide **`removePlaintextAfterEncryption`** + optional **`preserveFields`**. 5. Set **`outputMode`** (`dataset`, `kv_store`, or `both`) and KV key names if applicable. 6. Click **Run** → inspect dataset rows (`__summary__`). 7. Optional: Schedule runs for repeatable encryption jobs after upstream actors finish. #### Quick input snippet ```json { "sourceMode": "json_records", "sourceJsonRecords": [ { "id": "1", "email": "user@company.com", "notes": "Confidential memo" } ], "encryptionScope": "selected_fields", "fieldsToEncrypt": ["email", "notes"], "preserveFields": ["id"], "removePlaintextAfterEncryption": true, "algorithm": "aes_gcm", "keyMode": "passphrase", "passphrase": "USE_A_ROTATED_SECRET_FROM_A_VAULT", "keyDerivation": "pbkdf2_sha256", "iterations": 200000, "outputMode": "dataset", "includeManifest": true, "includeHashFingerprint": true } ```` Full schema lives in **`INPUT_SCHEMA.json`** (shown in Console). *** ### 📦 Output & results Depending on configuration you receive encrypted dataset rows, optional KV payload, fingerprints, manifests, `__summary__` counters, and structured `__error__` diagnostics. Exported via Apify as **JSON / CSV / Excel**—plus KV exports when you materialize ciphertext externally. Example `selected_fields` output shape: ```json { "recordId": "lead-1001", "contact": { "email_encrypted": { "algorithm": "aes_gcm", "version": "1", "nonce": "BASE64_NONCE", "salt": "BASE64_SALT", "kdf": "pbkdf2_sha256", "iterations": 200000, "ciphertext": "BASE64_CIPHERTEXT" } }, "manifest": { "cryptoVersion": "1", "encryptionScope": "selected_fields", "encryptedFields": ["contact.email"] } } ``` Final summary rows look like: ```json { "type": "__summary__", "inputRecords": 100, "processedRecords": 100, "failedRecords": 0, "encryptedFieldsCount": 230, "encryptionScope": "selected_fields", "algorithm": "aes_gcm" } ``` *** ### 📊 Performance & scalability Throughput scales with `chunkSize`, `maxItems`, concurrency, ciphertext size, and Apify Storage API limits—tune thoughtfully for heavy datasets. *** ### ❓ Frequently asked questions | Question | Answer | |---------|--------| | **Different from Zapier/low-code tools?** | This actor focuses on **cryptographic correctness** plus Apify-native IO—not generic SaaS adapters. Plug it into outbound automation with your own exporters. | | **Multiple integrations in one run?** | This actor handles **encryption**. Chain other actors/workflows for multi-hop sync across vendors. | | **Sensitive workloads?** | Yes—provided you manage secrets, storage access, rotation, and auditing. Use enterprise policies where required. | | **Coding skills?** | Console-friendly; YAML/JSON input only. Understand what fields contain secrets. | | **Recurring runs?** | Yes—Apify scheduler triggers after upstream jobs. | | **Failure handling** | Controlled via `failOnMissingFields`, `failOnInvalidRecords`; errors surface as `__error__` rows plus logs. | | **Stores data permanently?** | ciphertext persists in whichever output storage you configured (datasets/KV) until you purge it. Plaintext stripping helps reduce exposure. | *** ### Security disclaimer This actor helps protect confidentiality of configured fields—but **fingerprints ≠ encryption**. Never treat hashes as secrecy. Maintain strong passphrases, avoid committing secrets to git, rotate keys, restrict dataset access. *** ### Input configuration (reference) Full schema: `INPUT_SCHEMA.json`. Main groups: - **Sources:** `sourceMode`, `sourceDatasetId` / `sourceDatasetName`, `sourceKvStoreKey`, `sourceJsonRecords`, `sourceJsonText`, `maxItems` - **Encryption:** `encryptionScope`, `fieldsToEncrypt`, `preserveFields`, `removePlaintextAfterEncryption`, `outputEncryptedFieldSuffix` - **Crypto:** `algorithm`, `keyMode`, `passphrase`, `rawKeyBase64`, `keyDerivation`, `iterations` - **Manifests / fingerprints:** `includeManifest`, `includeHashFingerprint`, `fingerprintFields`, `deterministicFingerprintSalt` (secret) - **Output:** `outputMode`, `outputKvStoreKey`, `includeRecordId`, `recordIdField` - **Execution:** `chunkSize`, `maxConcurrency`, `failOnMissingFields`, `failOnInvalidRecords`, `includeDebugFields`, `redactLogs` *** ### Encryption modes #### `selected_fields` Encrypt only listed fields (supports dotted paths like `contact.email`). With `removePlaintextAfterEncryption: true`, originals are dropped after sibling `*_encrypted` fields exist. #### `full_record` Encrypt the entire JSON object as one ciphertext payload; typically keeps identifiers + fingerprints + manifests. #### `full_payload` Encrypt the whole batch as one blob—useful for secure handoffs or archiving. *** ### Algorithms #### AES-256-GCM (`aes_gcm`) — **default** Per-value random nonce, authenticated AEAD encryption, manifests store only safe metadata (`nonce`, `salt`, KDF iterations, algorithm version)—never plaintext. #### Fernet (`fernet`) Compatibility option when downstream tooling expects Fernet tokens; AES-GCM remains the primary recommendation. *** ### Example: encrypt from another dataset ```json { "sourceMode": "dataset", "sourceDatasetId": "YOUR_SOURCE_DATASET_ID", "maxItems": 250, "encryptionScope": "selected_fields", "fieldsToEncrypt": ["email", "phone", "notes"], "preserveFields": ["id", "name", "company"], "removePlaintextAfterEncryption": true, "algorithm": "aes_gcm", "keyMode": "passphrase", "passphrase": "USE_A_ROTATED_SECRET", "keyDerivation": "pbkdf2_sha256", "iterations": 200000, "includeManifest": true, "includeHashFingerprint": true, "fingerprintFields": ["email", "phone"], "outputMode": "dataset", "chunkSize": 100, "maxConcurrency": 5 } ``` Keep `passphrase` / raw key material **only** in Apify secret input fields—not in repos. *** ### Apify run notes - Use `sourceDatasetId` or `sourceDatasetName` when reading sibling actor output. - KV input/output keys must **differ** when both read/write KV to avoid overwriting. - Prefer `aes_gcm` unless you have a downstream compatibility constraint for Fernet. *** ### Error handling Invalid configuration fails fast (`ActorConfigurationError`). Per-record failures can emit `type="__error__"` rows depending on modes; summaries still report aggregates. *** ### Local run & validation ```bash cd encrypted-data-integration python -m pip install -r requirements.txt python main.py ``` Loads `INPUT.json` when platform input storage is absent. Round-trip cryptography checks: ```bash python scripts/roundtrip_validation.py ``` Uses fixtures under `testdata/` — validates decrypt round-trips for scopes and nested dotted paths. *** ### Limitations - Encrypted output is not plaintext-searchable inside datasets. - Key management stays **outside** the actor—you bring passphrases/keys securely. - Fingerprints are for matching diagnostics; **not** secrecy. - Dotted-path selection targets nested objects; complex array gymnastics may need preprocessing. *** ### 📈 Why use this? Manual handling of sensitive payloads is risky. This actor provides automated, explainable cryptography with manifests, structured errors, fingerprints, dedupe-ready metadata—all inside reproducible runs. *** ### 🚀 Start now Configure input, encrypt your dataset batches, inspect `__summary__`, and orchestrate downstream secure sync from there. # Actor input Schema ## `sourceMode` (type: `string`): Where the input records come from. ## `sourceDatasetId` (type: `string`): Dataset ID to read records from if sourceMode=dataset. ## `sourceDatasetName` (type: `string`): Optional dataset name to read records from if sourceMode=dataset. ## `sourceKvStoreKey` (type: `string`): Key-value store key to read from if sourceMode=kv\_store. ## `sourceJsonText` (type: `string`): Raw JSON array/object text (or CSV) when sourceMode=json\_text. May contain sensitive plaintext — stored as a secret input. ## `sourceJsonRecords` (type: `array`): Direct JSON records when sourceMode=json\_records. May contain sensitive plaintext — stored as a secret input. ## `maxItems` (type: `integer`): Maximum number of input records to process. ## `encryptionScope` (type: `string`): Choose whether to encrypt selected fields, each full record, or the full exported payload. ## `fieldsToEncrypt` (type: `array`): List of field names or dotted paths to encrypt when encryptionScope=selected\_fields. ## `preserveFields` (type: `array`): Fields to always leave plaintext for indexing or operational visibility. ## `removePlaintextAfterEncryption` (type: `boolean`): Whether to remove original plaintext field after encrypted version is created. ## `outputEncryptedFieldSuffix` (type: `string`): Suffix for field-level encrypted outputs. ## `algorithm` (type: `string`): Preferred encryption implementation. AES-GCM is the secure default. ## `keyMode` (type: `string`): How the encryption key material is supplied. ## `passphrase` (type: `string`): Secret passphrase for key derivation. Change this in production — the prefilled value is for demo runs only. ## `rawKeyBase64` (type: `string`): Raw symmetric key in base64 form. Stored as a secret input. ## `keyDerivation` (type: `string`): Key derivation function used when keyMode=passphrase. ## `iterations` (type: `integer`): KDF iterations for PBKDF2 or cost-like tuning for scrypt. ## `includeManifest` (type: `boolean`): Include encryption metadata per record or payload. ## `includeHashFingerprint` (type: `boolean`): Include deterministic SHA-256 fingerprints for configured fields or records. Fingerprints are not encryption. ## `fingerprintFields` (type: `array`): Optional fields to fingerprint before encryption. ## `includeRecordId` (type: `boolean`): Include a normalized recordId field in the encrypted output when available. ## `recordIdField` (type: `string`): Field name or dotted path used to derive recordId in output rows. ## `outputMode` (type: `string`): Where to write encrypted output. ## `outputKvStoreKey` (type: `string`): Key used when saving encrypted output to the default key-value store. ## `chunkSize` (type: `integer`): Number of records to process per batch during loading and encryption. ## `maxConcurrency` (type: `integer`): Maximum number of records processed concurrently within each batch. ## `failOnMissingFields` (type: `boolean`): If true, stop the run when a configured field to encrypt is missing. ## `failOnInvalidRecords` (type: `boolean`): If true, stop the run when a record is not a valid JSON object for the chosen mode. ## `includeDebugFields` (type: `boolean`): Include safe debug metadata such as which fields were encrypted, but never plaintext or secrets. ## `redactLogs` (type: `boolean`): Force strict redaction of sensitive values in logs. ## `deterministicFingerprintSalt` (type: `string`): Optional secret salt used only for fingerprints, not for encryption. ## Actor input object example ```json { "sourceMode": "json_records", "sourceDatasetId": "", "sourceDatasetName": "", "sourceKvStoreKey": "", "sourceJsonRecords": [ { "id": "demo-1001", "name": "Amina Yusuf", "email": "amina.yusuf@example.test", "phone": "+1-202-555-0141", "company": "Northwind Analytics", "notes": "Priority lead for regional expansion." }, { "id": "demo-1002", "name": "Luca Moretti", "email": "luca.moretti@example.test", "phone": "+39-06-5550-0142", "company": "Blue Cedar Systems", "notes": "Interested in quarterly exports only." } ], "maxItems": 1000, "encryptionScope": "selected_fields", "fieldsToEncrypt": [ "email", "phone" ], "preserveFields": [], "removePlaintextAfterEncryption": true, "outputEncryptedFieldSuffix": "_encrypted", "algorithm": "aes_gcm", "keyMode": "passphrase", "passphrase": "Apify-demo-passphrase-change-in-production", "keyDerivation": "pbkdf2_sha256", "iterations": 200000, "includeManifest": true, "includeHashFingerprint": true, "fingerprintFields": [], "includeRecordId": true, "recordIdField": "id", "outputMode": "dataset", "outputKvStoreKey": "ENCRYPTED_OUTPUT", "chunkSize": 100, "maxConcurrency": 5, "failOnMissingFields": false, "failOnInvalidRecords": false, "includeDebugFields": false, "redactLogs": true } ``` # Actor output Schema ## `records` (type: `string`): Encrypted rows and structured error rows in the default dataset. ## `kvBundle` (type: `string`): Combined encrypted output when outputMode is kv\_store or both (default key ENCRYPTED\_OUTPUT). # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "sourceJsonRecords": [ { "id": "demo-1001", "name": "Amina Yusuf", "email": "amina.yusuf@example.test", "phone": "+1-202-555-0141", "company": "Northwind Analytics", "notes": "Priority lead for regional expansion." }, { "id": "demo-1002", "name": "Luca Moretti", "email": "luca.moretti@example.test", "phone": "+39-06-5550-0142", "company": "Blue Cedar Systems", "notes": "Interested in quarterly exports only." } ], "fieldsToEncrypt": [ "email", "phone" ], "passphrase": "Apify-demo-passphrase-change-in-production" }; // Run the Actor and wait for it to finish const run = await client.actor("sovanza.inc/encrypted-data-integration").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "sourceJsonRecords": [ { "id": "demo-1001", "name": "Amina Yusuf", "email": "amina.yusuf@example.test", "phone": "+1-202-555-0141", "company": "Northwind Analytics", "notes": "Priority lead for regional expansion.", }, { "id": "demo-1002", "name": "Luca Moretti", "email": "luca.moretti@example.test", "phone": "+39-06-5550-0142", "company": "Blue Cedar Systems", "notes": "Interested in quarterly exports only.", }, ], "fieldsToEncrypt": [ "email", "phone", ], "passphrase": "Apify-demo-passphrase-change-in-production", } # Run the Actor and wait for it to finish run = client.actor("sovanza.inc/encrypted-data-integration").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "sourceJsonRecords": [ { "id": "demo-1001", "name": "Amina Yusuf", "email": "amina.yusuf@example.test", "phone": "+1-202-555-0141", "company": "Northwind Analytics", "notes": "Priority lead for regional expansion." }, { "id": "demo-1002", "name": "Luca Moretti", "email": "luca.moretti@example.test", "phone": "+39-06-5550-0142", "company": "Blue Cedar Systems", "notes": "Interested in quarterly exports only." } ], "fieldsToEncrypt": [ "email", "phone" ], "passphrase": "Apify-demo-passphrase-change-in-production" }' | apify call sovanza.inc/encrypted-data-integration --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=sovanza.inc/encrypted-data-integration", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Encrypted Data Integration", "description": "Encrypted Data Integration encrypts sensitive Apify data before export or automation. It supports selected fields, full records, or full payload encryption with AES-GCM, manifests, fingerprints, and dataset or key-value store output.", "version": "0.0", "x-build-id": "KuAtERK0QVq4xrE69" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/sovanza.inc~encrypted-data-integration/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-sovanza.inc-encrypted-data-integration", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/sovanza.inc~encrypted-data-integration/runs": { "post": { "operationId": "runs-sync-sovanza.inc-encrypted-data-integration", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/sovanza.inc~encrypted-data-integration/run-sync": { "post": { "operationId": "run-sync-sovanza.inc-encrypted-data-integration", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": { "sourceMode": { "title": "Source mode", "enum": [ "dataset", "kv_store", "json_records", "json_text" ], "type": "string", "description": "Where the input records come from.", "default": "json_records" }, "sourceDatasetId": { "title": "Source dataset ID", "type": "string", "description": "Dataset ID to read records from if sourceMode=dataset.", "default": "" }, "sourceDatasetName": { "title": "Source dataset name", "type": "string", "description": "Optional dataset name to read records from if sourceMode=dataset.", "default": "" }, "sourceKvStoreKey": { "title": "Source key-value store key", "type": "string", "description": "Key-value store key to read from if sourceMode=kv_store.", "default": "" }, "sourceJsonText": { "title": "Source JSON text", "type": "string", "description": "Raw JSON array/object text (or CSV) when sourceMode=json_text. May contain sensitive plaintext — stored as a secret input." }, "sourceJsonRecords": { "title": "Source JSON records", "type": "array", "description": "Direct JSON records when sourceMode=json_records. May contain sensitive plaintext — stored as a secret input." }, "maxItems": { "title": "Max items", "minimum": 1, "maximum": 100000, "type": "integer", "description": "Maximum number of input records to process.", "default": 1000 }, "encryptionScope": { "title": "Encryption scope", "enum": [ "selected_fields", "full_record", "full_payload" ], "type": "string", "description": "Choose whether to encrypt selected fields, each full record, or the full exported payload.", "default": "selected_fields" }, "fieldsToEncrypt": { "title": "Fields to encrypt", "type": "array", "description": "List of field names or dotted paths to encrypt when encryptionScope=selected_fields.", "items": { "type": "string" } }, "preserveFields": { "title": "Preserve fields", "type": "array", "description": "Fields to always leave plaintext for indexing or operational visibility.", "default": [], "items": { "type": "string" } }, "removePlaintextAfterEncryption": { "title": "Remove plaintext after encryption", "type": "boolean", "description": "Whether to remove original plaintext field after encrypted version is created.", "default": true }, "outputEncryptedFieldSuffix": { "title": "Encrypted field suffix", "type": "string", "description": "Suffix for field-level encrypted outputs.", "default": "_encrypted" }, "algorithm": { "title": "Algorithm", "enum": [ "aes_gcm", "fernet" ], "type": "string", "description": "Preferred encryption implementation. AES-GCM is the secure default.", "default": "aes_gcm" }, "keyMode": { "title": "Key mode", "enum": [ "passphrase", "raw_key_base64" ], "type": "string", "description": "How the encryption key material is supplied.", "default": "passphrase" }, "passphrase": { "title": "Passphrase", "type": "string", "description": "Secret passphrase for key derivation. Change this in production — the prefilled value is for demo runs only." }, "rawKeyBase64": { "title": "Raw key (base64)", "type": "string", "description": "Raw symmetric key in base64 form. Stored as a secret input." }, "keyDerivation": { "title": "Key derivation", "enum": [ "pbkdf2_sha256", "scrypt" ], "type": "string", "description": "Key derivation function used when keyMode=passphrase.", "default": "pbkdf2_sha256" }, "iterations": { "title": "Iterations / cost", "minimum": 1, "maximum": 2000000, "type": "integer", "description": "KDF iterations for PBKDF2 or cost-like tuning for scrypt.", "default": 200000 }, "includeManifest": { "title": "Include manifest", "type": "boolean", "description": "Include encryption metadata per record or payload.", "default": true }, "includeHashFingerprint": { "title": "Include hash fingerprints", "type": "boolean", "description": "Include deterministic SHA-256 fingerprints for configured fields or records. Fingerprints are not encryption.", "default": true }, "fingerprintFields": { "title": "Fingerprint fields", "type": "array", "description": "Optional fields to fingerprint before encryption.", "default": [], "items": { "type": "string" } }, "includeRecordId": { "title": "Include record ID", "type": "boolean", "description": "Include a normalized recordId field in the encrypted output when available.", "default": true }, "recordIdField": { "title": "Record ID field", "type": "string", "description": "Field name or dotted path used to derive recordId in output rows.", "default": "id" }, "outputMode": { "title": "Output mode", "enum": [ "dataset", "kv_store", "both" ], "type": "string", "description": "Where to write encrypted output.", "default": "dataset" }, "outputKvStoreKey": { "title": "Output key-value store key", "type": "string", "description": "Key used when saving encrypted output to the default key-value store.", "default": "ENCRYPTED_OUTPUT" }, "chunkSize": { "title": "Chunk size", "minimum": 1, "maximum": 5000, "type": "integer", "description": "Number of records to process per batch during loading and encryption.", "default": 100 }, "maxConcurrency": { "title": "Max concurrency", "minimum": 1, "maximum": 100, "type": "integer", "description": "Maximum number of records processed concurrently within each batch.", "default": 5 }, "failOnMissingFields": { "title": "Fail on missing fields", "type": "boolean", "description": "If true, stop the run when a configured field to encrypt is missing.", "default": false }, "failOnInvalidRecords": { "title": "Fail on invalid records", "type": "boolean", "description": "If true, stop the run when a record is not a valid JSON object for the chosen mode.", "default": false }, "includeDebugFields": { "title": "Include debug fields", "type": "boolean", "description": "Include safe debug metadata such as which fields were encrypted, but never plaintext or secrets.", "default": false }, "redactLogs": { "title": "Redact logs", "type": "boolean", "description": "Force strict redaction of sensitive values in logs.", "default": true }, "deterministicFingerprintSalt": { "title": "Fingerprint salt", "type": "string", "description": "Optional secret salt used only for fingerprints, not for encryption." } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```