Vaults overview
KnoxCall’s Vaults feature is a data tokenization service. You exchange a sensitive value (a credit card number, an SSN, an email, an arbitrary blob) for a token — a shorter, opaque string. Your databases and analytics pipelines store the token. Whenever you need the original value, you call KnoxCall’s detokenize endpoint. The Vault parallel: this is what HashiCorp calls a Tokenization Engine. The competitor parallel: Basis Theory and Skyflow. Use it for:- PCI scope reduction — store tokens that pass card-shape validation in your DB. KnoxCall holds the real PANs in scope.
- PII lifecycle controls — set TTLs so emails / SSNs auto-expire; cryptographic erasure when a customer requests deletion.
- Format preservation — tokens that pass the same format checks as the originals (e.g. Luhn-valid for cards, NNN-NN-NNNN for SSNs), so existing systems keep working without schema changes.
- Centralised audit — every detokenize lands in the audit log with the user/key that read it.
Why use it
How it works
- Create a vault with a chosen token format. The format is locked at creation — changing it later would invalidate every existing token.
- Tokenize values:
POST /v1/vaults/{name}/tokenswith{ value, metadata?, ttl_seconds? }. KnoxCall returns a token string + an internal id. Store the token in your DB. - Detokenize when you need the original:
GET /v1/vaults/{name}/tokens/{token}. Audited every time. - Rotate the vault’s encryption key when you want to bump versions. Existing tokens still decrypt under their original version; new tokens encrypt under the new version. No re-encryption of stored data needed.
- Destroy a vault to cryptographically shred every token in it. Permanently unreadable.
Quick start (UI)
- Go to Protect → Vaults in the admin UI and click New Vault.
- Pick a token format:
generic— opaque token, safe for any value type. Default.pan— credit card numbers (16 digits, Luhn-valid, BIN + last4 preserved).ssn— US SSNs (9XX-XX-XXXX, last 4 preserved).email— local-part tokenised, domain preserved.
- Optional: set a default TTL so tokens auto-expire.
- Save. Use the Playground tab to tokenize / detokenize a few values.
Quick start (API)
All responses use the standard{ data: ..., meta: { request_id: "..." } } envelope. The examples below show the data fields.
Token formats
The
pan and ssn generators solve the math so the resulting token validates: PAN tokens pass the Luhn check, SSN tokens fit the regex your form already enforces. You drop the token into the same column the original would have gone in.
Encryption + rotation
Each vault has its own encryption key (managed via Crypto Keys). Tokens carry the key version they were encrypted under. When you rotate:- A new key version becomes active.
- New tokens encrypt under the new version.
- Existing tokens still decrypt under their original version (no migration needed).
Bulk and TTL
- Bulk tokenize: up to 1000 values per call via
POST /v1/vaults/{name}/tokens/bulk. Wraps each tokenize in the same DB transaction. - TTL: per-vault default + per-call override. Expired tokens 404 on detokenize and get pruned by an hourly cron.
- Metadata: attach a small JSON object alongside each token (read back on detokenize). Encrypted at rest.
Plan limits
Next steps
- Crypto Keys overview → — the encryption layer Vaults builds on
- API reference →