Strac Developer Documentation (1.0.0)

Download OpenAPI specification:Download

Introduction

Strac (Y Combinator backed) offers No-Code solutions and APIs to businesses so that they don't have to worry about handling PII (Personally Identifiable Information), PHI (Protected Health Information) and PCI (Payments Card Industry) data like SSN, Drivers License, Address, Date of Birth, Employment History, Credit Card, Patient Data, Bank Accounts, API Keys, and more.

Strac offers detection and redaction APIs where developers can detect or redact sensitive data in text or documents.

No-Code Data Leak Prevention (DLP) Integrations

Configure Strac in any of your SaaS or Cloud (AWS, Azure, GCP) app and automatically detect and redact sensitive data. Define Custom Policies on what data elements to redact, when to redact, who should access, get audit reports and more.

Here are the list of all integrations: https://strac.io/integrations


Strac Integrations

Cross-Origin Resource Sharing

This API features Cross-Origin Resource Sharing (CORS) implemented in compliance with the W3C spec. It allows cross-domain communication from the browser.

Authentication

Strac uses API keys to authenticate requests. Pass an API Key in passed in HTTP Header as X-Api-Key. API Key is prefixed with sk_ Please do not share your secret API key in publicly accessible areas such as GitHub, client-side code, and so forth. Securely Keep it on the server side. All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.

Test Mode

Under test mode, API keys will have the prefix sk_test_ and requests will use endpoint https://api.test.tokenidvault.com.

Live Mode

Under live mode, API keys will have the prefix sk_live_ and requests will use endpoint https://api.live.tokenidvault.com.

API_Key

To obtain API keys, please reach out to hello@strac.io.

Security Scheme Type: API Key
Header parameter name: X-Api-Key

Document

Sensitive document that you can upload, redact, or download. Examples include an identity document like a driver's licenses or passport, tax documents, medical records, and employment verification documents.

Create document

Uploads a document to the vault, handing back a reference ID. The document is immutable: repeating this operation results in a new stored document and reference ID.

SecurityAPI_Key
Request
Request Body schema: multipart/form-data
document
required
string <binary>

Document to uploaded. The maximum document size is 10 MB.

Responses
200

OK

400

Bad Request

401

Unauthorized

413

Request Entity Too Large

500

Internal Server Error

post/documents
Request samples
curl --location --request POST 'https://api.test.tokenidvault.com/documents' \
--header 'X-Api-Key: <your API key>' \
--form document=@/Users/sensitive-document.pdf
Response samples
application/json
{
  • "id": "doc_jgP1m98fdsnzBQh43uzCpt",
  • "content_type": "image/jpeg",
  • "creation_time": "2021-02-10T06:34:39.000Z",
  • "size": 31403
}

Get original document

Download the original document given the document ID

SecurityAPI_Key
Request
path Parameters
documentId
required
string

ID of document

Example: doc_65T78zexKxbqUz34gbLGiX
Responses
200

OK

400

Bad Request

401

Unauthorized

500

Internal Server Error

get/documents/{documentId}
Request samples
curl --location --request GET 'https://api.test.tokenidvault.com/documents/doc_65T78zexKxbqUz34gbLGiX' \
--header 'X-Api-Key: <your API key>'

Response samples
application/json
{
  • "error_code": "InvalidDocumentId"
}

Delete document

Delete a document with a given ID

SecurityAPI_Key
Request
path Parameters
documentId
required
string

ID of document

Example: doc_65T78zexKxbqUz34gbLGiX
query Parameters
redacted
boolean

Delete redacted document vs. original (default)

Example: redacted=true
Responses
204

No Content

400

Bad Request

401

Unauthorized

500

Internal Server Error

delete/documents/{documentId}
Request samples
curl --location --request DELETE 'https://api.test.tokenidvault.com/documents/doc_65T78zexKxbqUz34gbLGiX' \
--header 'X-Api-Key: <your API key>' \
--header 'Content-Type: application/json'
Response samples
application/json
{
  • "error_code": "InvalidDocumentId"
}

Token

Sensitive data elements that you can create, search or detokenize. Examples include credentials like api keys or passwords, social security numbers, national ids, credit card numbers, name and phone numbers.

Create token

Send sensitive data to the vault, handing back a reference identifier. The token is immutable after creation unless your API key grants additional permissions to perform an update or deletion. By default, a new token is generated for each request unless idempotent: true is specified.

SecurityAPI_Key
Request
Request Body schema: application/json
type
required
string (TokenType)

Type of PII Data Element

Enum: "account-number" "address-city" "address-line1" "address-line2" "address-state" "address-zip-code" "api-key" "api-secret" "dob" "dob-day" "dob-month" "dob-year" "document" "document-identification-number" "password" "ssn" "national-id-number" "first-name" "full-name" "middle-name" "last-name" "phone" "photo" "sex" "matricula-consular" "medical-record-number" "age" "routing-number" "drivers-license-number" "employer-identification-number" "email-address" "international-bank-account-number" "swift-code" "ip-address" "mac-address" "passport-number" "vehicle-identification-number"
data
required
string

Value of the PII Data Element

tags
Array of strings

Tags used to label the token.

idempotent
boolean
Default: false

A token is idempotent if an identical create token request can be made once or several times in a row with the same effect of creating a single token with the same id.

For example, creating a token with {"type": "ssn", "data": "111-22-3333"} twice will return two different tokens (e.g., {"id": "tkn_jgP1m98fdsnzBQh43uzCpt"} and {"id": "tkn_dGtuX2pnUDFtOThmZHNuek"}).

Whereas creating a token with {"type": "ssn", "data": "111-22-3333", "idempotent": true} twice will return the same tokens (e.g., {"id": "tkn_jgP1m98fdsnzBQh43uzCpt"} and {"id": "tkn_jgP1m98fdsnzBQh43uzCpt"}).

Fraud detection is a common use case for idempotent tokens. When collecting customer identity (e.g., SSN, card number), an idempotent token can be created to allow Transactional Risk Management Systems to track unique customer activity across your application.

Responses
200

Success

400

Bad Request

401

Unauthorized

500

Internal Server Error

post/tokens
Request samples
application/json
{
  • "type": "ssn",
  • "data": "111-22-3333",
  • "tags": [
    ],
  • "idempotent": false
}
Response samples
application/json
{
  • "id": "tkn_jgP1m98fdsnzBQh43uzCpt",
  • "type": "ssn"
}

Delete token

Delete an existing token. Access to this API is restricted to server-to-server connections. Please contact Strac to add your IP addresses to the allowlist only for live.

SecurityAPI_Key
Request
path Parameters
tokenId
required
string

ID of token

Example: tkn_jgP1m98fdsnzBQh43uzCpt
Responses
204

No Content

delete/tokens-modify/{tokenId}
Request samples
curl --request DELETE 'https://api.test.tokenidvault.com/tokens-modify/tkn_jgP1m98fdsnzBQh43uzCpt' \
    --header 'X-Api-Key: <your_api_key>' \
    --header 'Content-Type: application/json'
    

Update token

Update an existing token's value and type. Updates to tokens created with idempotency, as well as updates to tags, are not supported. Access to this API is restricted to server-to-server connections. Please contact Strac to add your IP addresses to the allowlist only for live.

SecurityAPI_Key
Request
path Parameters
tokenId
required
string

ID of token

Example: tkn_jgP1m98fdsnzBQh43uzCpt
Request Body schema: application/json
type
required
string (TokenType)

Type of PII Data Element

Enum: "account-number" "address-city" "address-line1" "address-line2" "address-state" "address-zip-code" "api-key" "api-secret" "dob" "dob-day" "dob-month" "dob-year" "document" "document-identification-number" "password" "ssn" "national-id-number" "first-name" "full-name" "middle-name" "last-name" "phone" "photo" "sex" "matricula-consular" "medical-record-number" "age" "routing-number" "drivers-license-number" "employer-identification-number" "email-address" "international-bank-account-number" "swift-code" "ip-address" "mac-address" "passport-number" "vehicle-identification-number"
data
required
string

Value of the PII Data Element

Responses
200

Success

400

Bad Request

401

Unauthorized

500

Internal Server Error

put/tokens-modify/{tokenId}
Request samples
application/json
{
  • "type": "ssn",
  • "data": "123-45-6789"
}
Response samples
application/json
{
  • "id": "tkn_jgP1m98fdsnzBQh43uzCpt",
  • "type": "ssn"
}

Create tokens

Send up to 200 sensitive data elements to the vault, handing back reference identifiers for each data element. The tokens are immutable after creation unless your API key grants additional permission to perform an update or deletion. Each requests produces a new set of tokens. If any of the data elements in the request fail to be created, the entire request will fail.

SecurityAPI_Key
Request
Request Body schema: application/json
Array of objects

Tokens to be created.

Responses
200

Success

400

Bad Request

401

Unauthorized

500

Internal Server Error

post/tokens/batch
Request samples
application/json
{
  • "tokens": [
    ]
}
Response samples
application/json
{
  • "tokens": [
    ]
}

Search for tokens (by data)

Search for tokens by data. Access to this API is restricted to server-to-server connections. Please contact Strac to add your IP addresses to the allowlist only for live.

SecurityAPI_Key
Request
Request Body schema: application/json

Search for a Token

type
required
string (TokenType)

Type of PII Data Element

Enum: "account-number" "address-city" "address-line1" "address-line2" "address-state" "address-zip-code" "api-key" "api-secret" "dob" "dob-day" "dob-month" "dob-year" "document" "document-identification-number" "password" "ssn" "national-id-number" "first-name" "full-name" "middle-name" "last-name" "phone" "photo" "sex" "matricula-consular" "medical-record-number" "age" "routing-number" "drivers-license-number" "employer-identification-number" "email-address" "international-bank-account-number" "swift-code" "ip-address" "mac-address" "passport-number" "vehicle-identification-number"
data
required
string

Value of the PII Data Element

Responses
200

Success

400

Bad Request

401

Unauthorized

500

Internal Server Error

post/tokens-search/data
Request samples
application/json
{
  • "type": "ssn",
  • "data": "111-22-3333"
}
Response samples
application/json
{
  • "tokens": [
    ]
}

Search for tokens (by tag)

Search for tokens by tag. Access to this API is restricted to server-to-server connections. Please contact Strac to add your IP addresses to the allowlist only for live.

SecurityAPI_Key
Request
Request Body schema: application/json

Search for a Token

tags
Array of strings

Tags used to label the token

Responses
200

Success

400

Bad Request

401

Unauthorized

500

Internal Server Error

post/tokens-search/tag
Request samples
application/json
{
  • "tags": [
    ]
}
Response samples
application/json
{
  • "tokens": [
    ]
}

Token info

Extract information about the token without revealing the original sensitive data in full. For example, last four digits of a social security number. See HTTP 200 Success response schema for supported token types and attributes that can be revealed.

SecurityAPI_Key
Request
Request Body schema: application/json
id
required
string

id of a token

Responses
200

Success

400

Bad Request

401

Unauthorized

404

Not Found

500

Internal Server Error

post/tokens-info
Request samples
application/json
{
  • "id": "tkn_jgP1m98fdsnzBQh43uzCpt"
}
Response samples
application/json
{
  • "type": "ssn",
  • "last4": "2912"
}

Detokenize tokens

Retrieve the original sensitive data for up to 10 tokens. Access to this API is restricted to server-to-server connections. Please contact Strac to add your IP addresses to the allowlist only for live. For browser-to-server use cases, see Detokenize Proxy.

SecurityAPI_Key
Request
Request Body schema: application/json

Detokenize Tokens

Array of objects

Tokens that will be detokenized.

Responses
200

Success

400

Bad Request

401

Unauthorized

500

Internal Server Error

post/tokens-detokenize/batch
Request samples
application/json
{
  • "tokens": [
    ]
}
Response samples
application/json
{
  • "tokens": [
    ]
}

Detect

Detect sensitive data elements from text and documents. Sensitive data elements include credentials like api keys or passwords, social security numbers, national ids, credit card numbers, name and phone numbers.

Detect

Detect sensitive data from a document or text

SecurityAPI_Key
Request
Request Body schema: application/json

Detect document input

document_type
required
string

Format of the document to detect. Use text for all utf-8 encoded text files and use generic for images.

Enum: "text" "generic"
document_id
string

ID of the document to detect. The ID can be obtained from calling the create document API. One of document_id or document_content is required.

document_content
string

Content of the document to detect in data URL scheme. Max size is 4 MB. One of document_id or document_content is required.

Responses
200

OK

400

Bad Request

401

Unauthorized

500

Internal Server Error

post/detect
Request samples
application/json
{
  • "document_type": "generic",
  • "document_id": "doc_jgP1m98fdsnzBQh43uzEzb",
  • "document_content": ""
}
Response samples
application/json
{
  • "detectedEntities": [
    ]
}

Redact

Redact (AKA Mask) sensitive data elements from text and documents. Sensitive data elements include credentials like api keys or passwords, social security numbers, national ids, credit card numbers, name and phone numbers.

Redact document

Performs redaction against a document in the vault.

Here is an example of a W2 Tax Return and how it looks like after redaction:


W2 Tax Return


W2 Tax Return Redacted

SecurityAPI_Key
Request
Request Body schema: application/json

Redact document input

document_id
required
string

ID of document to redact.

document_type
required
string

Format of the document to redact. Note: Use text for all utf-8 encoded text files, use generic for images and use dl for any type of state identification that isn't a national passport image.

Enum: "text" "generic" "cv" "dl" "i9" "legal" "passport" "w4" "w4_ca"
ux_config
object

JSON string to express settings to control the look and feel of the redacted document. Currently only supported for CV to render a user-supplied value in the top-right corner: { "placements": { "top_right": "your value" } }

Responses
200

OK

400

Bad Request

401

Unauthorized

500

Internal Server Error

post/redact
Request samples
application/json
{
  • "document_id": "doc_jgP1m98fdsnzBQh43uzEzb",
  • "document_type": "passport",
  • "ux_config": { }
}
Response samples
application/json
{
  • "detectedEntities": [
    ]
}

Redact text

Performs redaction against inline text content. The way text is redacted depends on the redact field mode; for modes that replace sensitive text with a link to the Strac document vault, you must onboard with the Strac vault website and supply a base strac endpoint.

For example, with input text: Please onboard the user with SSN 123-45-6789 and type text, the redaction would produce: Please onboard the user with SSN <sensitive_data: https://test.strac.io/#/detokenize/tkn_0QLgEGZSerpfuFSEbotIN75o>.

SecurityAPI_Key
Request
Request Body schema: application/json

Redact text input

content
required
string

Inline content of text to redact.

type
required
string

Format of the text to redact.

Value: "text"
redact_field_mode
any

Determines the way the redacted portions of the string will be represented in the redactedContent. This setting can be used to create a standard redaction style throughout your application or to customize the appearance of redactions based on user preference or other criteria. The field defaults to REDACTED and accepts the following string values:

  • BLANK: redacted text is replaced with a blank string
  • MASK_SEVEN_X: redacted text is replaced with XXXXXXX
  • REDACTED: redacted text is replaced with [REDACTED]
  • TOKEN_LINK_PLAINTEXT: redacted text is replaced with <sensitive_data: https://test.strac.io/#/detokenize/tkn_0QLgEGZSerpfuFSEbotIN75o>
Enum: "BLANK" "MASK_SEVEN_X" "REDACTED" "TOKEN_LINK_PLAINTEXT"
Responses
200

OK

400

Bad Request

401

Unauthorized

500

Internal Server Error

post/redact
Request samples
application/json
{
  • "content": "Hello, please process the user with SSN 123-45-6789. The user's DL number is 12345678901",
  • "type": "text",
  • "redact_field_mode": "REDACTED"
}
Response samples
application/json
{
  • "detectedEntities": [
    ],
  • "redacted_content": "Hello, please process the user with SSN [REDACTED]. The user's DL number is [REDACTED]"
}

Get redacted document

Download the redacted document given the document ID

SecurityAPI_Key
Request
path Parameters
documentId
required
string

ID of document

Example: doc_65T78zexKxbqUz34gbLGiX
Responses
200

OK

400

Bad Request

401

Unauthorized

500

Internal Server Error

get/redacted-documents/{documentId}
Request samples
curl --location --request GET 'https://api.test.tokenidvault.com/redacted-documents/doc_65T78zexKxbqUz34gbLGiX' \
--header 'X-Api-Key: <your API key>'

Response samples
application/json
{
  • "error_code": "InvalidDocumentId"
}

Get redacted document tokens

Retrieve token identifiers within a redacted document.

SecurityAPI_Key
Request
path Parameters
documentId
required
string

ID of document

Example: doc_65T78zexKxbqUz34gbLGiX
Responses
200

OK

400

Bad Request

401

Unauthorized

500

Internal Server Error

get/redacted-documents/{documentId}/tokens
Request samples
curl --location --request GET 'https://api.test.tokenidvault.com/redacted-documents/doc_65T78zexKxbqUz34gbLGiX/tokens' \
    --header 'X-Api-Key: <your API key>'
Response samples
application/json
{
  • "tokens": [
    ]
}

Proxy

Securely offload movement of sensitive data to third-party (outbound), end-users (inbound) or your servers (webhook).

Outbound proxy

Send any HTTP request (e.g., POST, PUT, PATCH, GET, DELETE, and OPTIONS) to third-party using tokens in place of sensitive data. Please contact Strac to add the third-party URL and schema into the allow list.


Call flow from your back-end servers (client) to third-party does not change except for the following:

(1) you will call Strac's proxy instead of the third-party directly

(2) you can send tokens instead of sensitive data such as API keys and SSN

(3) you can receive tokens for sensitive data you expect in the response


The diagram below illustrates the standard call flow:


Outbound proxy


If an error occurs due to integration with Strac (e.g., authentication, configuration, outage), a x-strac-error header will be set with the value true. This header will not be set if the failure is caused by third-party errors.

SecurityAPI_Key
Request
header Parameters
Target-Url
required
string

A required target URL to which Strac proxies

Example: https://third-party-endpoint.com/sample
Responses
200

Success response from the third-party endpoint that proxy connected to

400

Bad Request

401

Not Authorized Request

500

Internal Server Error

post/proxy
Request samples
curl --location --request <your verb> 'https://api.test.tokenidvault.com/proxy' \
    --header 'X-Api-Key: <your API key>' \
    --header 'Content-Type: application/json' \
    --header 'Target-Url: <third-party endpoint>'
    --data-raw '{
        "bankdata": {
            "ip_address": "127.0.0.40"
        },
        "citizenship": "US",
            "date_of_birth": "1980-02-22",
            "email_address": "gwash@whitehouse.gov",
            "first_name": "George",
            "last_name": "Washington",
            "phone_number": "2025551111",
            "physical_address": {
            "street_line_1": "1600 Pennsylvania Ave",
                "city": "Washington",
                "state": "DC",
                "postal_code": "20500"
        },
        "tin": "tkn_lT8RtnYLfpmfecvAfWqzlMnO"
    }'
Response samples
application/json
{
  • "error_code": "InvalidRequest"
}

Outbound proxy with redaction

Send any HTTP request (e.g., POST, PUT, PATCH, GET, DELETE, and OPTIONS) to a third-party service but with sensitive data replaced by redacted, non-sensitive equivalents. This ensures the security and privacy of the original information while still enabling interactions with third-party services such as Large Language Models (LLMs). Please contact Strac to add the third-party URL and schema into the allow list.


Call flow from your back-end servers (client) to third-party does not change except for the following:

(1) you will call Strac's proxy instead of the third-party directly

(2) your sensitive data such as SSN, passport numbers will be replaced with a non-sensitive equivalent (e.g., [REDACTED])


The diagram below illustrates the standard call flow:


Outbound proxy


If an error occurs due to integration with Strac (e.g., authentication, configuration, outage), a x-strac-error header will be set with the value true. This header will not be set if the failure is caused by third-party errors.

SecurityAPI_Key
Request
header Parameters
Target-Url
required
string

A required target URL to which Strac proxies

Example: https://third-party-endpoint.com/sample
Responses
200

Success response from the third-party endpoint that proxy connected to

400

Bad Request

401

Not Authorized Request

500

Internal Server Error

post/proxy-redact
Request samples
curl --location --request <your verb> 'https://api.test.tokenidvault.com/proxy-redact' \
   --header 'X-Api-Key: <your API key>' \
   --header 'Content-Type: application/json' \
   --header 'Target-Url: <third-party endpoint>'
   --data-raw '{
       "bankdata": {
           "ip_address": "127.0.0.40"
       },
       "citizenship": "US",
           "date_of_birth": "1980-02-22",
           "email_address": "gwash@whitehouse.gov",
           "first_name": "George",
           "last_name": "Washington",
           "phone_number": "2025551111",
           "physical_address": {
           "street_line_1": "1600 Pennsylvania Ave",
               "city": "Washington",
               "state": "DC",
               "postal_code": "20500"
       },
       "tin": "153-23-4323"
   }'
Response samples
application/json
{
  • "error_code": "InvalidRequest"
}

Inbound detokenize proxy

Retrieve the original sensitive data from browsers and apps for up to 10 tokens. When this API is invoked, the request headers and body are forwarded to your authorization server for end-user authorization. Once the request is authorized, the original sensitive data will be returned to the caller.


The diagram below illustrates the standard call flow:


Inbound proxy

SecurityAPI_Key
Request
Request Body schema: application/json

Detokenize Proxy Input

Array of objects

Tokens that will be detokenized.

Responses
200

Success response from authorization server with detokenized tokens decorated into the response

400

Bad Request

401

Unauthorized

403

Forbidden

500

Internal Server Error

post/proxy-detokenize
Request samples
application/json
{
  • "tokens": [
    ]
}
Response samples
application/json
{
  • "tokens": [
    ]
}

Webhook proxy

Receive any HTTP webhook requests from third-party using tokens in place of sensitive data. Please contact Strac to generate a webhookId and setup your API endpoint.


Call flow from third-party servers to your servers does not change except for the following:

(1) you will configure the webhook to call Strac's proxy instead of your own endpoint

(2) you can receive tokens instead of sensitive data such as SSN and bank account numbers

(3) you can send tokens instead of sensitive data such as SSN and bank account numbers


The diagram below illustrates the standard call flow:


Outbound proxy

SecurityAPI_Key
Request
path Parameters
webhookId
required
string

The ID of the webhook

Responses
200

Success response from the your server that proxy is connected to

500

Internal Server Error

post/proxy-webhook/{webhookId}
Request samples
curl --location --request POST 'https://api.test.tokenidvault.com/proxy-webhook/gjaA615z2AHhpAZa' \
    --header 'Timestamp: 11/03/2021 02:13:24.543 PM' \
    --header 'Signature: +xAXSIWJXUmqmoJL1vchQuhpZdCOhheIq1ECgw49STs=' \
    --header 'Content-Type: application/json' \
    --data-raw '{
        "bankdata": {
            "ip_address": "127.0.0.40"
        },
        "citizenship": "US",
            "date_of_birth": "1980-02-22",
            "email_address": "gwash@whitehouse.gov",
            "first_name": "George",
            "last_name": "Washington",
            "phone_number": "2025551111",
            "physical_address": {
            "street_line_1": "1600 Pennsylvania Ave",
                "city": "Washington",
                "state": "DC",
                "postal_code": "20500"
        },
        "tin": "12-3456789"
    }'
Response samples
application/json
{
  • "error_code": "InternalServerError"
}

Outbound proxy function

Send any request to third-party using tokens in place of sensitive data through your function hosted on Strac. Please contact Strac to upload your function and enable communication with the third-party.


Functions are small programs (e.g., NodeJS function) that send sensitive data to third-party APIs. Hosted functions give you the power of standard programming languages to perform advanced integrations that are harder to do using Strac's default schema based outbound proxy API. Suitable use cases include integrations that rely on thick clients or custom protocols.


Your call flow from your back-end servers (client) to third-party will need to change in the following ways when hosting functions on Strac:

(1) you will call Strac's proxy instead of the third-party directly

(2) your function will need to take inputs from Strac instead of directly from your back-end servers

(3) you can send tokens instead of sensitive data such as crypto keys and SSN

(4) you can receive tokens for sensitive data you expect in the response


The diagram below illustrates the standard call flow:


Outbound proxy function


In order for the hosted functions to interoperate with Strac, it must make the following changes:

(1) it must expose a single handler that takes in an object that represents the request.

(2) it must return a JSON payload that represent the HTTP response for the calling client.


The example below illustrate this for a NodeJS function:

  // Imports will need to be declared in a standard package.json file not shown here
  const fooClient = require('foo-thick-lib');

  // Request is a dictionary that contains detokenized input sent by the calling client,
  // we will use the curl example here
  async function run(request) {
    // string containing plaintext tin after token tkn_lT8RtnYLfpmfecvAfWqzlMnO has been detokenized (see curl example)
    const tin = request.tin;
    // the number 26 (see curl example)
    const age = request.citizenship.age;
    return await fooClient.call(tin, age);
  }

  exports.handler = async (request) => {
      const result = await run(request);
      return {
        statusCode: 200,
        headers: {"Content-Type": "application/json"},
        body: JSON.stringify(result)
      }
  }
SecurityAPI_Key
Request
header Parameters
Function-Id
required
string

Identifies the hosted function which will process the request

Example: 6faa0aed-2b1b-4e41-9feb-664ce514d62f
Responses
200

Success response from the function that connect to third party APIs

400

Bad Request

401

Not Authorized Request

500

Internal Server Error

post/proxy-function
Request samples
curl --location --request <your verb> 'https://api.test.tokenidvault.com/proxy-function' \
   --header 'X-Api-Key: <your API key>' \
   --header 'Content-Type: application/json' \
   --header 'Function-Id: 6faa0aed-2b1b-4e41-9feb-664ce514d62f'
   --data-raw '{
       "bankdata": {
           "ip_address": "127.0.0.40"
       },
       "citizenship": "US",
           "date_of_birth": "1980-02-22",
           "email_address": "gwash@whitehouse.gov",
           "first_name": "George",
           "last_name": "Washington",
           "age": 42,
           "phone_number": "2025551111",
           "physical_address": {
           "street_line_1": "1600 Pennsylvania Ave",
               "city": "Washington",
               "state": "DC",
               "postal_code": "20500"
       },
       "tin": "tkn_lT8RtnYLfpmfecvAfWqzlMnO"
   }'
Response samples
application/json
{
  • "error_code": "InvalidRequest"
}

UX: Widget Components

The widget component framework allows you to securely collect and display customer data. A widget orchestrates one or more components, where each corresponds to one data element and one inline frame ('iframe') hosted on Strac's domain.

The same-origin policy protects the sensitive data within the component's iframe from your page that initializes the components. The widget supports a series of events to allow the client to interact with each component; e.g. to perform form validation or know when creation of a token has finished.

 

Page requirements

  • The widget requires jQuery 3.6.0 or higher. You can host on your own CDN or leverage a trusted CDN like CloudFlare; e.g. https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js.

  • The page will have to reference the Strac widget JavaScript at https://api.live.tokenidvault.com/widgets/component-1.0.0.js.

Widget API

To initialize a widget, you supply your Strac API key as the first argument to a global StracWidget:

const stracWidget = new StracWidget('<your API key>');

 

The widget allows registration of events which return back a widget reference to allow chaining. The following are supported:

  • EVENT_READY: fires when the widget has been initialized.
const stracWidget = new StracWidget('<your API key>')
    .on(window.StracWidget.events.EVENT_READY, () => console.log('Widget ready'));

 

To create a component: stracWidget.createComponent(componentType, componentOptions). See below for component API.

To collect tokens from components (creating or updating a value): stracWidget.getTokenizedValues(options) where options requires a tokens structure referencing each token's type and corresponding component. For example, in a form that collects a first, middle, and last name:

  const tokens = await stracWidget.getTokenizedValues({
      tokens: [{
          type: 'FIRST_NAME',
          data: firstNameComponent
      }, {
          type: 'MIDDLE_NAME',
          data: middleNameComponent
      }, {
          type: 'LAST_NAME',
          data: lastNameComponent      
      }]
  });

 

Component API

You can configure a component to view data (do not collect data from a customer), create data (a form input with no initial value), or edit data (provide an existing value that the customer can change). A widget creates a component using stracWidget.createComponent(componentType, componentOptions).

 

Valid component types:

  • label: a view-only display where the element within the iframe corresponds to a <div>.
  • text: a one-line text input with a corresponding <input> element within the iframe.
  • textarea: a multi-line text input with a corresponding <textarea> within the iframe.

Component options:

  • token: allows the viewing of an existing value. Required for a view-only display and an edit display.
  • placeholder: a placeholder value to display within the form element.
  • style: allows injection of CSS properties for a variety of contexts which include base (the default), empty (when an input element is empty), and complete (when an input element is valid).

The following styles are allowed: backgroundColor, color, fontFamily, fontSize, border, textAlign, fontStyle, margin, fontWeight, lineHeight, letterSpacing, borderRadius, verticalAlign, padding, textDecoration, textShadow, textTransform, height, minHeight

Component events

  • EVENT_READY: the component HTML is ready.
  • EVENT_FOCUS: the component has the user's focus (focus event).
  • EVENT_BLUR: the component has lost focus (blur event).
  • EVENT_KEYDOWN: the user has entered text within the input (keydown event).
  • EVENT_CHANGE: change to the event value; event.complete indicates if the value is valid.

Component actions

  • mount(elementName): install the component HTML within the element on your page.
  • unmount(): remove the component HTML.

Example of an edit component:

const firstNameComponent = stracWidget.createComponent('text', {
    'token': '<your token value>',
    'placeholder': 'Your first name',
    'style': {
        'base': {

            'border': '0px solid rgb(0, 0, 0)',
            'backgroundColor': '#302c3f',

        },
        'empty': {
            'backgroundColor': '#ff7586',
        }
    }
}).on(window.StracWidget.events.EVENT_READY, () => console.log('textComponent ready'))
    .on(window.StracWidget.events.EVENT_FOCUS, () => console.log('textComponent focus'))
    .on(window.StracWidget.events.EVENT_BLUR, () => console.log('textComponent blur'))
    .on(window.StracWidget.events.EVENT_KEYDOWN, () => console.log('textComponent keydown'))
    .on(window.StracWidget.events.EVENT_CHANGE, (event) => {
        console.log('textComponent change');
        componentsValid['textComponent'] = event.complete;
        updateForm();
    })
    .mount('#firstName');

 

Complete integration example

This example features one editable component for a first name, complete with a spinner on a submit button and error messages.

<html>
    <head>
        <title>Strac Component Demo</title>
        <script type="text/javascript" src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
        <script type="text/javascript" src="https://api.live.tokenidvault.com/widgets/component-1.0.0.js"></script>
        <script type="text/javascript">
            const API_KEY = '<your API key>';
            const FIRST_NAME = 'firstName';
    
            $(document).ready(async () => {
                const stracWidget = new StracWidget(API_KEY)
                    .on(window.StracWidget.events.EVENT_READY, () => console.log('Widget ready'));
    
                const componentsValid = {
                    'firstNameComponent': false,
                }
    
                const updateForm = (buttonOnly) => {
                    if (!buttonOnly) {
                        $('#text_error').css('display', componentsValid['firstNameComponent'] ? 'none' : '');
                    }
                    $('#saveButton').prop('disabled', Object.values(componentsValid).some(valid => !valid));
                }
    
                // Sample token: tkn_IHpILSUk015BNHqvlAJ8W4tN
                const firstNameComponent = stracWidget.createComponent('text', {
                    'token': window.sessionStorage.getItem(FIRST_NAME),
                    'placeholder': 'Your first name',
                    'style': {
                        'base': {
                            'boxSizing': 'border-box',
                            'minHeight': '53px',
                            'width': '200px',
                            'border': '0px solid rgb(0, 0, 0)',
                            'backgroundColor': '#302c3f',
                            'borderRadius': '30px',
                            'fontSize': '18px',
                            'fontWeight': '500',
                            'color': 'rgb(255, 255, 255)',
                            'padding': '0px 24px',
                            'fontFamily': 'Thicccboi, sans-serif'
                        },
                        'empty': {
                            'backgroundColor': '#ff7586',
                        }
                    }
                }).on(window.StracWidget.events.EVENT_READY, () => console.log('firstNameComponent ready'))
                    .on(window.StracWidget.events.EVENT_FOCUS, () => console.log('firstNameComponent focus'))
                    .on(window.StracWidget.events.EVENT_BLUR, () => console.log('firstNameComponent blur'))
                    .on(window.StracWidget.events.EVENT_KEYDOWN, () => console.log('firstNameComponent keydown'))
                    .on(window.StracWidget.events.EVENT_CHANGE, (event) => {
                        console.log('firstNameComponent change');
                        componentsValid['firstNameComponent'] = event.complete;
                        updateForm();
                    })
                    .mount('#text');
    
                $('#saveButton').on('click', async () => {
                    // Start Spinner
                    const saveButton = $('#saveButton');
                    saveButton.addClass('button-loading');
    
                    const tokens = await stracWidget.getTokenizedValues({
                        tokens: [
                            {
                                type: FIRST_NAME,
                                data: firstNameComponent
                            }
                        ]
                    });
    
                    // End Spinner
                    saveButton.removeClass('button-loading')
    
                    console.log(tokens);
                    tokens.forEach(({ type, data }) => window.sessionStorage.setItem(type, data));
                });
    
                updateForm(true);
            });
        </script>
        <style type="text/css">
            body {
                background-color: #13111a;
                font-family: Thicccboi, sans-serif;
                color: #b7b4c7;
                font-size: 18px;
                line-height: 1.667em;
                font-weight: 500;
                margin: 15px;
            }
    
            div.title {
                margin-bottom: 16px;
            }
    
            div.gradient-background {
                display: inline-block;
                border-radius:30px;
                padding: 2px;
                background-image: linear-gradient(270deg, #6f86ff, #ff7586);
            }
    
            button[type='button']#saveButton {
                padding: 15px 16px;
                font-size: 16px;
                line-height: 1.125em;
                border-style: solid;
                border-width: 1px;
                border-color: #d9d7e6;
                border-radius: 30px;
                background-color: #302c3f;
                color: #fff;
                line-height: 1.111em;
                font-weight: 700;
                text-align: center;
                letter-spacing: 0.01em;
                width: 100px;
    
                position: relative;
            }
    
            button[type='button']#saveButton:disabled {
                color: #676467;
            }
    
            .button-loading .button-text {
                visibility: hidden;
                opacity: 0;
            }
    
            .button-loading::after {
                content: "";
                position: absolute;
                width: 16px;
                height: 16px;
                top: 0;
                left: 0;
                right: 0;
                bottom: 0;
                margin: auto;
                border: 4px solid transparent;
                border-top-color: #ffffff;
                border-radius: 50%;
                animation: button-loading-spinner 1s ease infinite;
            }
    
            @keyframes button-loading-spinner {
                from {
                    transform: rotate(0turn);
                }
    
                to {
                    transform: rotate(1turn);
                }
            }
        </style>
    </head>
    <body>
        <div class="title">Enter your first name below.</div>
        <div id="text" width='200' height='20'></div>
        <div id="text_error" style="color: #fff; display: none; font-weight: 700;">Please enter your first name.</div>

        <div style="margin-top: 12px">
            <div class="gradient-background">
                <button type="button" id="saveButton">
                    <span class="button-text">Save</span>
                </button>
            </div>
        </div>
    </body>
</html>

UX: Credit Card Widget

The Credit Card Widget allows you to display values stored by Strac tokens, with special behavior for a credit card: it will display the value in the form ****-tail and provide a clipboard which will copy the full value.

The display of this sensitive data occurs within an iFrame on a Strac-owned domain, which prevents the page referencing the iFrame from accessing it due to the same-origin policy.

 

Page requirements

The widget requires a modern version of jQuery.

 

Widget inputs

To load the widget, you must provide:

 

1. A Strac API key.

2. A declaration of type 'credit-card' which indicates the type of display within the iFrame. This is currently the only supported variant.

3. A Strac token ID which stores the credit card value.

4. Authorization header(s) which Strac will proxy to your authorization endpoint to allow safe detokenization. This endpoint is associated with your API key and not exposed when invoking the widget component.

 

Widget view and styling Widget views are represented by "components". You can instantiate one widget with as many components as you need based on your page's display requirements

 

Providing styles to the widget is optional, but you must provide basic styling to achieve a similar look-and-feel with your page as the widget's iFrame won't have context of the outer page's fonts. The widget will install the iFrame into a container on your page; you must style this container to control the iFrame's size. By default, the iFrame will expand to fit any area given to it and not provide any margin of its own.

The credit card widget includes an icon that lets the user copy the whole card value to the clipboard when clicked. Within display, you must specify a copyImageUrl if not using the default.

 

Complete integration example

The following produces this card:

Card widget

<html>
    <head>
        <title>Card detokenize demo</title>
        <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js" integrity="sha512-894YE6QWD5I59HgZOGReFYm4dnWc1Qt5NtvYSaNcOP+u1T9qYdvdihz0PPSiiqn/+/3e7Jo4EaG7TubfWGUrMQ==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
        <script type="text/javascript" src="https://api.live.tokenidvault.com/widgets/card-detokenize-1.0.0.js"></script>
        <style>
            body {
                font-family: Verdana,serif;
            }

        </style>
        <script type="text/javascript">
            $(document).ready(() => {
                const component = {
                    display: {
                        copyImageUrl: '<your URL, if not using the default image>',
                        styles: {
                            'body': {
                                'color': '#fff',
                                'font-family': 'Verdana,serif'
                            },
                            'button': {
                                'background-color': 'transparent',
                                'border': 'none',
                                'vertical-align' : 'middle'
                            },
                            'img': {
                                'width': '25px'
                            }
                        }
                    },
                    elementId: 'strac_viewer1',
                    headers: {
                        'Authorization': '<your authorization token>>'
                    },
                    tokens: [{
                        id: "<your token ID>>"
                    }],
                    type: 'credit-card'
                }

                const widget = new StracWidget({
                    apiKey: '<your API key>',
                    apiEndpoint: 'https://api.test.tokenidvault.com'
                });

                widget.createComponent(component);
                widget.mountComponent(component);
            });
        </script>
    </head>

    <body>
        <div style="background-image: linear-gradient(90deg, #ff3868, #714dff); width:415px; padding:4px; border-radius: 10px;">
            <div style="background-color:#302c3f; padding:10px; color: #fff; border-radius: 10px;border-color:rgba(255, 255, 255, 0.21)">
                Credit Card Number: <div id="strac_viewer1" style="height:25px; width: 220px; background-color:#302c3f; display:inline-block; vertical-align: middle;"></div>
            </div>
        </div>
    </body>
</html>

UX: E2E Encryption Doc Share Widget

Strac vends a widget that supports upload and download of an end-to-end encrypted document. The sender can limit the number of views and period of time for which the shareable link is valid. Strac hosts a sample integration here.

 

Requirements

The widget leverages Strac's APIs to upload and download documents, so you will need a publicly-viewable Strac API key.

The hosting page must inject jQuery 3.6.

 

Widget assets

Inject the widget CSS, JavaScript, and jQuery dependency into the head of your page:

<link href="https://api.live.tokenidvault.com/strac-doc-share/strac-widget-1.0.0.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script type="text/javascript" src="https://api.live.tokenidvault.com/strac-doc-share/strac-widget-1.0.0.js"></script>

 

Widget initialization

The widget assets expose StracWidget and StracWidgetConstants globals used to instantiate new widget instances. You can place multiple widgets on a single page.

  • StracWidget.createDefault(apiProviderOptions, widgetId, widgetOptions) returns a widget instance.
  • widget.on(eventName, callback) registers a widget event and returns the instance to allow chaining of events.
  • widget.inject() installs the widget HTML into the DOM and sets up JavaScript event listeners.

Widget options for createDefault:

const apiProviderOptions = {
    apiKey: '<your API key>'
};

const widgetId = '<ID of an HTML element in which the widget is installed>';

const widgetOptions = {
    fileId: '<document ID if this is a download use case; undefined for an upload case>'
    isInline: { false | true } // 'true' if the user will write a text secret instead of uploading a file
    viewMode: { "DOWNLOAD_ONLY" | "UPLOAD_ONLY" } // One widget instance cannot perform both upload and download simultaneously        
};

 

Widget event reference

Function callbacks will all have one argument representing an object of keys and values.

StracWidgetConstants.EVENT_FILE_DOWNLOAD_FAILED: the document decryption failed
  No context returned; can be used to display a generic error message for an expired document link

StracWidgetConstants.EVENT_FILE_DOWNLOADED: the document is ready for viewing by the user
  contentType: <str> content type of the downloaded document
  document: <array buffer> with the decrypted document bytes
  documentText: <str> returned only if this is an 'inline' widget to allow the decrypted secret to be displayed
  fileName: <str> file name of the document

StracWidgetConstants.EVENT_FILE_GET: the user requested the document
  fileId: <str> ID of the downloaded file to retrieve

StracWidgetConstants.EVENT_FILE_UPLOADED: the upload of the document completed
  fileId: <str> ID of the encrypted document; this is viewable to the server.
  passphrase: <str> secret that is vended in a sharable link. This value isn't sent to the server.

 

Example

The following example uses query parameters to distinguish the upload vs. download context as well as the widget behavior.

<!DOCTYPE html>
<html>
    <head>
        <link href="https://api.live.tokenidvault.com/strac-doc-share/strac-widget-1.0.0.css" rel="stylesheet" type="text/css">
        <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
        <script type="text/javascript" src="https://api.live.tokenidvault.com/strac-doc-share/strac-widget-1.0.0.js"></script>

        <script type="text/javascript">
            const urlParams = new URLSearchParams(window.location.search);

            const isDownload = urlParams.has('id');
            const isInline = urlParams.get('inline') === 'true';
            const fileId = urlParams.get('id');

            const apiProviderOptions = {
                apiKey: '<your API key>'
            };
            
            const widgetId = 'strac_share';
            
            const widgetOptions = {
                viewMode: isDownload ? "DOWNLOAD_ONLY" : "UPLOAD_ONLY",
                isInline: isInline,
                fileId: fileId
            };

            const widget = StracWidget.createDefault(apiProviderOptions, widgetId, widgetOptions)
                .on(StracWidgetConstants.EVENT_FILE_UPLOADED, function(args) {
                    const { fileId, passphrase } = args;

                    const decryptUrl = window.location.href + "?id=" + fileId + '&inline=' + isInline + '#' + passphrase;
                    $('#strac_download_link').html(
                        `Send this link to your friends: <a href="${decryptUrl}">${decryptUrl}</a>`);
                    $('#strac_download_link').off('click');
                })
                .on(StracWidgetConstants.EVENT_FILE_DOWNLOADED, function(args) {
                    const { document, documentText, fileName, contentType } = args;

                    if (documentText) {
                        $('#strac_download_link').text(documentText);
                    }
                    else {
                        $('#strac_download_link').html(`View file: <a href='#' id='strac_link' download>${fileName}</a>`);
                        $('#strac_download_link').on('click', function(evt) {
                            const url = window.URL.createObjectURL(new Blob([document], {type: contentType}));

                            $('#strac_link').prop('href', url);
                            $('#strac_link').prop('download', fileName);
                        });
                    }
                })
                .on(StracWidgetConstants.EVENT_FILE_DOWNLOAD_FAILED, function(args) {
                    $('#strac_download_error').show();
                })
                .inject();

            // Download immediately on page load
            if (fileId && isDownload) {
                $(document).ready(() =>   {
                    widget.trigger(StracWidgetConstants.EVENT_FILE_GET, { fileId: fileId });
                });                
            }
        </script>
    </head>
    <body>
        <p id="strac_share"></p>
        <p id="strac_download_link"></p>
        <p id="strac_download_error" style="display: none;">Error downloading file!</p>
    </body>
</html>