Skip to main content

Update tokens


Updates token data or token metadata tags and expiration properties.

Update token metadata

See the Update a token guide for more information about updating a token's metadata.

Update token data

To update token data, all the tokens must:

  • have the same token ID.
  • be token types pci, pci_oneway, or randomized (metadata can be updated in all token types).

To update a token's data, set the object parameter to contain one of these:

  1. Objects stored in Vault by providing their ID.
  2. Fields not stored in Vault by providing a map of their properties and property values. These fields must conform to the schema of the collection specified in the request.
  3. Ciphertext. This enables you to update a token's data with a subset of another ciphertext's properties or with a different encryption type or scope.

Updates to the token's data do not change the token's metadata, token ID, ownership, or lifecycle of the token . However, the data update may affect subsequent tokenizations. For example, if a token of type pci with ID "X" is updated, subsequent tokenizations of the new data have the same token ID "X," while tokenizations of the previous data results in a new token ID. See Tokenization for more information on token types.


Update to the token's data overrides the entire existing data.


The role performing this operation must have both of these:

  • The CapTokensWriter capability.
  • At least one allowing policy and no denying policies for the write operation for the tokens resource of the collection specified in the call.
    • Updating a token's metadata requires the write operation for the tokens resource of the collection specified in the call.
    • Updating a token's data requires the tokenize operation for each of the collection properties specified in the call.
    • For updating both the metadata and the data of a token, only the tokenize operation permission is required.

See identity and access management for more information about how capabilities are used to control access to operations and policies are used to control access to data.


The tokens returned by this operation are defined using three query parameters: token_ids, object_ids, and tags. If no tokens are matched, status code 404 is returned. See the Retrieve a token guide for more information about how to match tokens for this operation.


Header parameters

  • X-Tenant-Id - array of strings

    List of tenant IDs to enforce on the request.

Path parameters

  • collection - string required*

    The name of a collection.

Query parameters

  • expiration_secs - string

    Expiration time in seconds for the tokens. If not set, the expiry dates of the tokens are not changed. If set to an empty value, the token will be marked to not expire.'

  • object_ids - array of strings

    Comma-separated list of object IDs.

    Each string:
  • tags - array of strings

    Comma-separated list of tags.

  • token_ids - array of strings

    Comma-separated list of token IDs.

  • options - array of strings

    Options for the operation. Options include:

    • archived – whether to update only archived tokens. If not specified, update only active tokens.
    Each string:
  • adhoc_reason - string

    An ad-hoc reason for accessing the Vault data. Required when reason is set to Other.

  • reason - string required*

    Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false.

  • reload_cache - boolean

    Reloads the cache before the action.

Request body

Update token request details.

object required*
  • tags - array of strings

    Replacement tags for the tokens.

    Each string:
  • ensure_unique_tenant_tags - array of strings

    Tags to validate as unique in tenant scope. Must be a subset of 'tags'. Note: The need to ensure the uniqueness of the tags prior to insertion means this feature impacts the operation's performance.

    Each string:
  • object - object

    The input object, defined as one and only one of the following properties.

    • id: the ID of an object.
    • fields: property values of an object.
    • encrypted: an encrypted object.
    • request_index: the index of the object in the request array.

    In stateless mode, id is not supported and either fields or encrypted must be supplied.

    • id - string

      The ID of an object.

    • fields - object

      A list of maps of object properties and their values.

      "date_of_birth": "1993-02-22",
      "email": "",
      "first_name": "Pat",
      "last_name": "Far",
      "phone_number": "+11011010101"
    • encrypted - object

      An encrypted object.

      • ciphertext - string required*

        The encrypted object base64 cipher text.

      • scope - string

        The scope used to encrypt the object. By default, it uses the scope of the encrypted object.

    • request_index - integer

      The index of the object in the request array.

    "fields": {
    "first_name": "John",
    "email": ""
  • props - array of strings

    A list of the properties to update.

    Each string:

    The name of a property.

"tags": [
"ensure_unique_tenant_tags": [
"object": {
"fields": {
"first_name": "John",
"email": ""
"props": [

Possible responses

The request is successful.

Try the API


Path parameters

Query parameters


Request body

Navigate to the docs of your local Vault installation to try the API directly from there.

Code examples