Detokenize tokens
Returns the object property values for tokens.
The tokens returned by this operation are defined using three query parameters: token_ids
, object_ids
, and tags
. The operation returns an empty response if it finds no matches. See the Retrieve a token guide for more information about how to match tokens for this operation.
The role performing this operation must have all of these:
- The
CapTokensDetokenizer
capability. - Policies:
- At least one allowing policy and no denying policies for the
detokenize
operation for each of the collection properties that are tokenized by tokens specified in the query. - At least one allowing policy and no denying policies for the
read
operation for each of the collection properties that are tokenized by tokens specified in the query.
- At least one allowing policy and no denying policies for the
See identity and access management for more information about how capabilities are used to control access to operations and policies are used to control access to data.
Request
Header parameters
X-Tenant-Id
- array of stringsList of tenant IDs to enforce on the request.
Path parameters
collection
- string required*The name of a collection.
Query parameters
object_ids
- array of stringsComma-separated list of object IDs.
Each string:tags
- array of stringsComma-separated list of tags.
Each string:token_ids
- array of stringsComma-separated list of token IDs.
props
- array of stringsThe list of property names and transformations. To include multiple names and transformations, provide a comma-separated list. For example,
Each string:props=first_name,last_name,email.mask
.The name of a property or a transformation in the format
<property-name>.<transformer-name>
.options
- array of stringsOptions for the operation. Options include:
include_metadata
- show token metadata in the response.- 'include_aggregated_data' - whether to include aggregated data in the response. If not specified, aggregated data is not included. Only applicable if
include_metadata
is set.
adhoc_reason
- stringAn ad-hoc reason for accessing the Vault data. Required when
reason
is set toOther
.reason
- string required*Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false.
custom_audit
- stringCustom audit information to be included in the audit log.
reload_cache
- booleanReloads the cache before the action.
Possible responses
- 200
- 400
- 401
- 403
- 404
- 405
- 409
- 410
- 500
- 503
The request is successful.
- application/json
fields
- object required*A list of maps of object properties and their values.
Example{
"date_of_birth": "1993-02-22",
"email": "patfar@example.com",
"first_name": "Pat",
"last_name": "Far",
"phone_number": "+11011010101"
}token_id
- string required*The token ID.
metadata
- objectagg
- objectmax_effective_expiration_time
- stringLatest expiry of all tokens with the token ID (UTC).
type
- string required*The type of the token:
randomized
– token that represent the property values as they were when the token was created. For non-format preserving tokens, the token ID is taken from the token_id parameter of the request (if applicable) or randomly assigned a unique ID.pointer
– token that represent the property values as they are when the request to detokenize is made. For non-format preserving tokens, the token ID is taken from the token_id parameter of the request (if applicable) or randomly assigned a unique ID.pci
– token that represent property values as they were when the token was created. The token ID reuses the ID of an existing token where both tokens are created on the same collection with the same values and scope. Otherwise, the token ID is either randomly assigned, or taken from the token_id parameter of the request (if applicable).pci_oneway
– PCI token that cannot be detokenized.deterministic
- token that is assigned a deterministic ID based on the collection, tokenized object, property values, and scope.
scope
- string required*The scope of the tokens.
token_id
- string required*The shared ID of the tokens.
tokens
- array of objects required*The metadata for each token.
Each object:creation_time
- string required*Creation time of the token (UTC).
effective_expiration_time
- string required*Effective expiry time of the token (UTC), being the earliest of the expiry time of the token or the object owning the token, if any.
expiration_time
- string required*Expiry time of the token (UTC).
object_id
- stringThe object this token is for.
effective_tenant_id
- stringThe tenant ID of the tokens.
tags
- array of strings required*Tags associated with the token. When token ID is reused, this is all the tags from the tokens that share the ID.
Each string:
[
{
"fields": {
"date_of_birth": "1993-02-22",
"email": "patfar@example.com",
"first_name": "Pat",
"last_name": "Far",
"phone_number": "+11011010101"
},
"token_id": "49303e72-35e3-11ed-a261-0242ac120002",
"metadata": {
"agg": {
"max_effective_expiration_time": "2019-08-24T14:15:22Z"
},
"type": "pci",
"scope": "default",
"token_id": "49303e72-35e3-11ed-a261-0242ac120002",
"tokens": [
{
"creation_time": "2019-08-24T14:15:22Z",
"effective_expiration_time": "2019-08-24T14:15:22Z",
"expiration_time": "2019-08-24T14:15:22Z",
"object_id": "463a83d0-a816-4902-abba-2486e0c0a0bb",
"effective_tenant_id": "string",
"tags": [
"credit_cards"
]
}
]
}
}
]
The request is invalid.
- application/json
context
- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code
- string required*The error code.
message
- string required*The error message.
error_url
- stringThe URL to the error documentation.
{
"error_code": "PV1001",
"message": "The access reason is missing.",
"context": {
"reason": null
}
}
Authentication credentials are incorrect or missing.
- application/json
context
- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code
- string required*The error code.
message
- string required*The error message.
error_url
- stringThe URL to the error documentation.
{
"error_code": "PV1005",
"message": "The request is unauthorized.",
"context": {}
}
The caller doesn't have the required access rights.
- application/json
context
- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code
- string required*The error code.
message
- string required*The error message.
error_url
- stringThe URL to the error documentation.
{
"error_code": "PV1007",
"message": "The operation is forbidden due to missing capabilities.",
"context": {
"username": "WebServer"
}
}
The requested resource is not found.
- application/json
context
- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code
- string required*The error code.
message
- string required*The error message.
error_url
- stringThe URL to the error documentation.
{
"error_code": "PV1004",
"message": "The collection is not found.",
"context": {}
}
The operation is not allowed.
- application/json
context
- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code
- string required*The error code.
message
- string required*The error message.
error_url
- stringThe URL to the error documentation.
{
"error_code": "PV1026",
"message": "The operation is not allowed in in-memory mode.",
"context": {}
}
A conflict occurs.
- application/json
context
- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code
- string required*The error code.
message
- string required*The error message.
error_url
- stringThe URL to the error documentation.
{
"error_code": "PV3218",
"message": "Concurrent conflicting updates to the same object.",
"context": {}
}
Access to a resource that is no longer available occurs.
- application/json
context
- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code
- string required*The error code.
message
- string required*The error message.
error_url
- stringThe URL to the error documentation.
{
"error_code": "PV1033",
"message": "The resource is gone.",
"context": {}
}
An error occurs on the server.
- application/json
context
- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code
- string required*The error code.
message
- string required*The error message.
error_url
- stringThe URL to the error documentation.
{
"error_code": "PV1000",
"message": "Something went wrong",
"context": {}
}
The service is unavailable.
- application/json
context
- object required*The error context.
Values of additional properties are stringsExample{
"objectid": "b56dd6aa-35f0-11ed-a261-0242ac120002"
}error_code
- string required*The error code.
message
- string required*The error message.
error_url
- stringThe URL to the error documentation.
{
"error_code": "PV1009",
"message": "The operation timed out on the server.",
"context": {}
}
Path parameters
Query parameters
Headers
Code examples