The SealingKey.seal and SymmetricKey.seal operations support an optional unsealingInstructions string parameter. If the parameter is provided when a message is sealed, the same value must be present when the unseal operation is called. The field is stored in plaintext (unencrypted) in the unsealingInstructions field of the PackagedSealedMessage returned by the seal operation. (If the field is not provided, it is treated as an empty string.)

The Seeded Cryptography Library is agnostic to the format and value of this string, so long as the same string is used both during sealing and unsealing.

However, since it's format mirrors JSON Format for Recipes, and the DiceKeys API Fields are currently documented here, we currently document the JSON format for Unsealing Instructions fields below.

Authentication and authorization requirements

The unsealing instructions support require authentication requirements via the allow, requireAuthenticationHandshake, and androidPackagePrefixesAllowed fields from the recipe format.