VGS Vault Basics

What is VGS Vault?

VGS Vault lets us work with sensitive data without having to store that information ourselves.

It acts as an intermediary that carries sensitive information between the app and an external service, so the raw values never pass through our API.

To do that, VGS tokenizes the sensitive information, replacing it with aliases.

Routes

To tell VGS what information to tokenize and on which endpoints, we create rules, also called routes. They tell VGS which requests to intercept and which data to tokenize.

Inbound Routes

In inbound routes, VGS sits between your client (app / web) and your API.

That means it can intercept the requests that your client makes to your API. It can also intercept the responses that your API gives to your client.

Outbound Routes

In outbound routes, VGS sits between your API and an external service (for example, Rize or Unit).

That means it can intercept the requests that your API makes to the external service. It can also intercept the responses that the external service gives to your API.

Phases

Each message passed through a route has a phase that can be On request or On response.

On request

When you set a rule to On request, it means that you want to intercept a request.

  • If done in an inbound route, it will intercept the request made by the client.

  • If done in an outbound route, it will intercept the request made by the API.

On response

When you set a rule to On response, it means that you want to intercept a response.

  • If done in an inbound route, it will intercept the response made by the API.

  • If done in an outbound route, it will intercept the response made by the external service.

Operation

Redact

When selecting redact, you are tokenizing the data you have set in the body.

Reveal

When selecting reveal, you are revealing the raw information of the token you have set in the body.

Storage

Persistent

Persistent storage means that VGS will keep the mapping between the token and the data permanently.

IMPORTANT: If you redacted data with persistent storage and you want to reveal it, the reveal rule has to use persistent storage too.

Volatile

Volatile storage means that the VGS token of the data will expire in 1 hour.

Practical example

Let's say you want to tokenize the SSN that the client sends to an external service, the external service returns the SSN in its response to that same request, and you want to show it on the client.

For that you will have to do the following:

  • Create an inbound rule that:

    • Has redact operation because you want to tokenize the SSN that the client sends so your API doesn't receive the raw data.

    • Has On request because the client is making a request to your API.

  • Create another inbound rule that:

    • Has reveal operation because you want to show the client the SSN that the external service sent back in its response to your API.

    • Has On response because your API is responding to the client with an SSN token that VGS provided.

  • Create an outbound rule that:

    • Has reveal operation because you want to reveal the raw SSN of the token that your API is sending to the external service.

    • Has On request because your API is sending the SSN token to the external service with a request.

  • Create another outbound rule that:

    • Has redact operation because you want to tokenize back the SSN the external service is sending to your API.

    • Has On response because the external service is sending back a response to your API.
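
The four rules above, traced in message order through a small in-memory model. This is an added example, not VGS code or configuration: `ToyVault`, `apply_rule`, `run_flow`, the `tok_` alias format and the sample SSN are constructed for illustration, and raising an error on a failed reveal is this model's own choice.

```python
import secrets

VOLATILE_TTL = 3600  # seconds; the page says volatile tokens expire in 1 hour

class ToyVault:
    """In-memory model of the token store. Not VGS code or its API."""
    def __init__(self):
        self.stores = {"persistent": {}, "volatile": {}}

    def redact(self, value, storage, now=0):
        alias = "tok_" + secrets.token_hex(8)  # constructed alias format
        expires = now + VOLATILE_TTL if storage == "volatile" else None
        self.stores[storage][alias] = (value, expires)
        return alias

    def reveal(self, alias, storage, now=0):
        # A reveal rule only finds tokens written with the same storage type.
        value, expires = self.stores[storage].get(alias, (None, 0))
        if expires is not None and now >= expires:
            raise LookupError("no live token in %s storage" % storage)  # model's choice
        return value

def apply_rule(vault, body, operation, storage, field="ssn"):
    """Run one rule (redact or reveal) over one field of a message body."""
    op = vault.redact if operation == "redact" else vault.reveal
    return {**body, field: op(body[field], storage)}

def run_flow(vault, client_body, storage="persistent"):
    """Follow the SSN through the four rules; return what each party sees."""
    # Inbound, On request, redact: the API receives only an alias.
    to_api = apply_rule(vault, client_body, "redact", storage)
    # Outbound, On request, reveal: the external service gets the raw SSN.
    to_service = apply_rule(vault, to_api, "reveal", storage)
    from_service = {"ssn": to_service["ssn"]}  # constructed echo response
    # Outbound, On response, redact: the API again receives only an alias.
    back_to_api = apply_rule(vault, from_service, "redact", storage)
    # Inbound, On response, reveal: the client sees the raw SSN.
    to_client = apply_rule(vault, back_to_api, "reveal", storage)
    return {"api_received": to_api["ssn"], "service_received": to_service["ssn"],
            "api_got_back": back_to_api["ssn"], "client_received": to_client["ssn"]}

if __name__ == "__main__":
    print(run_flow(ToyVault(), {"ssn": "000-12-3456"}))  # constructed SSN
```

In this model, redacting with persistent storage and then revealing with volatile storage raises `LookupError`, which is the mismatch the IMPORTANT note under Storage describes.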
