Tool Arguments Encryption

Learn to encrypt tool arguments and protect sensitive data

Overview

Tool argument encryption protects sensitive data like Social Security Numbers, Credit Card Numbers, and other PII by encrypting specific fields before they’re sent to your server.

In this guide, you’ll learn to:

  • Create and configure a custom credential with encryption enabled
  • Generate RSA public/private key pairs
  • Configure tools to encrypt specific argument fields
  • Decrypt encrypted data on your server

Prerequisites

  • A Vapi account with access to the dashboard
  • OpenSSL or a similar tool for generating RSA keys
  • A server endpoint that can receive and decrypt encrypted data

Step 1: Create a custom credential with encryption

Navigate to the custom credentials page and enable encryption settings.

  1. Go to https://dashboard.vapi.ai/settings/integrations/custom-credential and click “Add Custom Credential”
  2. Check Enable Encryption
  3. Select RSA-OAEP-256 as the algorithm
  4. Select SPKI-PEM as the format

[Figure: Enable encryption in custom credential settings]

Step 2: Generate RSA key pair

Use OpenSSL to generate a public/private key pair in PEM format.

Run these commands in your terminal to generate both keys:

    # Generate a 2048-bit RSA private key
    openssl genrsa -out private-key.pem 2048

    # Extract the public key in SPKI format
    openssl rsa -in private-key.pem -pubout -out public-key.pem

This creates two files:

  • private-key.pem - Keep this secure on your server for decryption
  • public-key.pem - Copy this to Vapi for encryption

Never share or commit your private key. Store it securely in your server’s environment variables.

Step 3: Add public key to credential

Copy and paste your public key into the Vapi dashboard.

  1. Open public-key.pem and copy the entire contents
  2. Paste the public key PEM into the Public Key PEM field
  3. Click Save

[Figure: Paste the public key into the credential]

Your credential is now ready to use with encrypted tool arguments.

Step 4: Select a tool to configure

Navigate to your tools and choose which tool should use encryption.

  1. Go to the Tools page
  2. Select an existing Custom Tool or API Request Tool
  3. Alternatively, create a new tool if needed

Step 5: Configure credential and encryption settings

Link your encryption credential and specify which fields to encrypt.

  1. In the tool settings, find the Credential dropdown
  2. Select the credential you created in Step 1
  3. Scroll to Encryption Settings
  4. Add the exact JSON paths to the arguments you want encrypted

Example JSON paths:

  • ssn - Encrypts the ssn field
  • payment.cardNumber - Encrypts nested fields

JSON paths are relative to the tool’s argument structure. Only specified fields will be encrypted.

[Figure: Configure credential]
[Figure: Configure encryption settings]

Step 6: Save and test the configuration

Save your tool configuration and verify encryption works with a test call.

  1. Click Save to apply your changes
  2. Make a test call using an assistant with this tool
  3. Trigger the tool during the call
  4. Check your server logs to confirm encrypted data arrives

When your server receives the webhook, encrypted fields will appear as base64-encoded strings:

    {
      "fullName": "John Doe",
      "dateOfBirth": "ZCT0EvFkJRHShBd06Ldu7ImHgl7YCuX8l8IF/7xuQSydafVWRR2eCGqTeXK7HyMaXyDc3hHyaTwTKyd0kJH0TCgQEJwviTLSlt7IzH4BIVXIadYcmCUbcSN77R6HoYtGE/De8hEYZ0t+bfuKnDY1IyiQXViI1oE+A2hiscrl4x9Or+n3CUSvxXQ3fJREsCHVN4Y4jbLtQOh0bhlsKLol7GEXBGnOG+oBlXvIzEgyco/peusg7Vzeq42F9odQyZZop9u8+ynwz3DOCm9JBZdOuf7iCKKos0NU+VeWanUHvJ2aJfGPck7qleFWDFsCb+F6QcIcn3fkiKTqoYa44vQ+NA=="
    }

Step 7: Decrypt data on your server

Use your private key to decrypt the base64-encoded encrypted values.

Here’s how to decrypt the data in your server code:

    import crypto from 'crypto';
    import fs from 'fs';

    function decryptToolArgument(encryptedBase64: string): string {
      // Load your private key
      const privateKey = fs.readFileSync('private-key.pem', 'utf8');

      // Decode from base64
      const encryptedBuffer = Buffer.from(encryptedBase64, 'base64');

      // Decrypt using RSA-OAEP with SHA-256
      const decrypted = crypto.privateDecrypt(
        {
          key: privateKey,
          padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
          oaepHash: 'sha256',
        },
        encryptedBuffer
      );

      return decrypted.toString('utf8');
    }

    // Example usage
    // Placeholder value: substitute the base64 string your server received
    const encryptedDateOfBirth = "ZW5jcnlwdGVkX2RhdGFfaGVyZQ==...";
    const decryptedDateOfBirth = decryptToolArgument(encryptedDateOfBirth);
    console.log(decryptedDateOfBirth); // Original value

Store your private key in environment variables rather than hardcoding the file path. Use process.env.PRIVATE_KEY (Node.js) or os.getenv("PRIVATE_KEY") (Python).

Security best practices

Follow these guidelines to maintain secure encryption:

  • Never commit private keys - Use environment variables or secret management systems
  • Rotate keys periodically - Generate new key pairs and update credentials regularly
  • Encrypt selectively - Only encrypt fields that contain sensitive data to minimize overhead
  • Validate decrypted data - Always validate and sanitize decrypted values before use
  • Use HTTPS - Ensure your server endpoint uses HTTPS for transport security
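
The server-side handling from Steps 5 and 7 combined with the "Validate decrypted data" guideline, as an added example that is not part of Vapi's documentation or code: it decrypts each configured JSON path with RSA-OAEP-256, checks the result, and fails closed when a field is missing, arrives unencrypted, or does not match its expected format. The value formats in RULES, the function names, and samplePayload (a throwaway key pair plus locally encrypted test values) are assumptions for illustration.

```typescript
import * as crypto from 'crypto';
// Encrypted JSON paths (the page's two examples); the format rules are assumptions.
const RULES: [string, RegExp][] = [
  ['ssn', /^\d{3}-\d{2}-\d{4}$/],
  ['payment.cardNumber', /^\d{13,19}$/],
];
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
type Args = { [key: string]: unknown };

// Resolve a dotted path to the object holding its last key; null if absent or not a string.
function locate(root: Args, path: string): { obj: Args; key: string } | null {
  const keys = path.split('.');
  const key = keys.pop() as string;
  let obj: unknown = root;
  for (const k of keys) obj = typeof obj === 'object' && obj !== null ? (obj as Args)[k] : undefined;
  if (typeof obj !== 'object' || obj === null) return null;
  return typeof (obj as Args)[key] === 'string' ? { obj: obj as Args, key } : null;
}

// Decrypt and validate every configured path on a copy; fail closed on any problem.
function decryptToolArguments(args: Args, privateKeyPem: string): Args {
  const out: Args = JSON.parse(JSON.stringify(args));
  for (const [path, rule] of RULES) {
    const slot = locate(out, path);
    if (slot === null) throw new Error('missing encrypted field: ' + path);
    let plain = '';
    try {
      const buf = Buffer.from(slot.obj[slot.key] as string, 'base64');
      plain = crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, buf).toString('utf8');
    } catch {
      throw new Error('cannot decrypt field: ' + path); // never echo payload or key
    }
    if (!rule.test(plain)) throw new Error('invalid value for field: ' + path);
    slot.obj[slot.key] = plain;
  }
  return out;
}

// Constructed sample: throwaway key pair (SPKI PEM public key) and an encrypted payload.
function samplePayload(ssn: string, card: string): { args: Args; privateKey: string } {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const enc = (v: string): string =>
    crypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(v, 'utf8')).toString('base64');
  return { args: { fullName: 'John Doe', ssn: enc(ssn), payment: { cardNumber: enc(card) } }, privateKey };
}
```

The error messages name only the JSON path, so a failed decryption never puts ciphertext, plaintext, or key material into your logs.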

Next steps

Now that you have tool argument encryption configured: