Resolve a token

Of course, sometimes, tokens aren't sufficient. Your email marketing partner can’t send emails to a tokenized email address. When a teammate, partner or application needs the original sensitive data, they can request to exchange the token for the sensitive data, by calling the ResolveToken API.

Resolve Token API

The ResolveToken API receives a token and context from the client. The server automatically provides additional context about the request, like where it came from and who the authenticated user was. Tokenizer will then run the token's access policy against the context to evaluate whether access is allowed or denied. If access is allowed, ResolveToken returns the token. If not, it raises an error.

The server data is completed trusted, while the trust level afforded to client data depends on your architecture. Between the two, Tokenizer can support exceptionally sophisticated policy decisions.

Resolution for Accessor-Generated Tokens

When tokens are generated by an accessor, they can be created using a Tokenize By Value Transformer or a Tokenize By Reference Transformer.

  • If the token was generated with a Tokenize By Value Transformer, the token will resolve to the value of the data as it was at the time of the tokenization.
  • If the token was generated with a Tokenize By Reference Transformer, the token will resolve to the latest value of the data. Furthermore, the resolution will only succeed if the user still consents to the data accessor's data processing purpose(s).

For more detail on token resolution, see our API reference for Resolve Token.