# VGS Vault Basics

### What is VGS Vault?

VGS Vault helps us operate with sensitive data without the need to save that information ourselves.

It helps as an intermediary to send that sensitive information between the app and an external service without passing that raw information in our API.

For that, VGS tokenizes with aliases the sensitive information.

### Routes

To tell VGS what information to tokenize and in which endpoints, we have to create ***rules*** also called ***routes***, which will tell VGS which requests it has to intercept and what data has to be tokenized.

#### Inbound Routes

In inbound routes, VGS sits between your client (app / web) and your API.

That means it can intercept the requests that your client does to your API. It can also intercept the response that your API gives to your client.

#### **Outbound Routes**

In outbound routes VGS sits between your API and an external service (example: Rize, Unit, etc).

That means it can intercept the requests that your API does to the external service. It can also intercept the responses that the external services give to your API.

### Phases

Each message passed through a route has a phase that can be *On request* or *On response.*

#### **On request**

When you set a rule to ***On request***, it means that you want to intercept a request.

* If done in an inbound route, it will intercept the request made by the client.
* If done in an outbound route, it will intercept the request made by the API.

#### **On response**

When you set a rule to ***On response***, it means that you want to intercept a response.

* If done in an inbound route, it will intercept the response made by the API.
* If done in an outbound route, it will intercept the response made by the external service.

### Operation

#### **Redact**

When selecting ***redact***, you are tokenizing the data you have set in the body.

#### **Reveal**

When selecting ***reveal***, you are revealing the raw information of the token you have set in the body.

### Storage

#### **Persistent**

Persistent storage means that VGS will keep the relation of the token and the data permanently.

{% hint style="info" %}
**IMPORTANT**: If you ***redacted*** a token with a **persistent** **storage** and you want to ***reveal*** it, the reveal rule has to have ***persistent storage*** too.
{% endhint %}

#### **Volatile**

Volatile storage means that the VGS token of the data will expire in 1 hour.

### Practical example

Let's say you want to **tokenize** the SSN the client **sends** to an external service and that external service **returns** the SSN in the same request and you want to **show it** on the client.

For that you will have to do the following:&#x20;

* Create an ***inbound rule*** tha&#x74;**:**
  * Has ***redact operation*** because you want to tokenize the SSN that the client sends so your API doesn't receive the raw data.
  * Has ***On request*** because the client is making a request to your API.
* Create another ***inbound rule*** that:
  * Has ***reveal operation*** because you want to show back the SSN that the external service is sending in the response to your API in the client.
  * Has ***On response*** because you are responding from your API to the client an SSN token that VGS will provide you.
* Create an ***outbound rule*** that:
  * Has ***reveal operation*** because you want to reveal the raw SSN of the token that your API is sending to the external service.
  * Has ***On request*** because your API is sending the SSN token to the external service with a request.
* Create another ***outbound rule*** that:
  * Has ***redact operation*** because you want to tokenize back the SSN the external service is sending to your API.
  * Has ***On response*** because the external service is sending back a response to your API.