API Request Body and Response Body Encoding

Hello! For an added layer of protection, is it possible for the API Request Body to be encrypted and/or encoded before it is sent across the wire?

Assuming there is already HTTPS/SSL in place

Nathan Aw

1 REPLY

Yes, sure.

We can say TLS provides transport-level encryption and authentication.

And the application endpoints (Apigee and the client, or Apigee and the upstream endpoint) can also encrypt payloads and send ciphertext. The matter of key exchange and key management is left for the application to solve.

There are multiple ways to encrypt or sign data.

Today, GenerateJWT can be used to create a signature over a JSON payload. Today, we might often think of a JWT as a way to describe attributes associated with a subject, in other words, it's an "identity token". But the JWT specification does not stipulate that the claims in a JWT must be associated with identity. You can use GenerateJWT to sign any JSON payload. If you use the JWT as the mechanism for data protection, the receiving party must be able to verify the JWT (and there's a key management implication there). And also, today, the JWT is signed, not encrypted. So any third party can read the data, but only a party that possesses the key will be able to verify the signature.

There are no built-in ways today, in Apigee Edge, for encrypting arbitrary data within the proxy flow. Today, when people want to do that, they rely on external Java callouts to do that work. Some examples here.

Also, in the future, we expect to release support for encrypted JWT (JWE) as part of the built-in Apigee policies. This would allow encryption of JSON data.
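The reply's point that a signed JWT protects integrity but not confidentiality is easy to see with a minimal compact JWS. The following is an added illustration, not part of the original thread and not Apigee's GenerateJWT/VerifyJWT code; it assumes the HS256 algorithm with a shared secret (so, as in the reply, only a key holder can verify), uses only the Python standard library, and all names, the sample key and the sample order payload are constructed for the example. A production system should use a vetted JWT library rather than this hand-rolled version.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    # JWS uses base64url without '=' padding (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(payload: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) over an arbitrary JSON object.

    Nothing here requires the claims to describe an identity: any JSON works.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url_encode(_compact_json(header)) + "." + _b64url_encode(_compact_json(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def read_payload_without_key(token: str) -> dict:
    """What any third party on the path can do: the payload is only encoded, not encrypted."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the HMAC checks out under this key, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm; never let the token choose it (avoids alg=none confusion)
    if header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def tamper_payload(token: str, new_payload: dict) -> str:
    """Swap the payload but keep the original signature, as a party without the key might try."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _b64url_encode(_compact_json(new_payload)) + "." + sig_b64


def demo() -> dict:
    # Constructed sample secret and a non-identity business payload
    key = b"shared-secret-known-to-apigee-and-the-client"
    order = {"orderId": 1234, "amount": 19.99, "currency": "USD"}
    token = sign_hs256(order, key)
    forged = tamper_payload(token, {**order, "amount": 0.01})
    return {
        "readable_without_key": read_payload_without_key(token) == order,
        "verifies_with_key": verify_hs256(token, key) == order,
        "rejected_with_wrong_key": verify_hs256(token, b"not-the-key") is None,
        "rejected_when_tampered": verify_hs256(forged, key) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows all four properties at once: the order data is fully readable by anyone who sees the token, the correct key verifies it, a wrong key does not, and changing the amount while keeping the old signature is detected. If the payload itself must be hidden, a signature alone is not enough; that is what JWE (or a payload-encrypting Java callout) adds.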