Skip to main content

Create hash

post
/api/pvlt/1.0/data/collections/{collection}/hash/objects

Creates a deterministic hash based on an object's property values, collection, and scope. Supports bulk operations.

This operation is similar to using the tokenize operation for a token of type deterministic. The hash value is identical to the token ID generated for the same combination of collection, object, property values, and scope. However, unlike the token, this hash is not stored in Vault's storage and, as such, cannot be detokenized, searched, or invalidated.

The role performing this operation must have both of these:

  • The CapCryptoHasher capability.
  • At least one allowing policy and no denying policies for the hash operation for each of the collection properties specified in the call.

See identity and access management for more information about how Vault uses capabilities to control access to operations and policies to control access to data. ``

Request

Path parameters

  • collection - string required*

    The name of a collection.

Query parameters

  • adhoc_reason - string

    An ad-hoc reason for accessing the Vault data. Required when reason is set to Other.

  • reason - string required*

    Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false.

  • custom_audit - string

    Custom audit information to be included in the audit log.

  • reload_cache - boolean

    Reloads the cache before the action.

Request body

Details of the hashing request.

array of objects required*
Each object:
  • object - object required*

    The input object, defined as one and only one of the following properties.

    • id: the ID of an object.
    • fields: property values of an object.
    • encrypted: an encrypted object.
    • request_index: the index of the object in the request array.

    In stateless mode, id is not supported and either fields or encrypted must be supplied.

    • id - string

      The ID of an object.

    • fields - object

      A list of maps of object properties and their values.

      Example
      {
        "date_of_birth": "1993-02-22",
        "email": "patfar@example.com",
        "first_name": "Pat",
        "last_name": "Far",
        "phone_number": "+11011010101"
      }
    • encrypted - object

      An encrypted object.

      • ciphertext - string required*

        The encrypted object base64 cipher text.

      • scope - string

        The scope used to encrypt the object. By default, it uses the scope of the encrypted object.

    • request_index - integer

      The index of the object in the request array.

    Example
    {
      "fields": {
        "first_name": "John",
        "email": "patfar@example.com"
      }
    }
  • props - array of strings

    A list of the properties to tokenize.

    Each string:
  • scope - string

    A classification for the hash.

  • fpprops - array of strings

    Properties used by the format preserving template for the ID generation. The templates require these properties:

    • the primary_account_number template requires a property of type CC_NUMBER. The token ID is generated from this property by retaining the first six and last four digits and randomizing the remaining digits.
    Each string:
  • fptemplate - string

    The template used to format the generated ID. Supports:

    • primary_account_number that generates an ID that is a valid 16-digit PAN (credit card number). If empty, the format of the ID is a UUID.
Example
{
  "object": {
    "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08"
  },
  "props": [
    "phone_number"
  ],
  "scope": "default"
}
Example
[
  {
    "object": {
      "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08"
    },
    "props": [
      "phone_number"
    ],
    "scope": "default"
  }
]

Possible responses

The request is successful.

array of objects required*
Each object:
  • token_id - string required*

    The ID of the token.

  • object_id - string

    The ID of the newly added object, applicable for tokenizing with store_object is true.

Example
[
  {
    "token_id": "de15a638-354a-11ed-a261-0242ac120002",
    "object_id": "cc9a39c5-4734-4786-b317-e16705d5128f"
  }
]

Try the API

Authorization

Path parameters

Query parameters

Request body

Navigate to the docs of your local Vault installation to try the API directly from there.

Code examples

Example