Proxy Tokenization Encryption

Use this functionality when a partner API sends a payload containing encrypted data that TokenEx must decrypt before it can tokenize the sensitive values inside.

🚧

HEADS-UP!

Unless AES encryption is being used, the data must be encrypted with a TokenEx public RSA or PGP key so that TokenEx can decrypt it with the matching private key.

Order of Operations

After a third-party API sends a payload containing encrypted data to the proxy endpoint, the following steps are taken:

  1. The encrypted data is located using the Encryption RegEx specified in the Proxy Profile (if no Encryption RegEx is configured, the entire payload is treated as the cipher text)
  2. The encrypted data is decrypted using the relevant private key (or, for AES, the key associated with your account)
  3. The Regular Expressions configured to locate sensitive data (e.g. PAN, CVV) are evaluated against the decrypted payload and each match is tokenized
  4. The payload, now containing decrypted and tokenized data, is sent to the API specified in the Proxy Profile
  5. The API specified in the Proxy Profile replies to the proxy endpoint
  6. Any tokens in the reply that are wrapped in three curly braces (e.g. {{{token}}}) are detokenized
  7. The reply is sent to the originating third-party API

Note that any decrypted value the sensitive-data Regular Expressions do not match is forwarded to the destination API in clear text, so those expressions must cover every field that needs protection. Likewise, a token in the reply that is not wrapped in three curly braces is returned to the third-party API as a token.
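The seven steps above, modelled end to end as an added Python example; this is not TokenEx code and does not describe TokenEx internals. The decryption step is a constructed base64 stand-in so the example runs without keys or third-party libraries; the form-body payload, the regexes, the token format and the in-memory vault are all constructed for the demo, and the assumption that the first capture group of a regex is the value the proxy acts on is mine, not something this page states.

```python
import base64
import re
import secrets


def demo_decrypt(ciphertext: str) -> str:
    """Constructed stand-in for step 2. The real proxy decrypts with the private key
    (or the account's AES key) for the selected Encryption Operation; base64 is used
    here only so the pipeline runs offline without keys or third-party libraries."""
    return base64.b64decode(ciphertext).decode()


class ProxyPipeline:
    """Models the proxy's order of operations on a request payload and on the reply."""

    TOKEN_WRAPPER = re.compile(r"\{\{\{([^{}]+)\}\}\}")  # {{{token}}} in the reply

    def __init__(self, encryption_regex, sensitive_regexes, decrypt):
        # No Encryption Regex means the entire payload is the cipher text.
        self.encryption_regex = re.compile(encryption_regex) if encryption_regex else None
        self.sensitive_regexes = [re.compile(r) for r in sensitive_regexes]
        self.decrypt = decrypt
        self.vault = {}  # token -> original value; illustrative in-memory vault

    @staticmethod
    def _sub(regex, text, fn):
        # Assumption: when the regex has a capture group, group 1 is the value acted on
        # and the rest of the match is preserved; otherwise the whole match is replaced.
        def repl(m):
            if m.re.groups:
                whole = m.group(0)
                s, e = m.start(1) - m.start(0), m.end(1) - m.start(0)
                return whole[:s] + fn(m.group(1)) + whole[e:]
            return fn(m.group(0))
        return regex.sub(repl, text)

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(8)  # illustrative token format, not TokenEx's
        self.vault[token] = value
        return token

    def detokenize(self, token):
        return self.vault.get(token, token)  # unknown tokens pass through unchanged

    def inbound(self, payload):
        """Steps 1-4: returns what the proxy forwards to the API in the Proxy Profile."""
        if self.encryption_regex is None:
            payload = self.decrypt(payload)
        else:
            payload = self._sub(self.encryption_regex, payload, self.decrypt)
        for regex in self.sensitive_regexes:
            payload = self._sub(regex, payload, self.tokenize)
        return payload

    def outbound(self, reply):
        """Steps 6-7: only values wrapped in {{{ }}} are detokenized."""
        return self.TOKEN_WRAPPER.sub(lambda m: self.detokenize(m.group(1)), reply)


def run_demo():
    # Constructed partner request: a form body whose "card" field carries the cipher text.
    card_json = '{"cardNumber":"4111111111111111","cvv":"123"}'
    payload = "orderId=A-1001&card=" + base64.b64encode(card_json.encode()).decode()

    proxy = ProxyPipeline(
        encryption_regex=r"(?<=card=)([A-Za-z0-9+/=]+)",
        sensitive_regexes=[r'(?<="cardNumber":")(\d{13,19})', r'(?<="cvv":")(\d{3,4})'],
        decrypt=demo_decrypt,
    )
    forwarded = proxy.inbound(payload)

    # Constructed reply from the destination API: it echoes the PAN token back twice,
    # once wrapped for detokenization and once bare (a reference it wants to keep).
    pan_token = next(t for t, v in proxy.vault.items() if v == "4111111111111111")
    reply = '{"status":"approved","card":"{{{%s}}}","ref":"%s"}' % (pan_token, pan_token)
    returned = proxy.outbound(reply)
    return {"forwarded": forwarded, "pan_token": pan_token, "returned": returned}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the forwarded body with the card JSON decrypted in place and both the PAN and CVV replaced by tokens, and the returned reply with the wrapped token restored to the PAN while the bare reference stays a token.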

Encryption Types Supported

BASE64 encoded AES 256 CBC

Before using this functionality, an encryption profile must be created by the TokenEx support team so that an AES key can be associated with your TokenEx account.

  • Select AES-256-CBC in the Encryption Operations field
  • The AES Initialization Vector (IV) must be sent by the partner API in the tx-proxy-encryption-iv request header; generate a fresh random IV for every request rather than reusing one
  • An Encryption Regex should be specified for this decryption type, unless the entire payload is the cipher text.
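What the partner API has to produce for this encryption type, and what the proxy does with it, as an added Python example using the third-party `cryptography` package (this is not TokenEx code). The 32-byte key stands in for the AES key associated with your account, the order and card values are constructed, and the choice to send the IV base64-encoded in the header is an assumption to confirm with TokenEx, since this page does not state the header's encoding.

```python
import base64
import os
import re

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

IV_HEADER = "tx-proxy-encryption-iv"


def aes256_cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """AES-256-CBC with PKCS#7 padding; returns the raw cipher text only (no IV prefix)."""
    if len(key) != 32 or len(iv) != 16:
        raise ValueError("AES-256-CBC needs a 32-byte key and a 16-byte IV")
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


def aes256_cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()  # raises ValueError on bad padding


def build_partner_request(key: bytes, order_id: str, card_json: str):
    """Partner side: encrypt the card data, base64 it into the body, send the IV in the header.
    A fresh random IV is drawn for every request; CBC with a reused IV reveals whether two
    messages share a leading block."""
    iv = os.urandom(16)
    ct_b64 = base64.b64encode(aes256_cbc_encrypt(key, iv, card_json.encode())).decode()
    body = '{"orderId":"%s","card":"%s"}' % (order_id, ct_b64)
    headers = {
        "Content-Type": "application/json",
        # Assumption: the IV is sent base64-encoded; confirm the expected encoding with TokenEx.
        IV_HEADER: base64.b64encode(iv).decode(),
    }
    return body, headers


def iv_from_headers(headers: dict) -> bytes:
    return base64.b64decode(headers[IV_HEADER])


def proxy_decrypt_in_place(key: bytes, body: str, headers: dict, encryption_regex: str) -> str:
    """Proxy side: the Encryption Regex locates the base64 cipher text, which is replaced
    with the plaintext before the sensitive-data regexes run."""
    iv = iv_from_headers(headers)

    def repl(m):
        return aes256_cbc_decrypt(key, iv, base64.b64decode(m.group(1))).decode()

    return re.sub(encryption_regex, repl, body)


def demo_roundtrip(key: bytes = None):
    if key is None:
        key = os.urandom(32)  # stands in for the AES key tied to the account (constructed)
    card = '{"cardNumber":"4111111111111111","cvv":"123"}'  # constructed card data
    body, headers = build_partner_request(key, "A-1001", card)
    decrypted = proxy_decrypt_in_place(key, body, headers, r'(?<="card":")([A-Za-z0-9+/=]+)')
    return body, headers, decrypted


if __name__ == "__main__":
    body, headers, decrypted = demo_roundtrip()
    print(headers[IV_HEADER], body, decrypted, sep="\n")
```

The body carries only the base64 cipher text, so the Encryption Regex in the Proxy Profile must match exactly that base64 run and nothing else; the IV travels separately in the header, and the bare CBC cipher text has no integrity protection of its own, so the transport (TLS) is what stops it being altered in flight.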

Barclays Hybrid Encryption with Signature

Before using this functionality, the Barclays public key for signature validation must be associated with the relevant Proxy Profile IDs by the TokenEx support team.

  • Select Barclays Hybrid Decryption w/ Signature in the Encryption Operations field
  • An Encryption Regex should not be specified for this decryption type.
  • RegEx for PAN:
    (?<=%22cardNumber%22%3a%22)([^%]+)
    This lookbehind matches the value that follows the percent-encoded JSON key "cardNumber": (encoded as %22cardNumber%22%3a%22) and stops at the next percent-encoded character, normally the closing %22. Note that the hex digits in the expression are lower case.

Note: When testing, the Content-Type of the request must be application/x-www-form-urlencoded and the payload must be form-URL-encoded accordingly, which is why the expression above matches percent-encoded quotes and colons rather than literal ones.
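The PAN expression above, run against a form-URL-encoded JSON body, as an added Python example (not TokenEx code). It also shows the check a practitioner should make before relying on that expression: the percent-encoding produced by Python's `urllib.parse.quote` and JavaScript's `encodeURIComponent` uses upper-case hex (%3A), while the expression is written with lower-case hex (%3a), so an encoder's hex case decides whether the PAN is found. The card values and the `data=` form field name are constructed; whether the Proxy Profile regex field honours an inline `(?i)` flag is not stated on this page and would need confirming with TokenEx.

```python
import json
import re
from urllib.parse import quote

# PAN expression as documented for the Barclays profile (lower-case hex in the lookbehind).
PAN_REGEX = re.compile(r"(?<=%22cardNumber%22%3a%22)([^%]+)")


def form_encode_json(obj: dict, lowercase_hex: bool) -> str:
    """Percent-encodes a compact JSON document as the value of a form field.
    quote() emits upper-case hex; lowercase_hex=True rewrites the escapes to lower case
    to imitate encoders that emit %3a instead of %3A."""
    encoded = quote(json.dumps(obj, separators=(",", ":")), safe="")
    if lowercase_hex:
        encoded = re.sub(r"%[0-9A-F]{2}", lambda m: m.group(0).lower(), encoded)
    return "data=" + encoded  # constructed field name; the real payload layout is Barclays'


def find_pan(body: str, ignore_case: bool = False):
    """Returns the PAN the expression captures, or None when it does not match."""
    regex = re.compile(PAN_REGEX.pattern, re.IGNORECASE) if ignore_case else PAN_REGEX
    m = regex.search(body)
    return m.group(1) if m else None


def demo():
    card = {"cardNumber": "4111111111111111", "expiryDate": "1229"}  # constructed values
    lower = form_encode_json(card, lowercase_hex=True)
    upper = form_encode_json(card, lowercase_hex=False)
    return {
        "lowercase_body": lower,
        "lowercase_match": find_pan(lower),
        "uppercase_body": upper,
        "uppercase_match": find_pan(upper),
        "uppercase_match_ignore_case": find_pan(upper, ignore_case=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With lower-case escapes the expression captures 4111111111111111; with upper-case escapes it captures nothing and the PAN would be forwarded untokenized, which is exactly the failure the order-of-operations section warns about. If the partner's encoder emits upper-case hex, either normalise the case before matching or use a case-insensitive expression, subject to what the Proxy Profile regex field supports.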

JWE Encryption using RSA 256 OAEP

  • Select JWE Decryption - RSA-OAEP-256 in the Encryption Operations field
  • An Encryption Regex should be specified for this decryption type, unless the entire payload is the cipher text.

RSA Encryption using SHA1 OAEP

  • Select RSA-OaepSHA1 in the Encryption Operations field
  • An Encryption Regex should be specified for this decryption type, unless the entire payload is the cipher text.

PGP Encryption

  • Select PGP in the Encryption Operations field
  • An Encryption Regex should be specified for this decryption type, unless the entire payload is the cipher text.