Skip to main content

Encoding

FunctionDescriptionMeta
base64.decode

y := base64.decode(x)

Deserializes the base64 encoded input string.

Arguments:
x (string)

string to decode

Returns:
y (string)

base64 deserialization of x

Wasm
base64.encode

y := base64.encode(x)

Serializes the input string into base64 encoding.

Arguments:
x (string)

string to encode

Returns:
y (string)

base64 serialization of x

Wasm
base64.is_valid

result := base64.is_valid(x)

Verifies the input string is base64 encoded.

Arguments:
x (string)

string to check

Returns:
result (boolean)

true if x is valid base64 encoded value, false otherwise

v0.24.0 Wasm
base64url.decode

y := base64url.decode(x)

Deserializes the base64url encoded input string.

Arguments:
x (string)

string to decode

Returns:
y (string)

base64url deserialization of x

Wasm
base64url.encode

y := base64url.encode(x)

Serializes the input string into base64url encoding.

Arguments:
x (string)

string to encode

Returns:
y (string)

base64url serialization of x

Wasm
base64url.encode_no_pad

y := base64url.encode_no_pad(x)

Serializes the input string into base64url encoding without padding.

Arguments:
x (string)

string to encode

Returns:
y (string)

base64url serialization of x

v0.25.0-rc2 SDK-dependent
hex.decode

y := hex.decode(x)

Deserializes the hex-encoded input string.

Arguments:
x (string)

a hex-encoded string

Returns:
y (string)

deserialized from x

v0.25.0-rc2 SDK-dependent
hex.encode

y := hex.encode(x)

Serializes the input string using hex-encoding.

Arguments:
x (string)

string to encode

Returns:
y (string)

serialization of x using hex-encoding

v0.25.0-rc2 SDK-dependent
json.is_valid

result := json.is_valid(x)

Verifies the input string is a valid JSON document.

Arguments:
x (string)

a JSON string

Returns:
result (boolean)

true if x is valid JSON, false otherwise

json.marshal

y := json.marshal(x)

Serializes the input term to JSON.

Arguments:
x (any)

the term to serialize

Returns:
y (string)

the JSON string representation of x

Wasm
json.marshal_with_options

y := json.marshal_with_options(x, opts)

Serializes the input term JSON, with additional formatting options via the opts parameter. opts accepts keys pretty (enable multi-line/formatted JSON), prefix (string to prefix lines with, default empty string) and indent (string to indent with, default \t).

Arguments:
x (any)

the term to serialize

opts (object<indent: string, prefix: string, pretty: boolean>[string: any])

encoding options

Returns:
y (string)

the JSON string representation of x, with configured prefix/indent string(s) as appropriate

v0.64.0 SDK-dependent
json.unmarshal

y := json.unmarshal(x)

Deserializes the input string.

Arguments:
x (string)

a JSON string

Returns:
y (any)

the term deserialized from x

Wasm
urlquery.decode

y := urlquery.decode(x)

Decodes a URL-encoded input string.

Arguments:
x (string)

the URL-encoded string

Returns:
y (string)

URL-encoding deserialization of x

SDK-dependent
urlquery.decode_object

object := urlquery.decode_object(x)

Decodes the given URL query string into an object.

Arguments:
x (string)

the query string

Returns:
object (object[string: array[string]])

the resulting object

v0.24.0 SDK-dependent
urlquery.encode

y := urlquery.encode(x)

Encodes the input string into a URL-encoded string.

Arguments:
x (string)

the string to encode

Returns:
y (string)

URL-encoding serialization of x

SDK-dependent
urlquery.encode_object

y := urlquery.encode_object(object)

Encodes the given object into a URL encoded query string.

Arguments:
object (object[string: any<string, array[string], set[string]>])

the object to encode

Returns:
y (string)

the URL-encoded serialization of object

SDK-dependent
yaml.is_valid

result := yaml.is_valid(x)

Verifies the input string is a valid YAML document.

Arguments:
x (string)

a YAML string

Returns:
result (boolean)

true if x is valid YAML, false otherwise

v0.25.0-rc1 SDK-dependent
yaml.marshal

y := yaml.marshal(x)

Serializes the input term to YAML.

Arguments:
x (any)

the term to serialize

Returns:
y (string)

the YAML string representation of x

SDK-dependent
yaml.unmarshal

y := yaml.unmarshal(x)

Deserializes the input string.

Arguments:
x (string)

a YAML string

Returns:
y (any)

the term deserialized from x

SDK-dependent

The json.marshal_with_options builtin's opts parameter accepts the following properties:

FieldRequiredTypeDefaultDescription
prettyNobooltrue if indent or prefix are declared,
false otherwise
Enables multi-line, human-readable JSON output ("pretty-printing").
If this property is true, then objects will be marshaled into multi-line JSON with either user-specified or default indent/prefix options. If this property is false, indent/prefix will be ignored and this builtin functions identically to json.marshal().
indentNostring"\t"
(Horizontal tab, character 0x09)
The string to use when indenting nested keys in the emitted JSON. One or more copies of this string will be included before child elements in every object or array.
prefixNostring""
(empty)
The string to prefix lines with in the emitted JSON. One copy of this string will be prepended to each line.

Default values will be used if:

  • opts is an empty object.
  • opts does not contain the named property.

Examples

OPA Envoy Header Manipulation

This example shows how base64.encode acts as a utility function to bridge communication between client and server when they don't speak the same language.

Suppose that some legacy client sends credentials in custom headers (x-username, x-password), but the downstream service expects HTTP Basic Authentication. This example policy uses the base64 function to deliver this transparently to the downstream caller.

This might be useful in an API gateway where you need to adapt between different authentication schemes without the option of editing clients and downstream servers.

policy.rego
package envoy.authz

# Extract credentials from request header
headers := input.attributes.request.http.headers

username := headers["x-username"]
password := headers["x-password"]

# Default deny - only allow if credentials are provided
default allow := false

allow if {
username != ""
password != ""
}

# Add Authorization header to downstream request using base64 encoding
response_headers_to_add := {
"Authorization": sprintf(
"Basic %s", [
base64.encode(sprintf(
"%s:%s", [username, password])
)
]
)
}
input.json
{
"attributes": {
"request": {
"http": {
"headers": {
"x-username": "alice",
"x-password": "secret123"
}
}
}
}
}
data.json
"{}"