Skip to main content

Tokens

Create Token

Create a new token for the Tenant.

POST
https://api.basistheory.com/tokens
Copy

Permissions

token:create

Request

curl "https://api.basistheory.com/tokens" \
-H "BT-API-KEY: <API_KEY>" \
-H "Content-Type: application/json" \
-X "POST" \
-d '{
"type": "token",
"data": "Sensitive Value",
"mask": "{{ data | reveal_last: 4 }}",
"containers": [ "/general/high/" ],
"metadata": {
"nonSensitiveField": "Non-Sensitive Value"
},
"search_indexes": [
"{{ data }}",
"{{ data | last4 }}"
],
"fingerprint_expression": "{{ data }}",
"deduplicate_token": true,
"expires_at": "8/26/2030 7:23:57 PM -07:00"
}'

Request Parameters

AttributeRequiredTypeDefaultDescription
idfalsestringnullA value or expression specifying the token's ID. If not specified, a UUID will be assigned.
typetruestringnullToken type of the token
datatrueanynullToken data. Can be an object, array, or any primitive type such as an integer, boolean, or string
maskfalseanyDepends on the token typeToken data mask. Can be an object, array, or any primitive type such as an integer, boolean, or string. See mask expressions.
containersfalsearrayDepends on the token typeArray of containers to place this token within. Each container is a path representing a logical grouping of tokens. See Token Containers for details.
metadatafalsemap<string, string>nullA key-value map of strings containing non-sensitive data.
search_indexesfalsearraynullArray of expressions used to generate indexes to be able to search against.
fingerprint_expressionfalsestring{{ data | stringify }}Expressions used to fingerprint your token.
deduplicate_tokenfalseboolnullWhether the token is deduplicated on creation.
expires_atfalsestringnullISO8601 compatible Token expiration DateTime. See Token Expiration for more details.
Never reveal sensitive information in the id of your token. See the documentation on Aliasing to learn more about best practices when specifying your own token ID.
Never store sensitive plaintext information in the metadata of your token.

Response

Returns a token if the token was created. Returns an error if there were validation errors, or the token failed to create.

{
"id": "c06d0789-0a38-40be-b7cc-c28a718f76f1",
"tenant_id": "77cb0024-123e-41a8-8ff8-a3d5a0fa8a08",
"type": "token",
"data": "XXXXXXXXXXXalue",
"mask": "{{ data | reveal_last: 4 }}",
"containers": ["/general/high/"],
"metadata": {
"nonSensitiveField": "Non-Sensitive Value"
},
"search_indexes": ["{{ data }}", "{{ data | last4 }}"],
"fingerprint_expression": "{{ data }}",
"created_by": "fb124bba-f90d-45f0-9a59-5edca27b3b4a",
"created_at": "2020-09-15T15:53:00+00:00",
"expires_at": "2030-08-26T19:23:57-07:00"
}

List Tokens

Get a list of tokens for the Tenant, supporting basic search criteria. If you need to perform a search on token data, see Search Tokens.

GET
https://api.basistheory.com/tokens
Copy

Permissions

token:read

Request

curl "https://api.basistheory.com/tokens" \
-H "BT-API-KEY: <PRIVATE_API_KEY>"

Query Parameters

ParameterRequiredTypeDefaultDescription
idfalsestringnullOne to many Token IDs to retrieve. Multiple IDs can be passed in the form ?id=<value1>&id=<value2>.
metadata.[key]falsemap{}Map of key-value pairs to filter tokens with matching metadata in the form ?metadata.key1=value1&metadata.key2=value2. Note, [key] must be unique and repeated keys will be ignored. Metadata will be searched for a case-insensitive, exact match. Multiple parameters will be ANDed together.

Response

Returns a paginated object with the data property containing an array of tokens. Token data will be returned according to the transform applied within the requesting Application's Access Controls. Providing any query parameters will filter the results. Returns an error if tokens could not be retrieved.

{
"pagination": {...},
"data": [
{
"id": "c06d0789-0a38-40be-b7cc-c28a718f76f1",
"type": "token",
"tenant_id": "77cb0024-123e-41a8-8ff8-a3d5a0fa8a08",
"data": "secret data",
"containers": ["/general/high/"],
"metadata": {
"nonSensitiveField": "Non-Sensitive Value"
},
"created_by": "fb124bba-f90d-45f0-9a59-5edca27b3b4a",
"created_at": "2021-03-01T08:23:14+00:00"
},
{...},
{...}
]
}

Get a Token

Get a token by ID in the Tenant.

GET
https://api.basistheory.com/tokens/{id}
Copy

Permissions

token:read

Request

curl "https://api.basistheory.com/tokens/c06d0789-0a38-40be-b7cc-c28a718f76f1" \
-H "BT-API-KEY: <PRIVATE_API_KEY>"

URI Parameters

ParameterRequiredTypeDefaultDescription
idtruestringnullThe ID of the token

Response

Returns a token with the id provided. Token data will be returned according to the transform applied within the requesting Application's Access Controls. Returns an error if the token could not be retrieved.

{
"id": "c06d0789-0a38-40be-b7cc-c28a718f76f1",
"type": "token",
"tenant_id": "77cb0024-123e-41a8-8ff8-a3d5a0fa8a08",
"data": "secret data",
"containers": ["/general/high/"],
"metadata": {
"nonSensitiveField": "Non-Sensitive Value"
},
"created_by": "fb124bba-f90d-45f0-9a59-5edca27b3b4a",
"created_at": "2021-03-01T08:23:14+00:00"
}

Update Token

Update an existing token for the Tenant.

PATCH
https://api.basistheory.com/tokens/{id}
Copy

Permissions

token:update
The Update Tokens endpoint uses a different content-type to support merge-patch operations. Requests need the Content-Type header to be set to application/merge-patch+json. Requests made with a different Content-Type header value will receive a 415 Unsupported Media Type response code. For more information on merge-patch, see RFC 7386.

Request

curl "https://api.basistheory.com/tokens/c06d0789-0a38-40be-b7cc-c28a718f76f1" \
-H "BT-API-KEY: <API_KEY>" \
-H "Content-Type: application/merge-patch+json" \
-X "PATCH" \
-d '{
"data": "Sensitive Value",
"mask": "{{ data | reveal_last: 4 }}",
"metadata": {
"nonSensitiveField": "Non-Sensitive Value"
},
"search_indexes": [
"{{ data }}",
"{{ data | last4 }}"
],
"fingerprint_expression": "{{ data }}",
"deduplicate_token": true,
}'

Request Parameters

AttributeRequiredTypeBehaviorDescription
datafalseanyMerge Patch (see RFC 7386)Token data. Can be an object, array, or any primitive type such as an integer, boolean, or string
maskfalseanyMerge Patch (see RFC 7386)Token data mask. Can be an object, array, or any primitive type such as an integer, boolean, or string. See mask expressions.
metadatafalsemap<string, string>Merge Patch (see RFC 7386)A key-value map of strings containing non-sensitive data.
containersfalsearrayReplaceArray of containers to place this token within. Each container is a path representing a logical grouping of tokens. See Token Containers for details.
search_indexesfalsearrayReplaceArray of expressions used to generate indexes to be able to search against.
fingerprint_expressionfalsestringReplaceExpressions used to fingerprint your token.
deduplicate_tokenfalseboolReplaceWhether the token is deduplicated on creation.
expires_atfalsestringReplaceISO8601 compatible Token expiration DateTime. See Token Expiration for more details.

Response

Returns the updated token if successful. Returns an error if there were validation errors, or the token failed to create.

{
"id": "c06d0789-0a38-40be-b7cc-c28a718f76f1",
"tenant_id": "77cb0024-123e-41a8-8ff8-a3d5a0fa8a08",
"type": "token",
"data": "XXXXXXXXXXXalue",
"mask": "{{ data | reveal_last: 4 }}",
"containers": ["/general/high/"],
"metadata": {
"nonSensitiveField": "Non-Sensitive Value"
},
"search_indexes": ["{{ data }}", "{{ data | last4 }}"],
"fingerprint_expression": "{{ data }}",
"created_by": "fb124bba-f90d-45f0-9a59-5edca27b3b4a",
"created_at": "2020-09-15T15:53:00+00:00"
}
If the updated token results in a duplicate of an existing token and the application does not have the original token's read permission, the data,metadata, fingerprint_expression, search_indexes and mask attributes will be redacted.

Delete Token

Delete a token by ID in the Tenant.

DELETE
https://api.basistheory.com/tokens/{id}
Copy

Permissions

token:delete
The data associated with a deleted token will be removed forever. The reference will still exist for audit purposes.

Request

curl "https://api.basistheory.com/tokens/c06d0789-0a38-40be-b7cc-c28a718f76f1" \
-H "BT-API-KEY: <PRIVATE_API_KEY>" \
-X "DELETE"

URI Parameters

ParameterRequiredTypeDefaultDescription
idtruestringnullThe ID of the token

Response

Returns an error if the token failed to delete.

Token Object

AttributeTypeDescription
idstringUnique identifier of the token which can be used to get a token
tenant_iduuidThe Tenant ID which owns the token
typestringToken type
dataanyToken data
maskanyAn expression defining the mask to apply when retrieving token data with restricted permissions.
enrichmentsobjectOnly available when detokenizing and with expressions.

An object containing the enrichments applied to this token. See Token Enrichments for available enrichements.
fingerprintstringUniquely identifies the contents of this token. See Token Types for the default expression for each token type.
containersarrayArray of containers to place this token within. Each container is a path representing a logical grouping of tokens. See Token Containers for details.
metadatamap<string, string>A key-value map of strings containing non-sensitive data.
search_indexesarray(Optional) Array of search index expressions used when creating the token.
fingerprint_expressionstring(Optional) An expression defining the value to fingerprint when creating the token.
expires_atstring(Optional) The token expiration date.
created_byuuidThe Application ID which created the token
created_atdateCreated date of the token in ISO 8601 format
modified_byuuid(Optional) The Application ID which last modified the token
modified_atdate(Optional) Last modified date of the token in ISO 8601 format

Token Data Validations

Bank Object

AttributeRequiredTypeDefaultDescription
routing_numbertruestringnullNine-digit ABA routing number. Its checksum is validated.
account_numbertruestringnullAccount number up to seventeen-digits

Card Object

AttributeRequiredTypeDefaultDescription
numbertruestringnullThe card number without any separators
expiration_monthfalseintegernullTwo-digit number representing the card's expiration month
expiration_yearfalseintegernullFour-digit number representing the card's expiration year
cvcfalsestringnullThree or four-digit card verification code with automatic expiration

See Test Card Numbers for suggested test data when using cards.

The cvc property automatically expires and is deleted after one hour in order to comply with PCI requirements.

If you have a business case that requires retaining cvc for longer than one hour, it may be possible to extend the expiration time while maintaining PCI compliance. Please reach out to our support team for assistance.

Token Expiration

By default a created token will not expire, however, users can optionally set the expires_at property with an ISO8601 DateTime when creating a token to determine its expiration date. An expired token is deleted from the tenant up to 1 hour after its expiration time.

Expiration Date Formats

FormatExample
DateTime String w/ Offset8/26/2030 7:23:57 PM -07:00
ShortDate String9/27/2030
If an offset is not provided with the DateTime string, it's considered that the provided time is in UTC. When using the ShortDate format, the expiration time will be set as 12AM UTC.