Of course, sometimes, tokens aren't sufficient. Your email marketing partner can’t send emails to a tokenized email address. When a teammate, partner or application needs the original sensitive data, they can request to exchange the token for the sensitive data, by calling the ResolveToken API.
The ResolveToken API receives a token and context from the client. The server automatically provides additional context about the request, like where it came from and who the authenticated user was. Tokenizer will then run the token's access policy against the context to evaluate whether access is allowed or denied. If access is allowed, ResolveToken returns the token. If not, it raises an error.
The server data is completed trusted, while the trust level afforded to client data depends on your architecture. Between the two, Tokenizer can support exceptionally sophisticated policy decisions.
For more detail on token resolution, see our API reference for Resolve Token.
Updated 29 days ago