Authentication
All API endpoints require authentication via API Key or JWT Bearer token.
API Key
X-API-Key: demo-key-001
JWT Bearer
Authorization: Bearer <token>
Generate a JWT via POST /api/admin/generate-token
Endpoints
/api/tokenize
Tokenize a single record. The system auto-detects sensitive fields and applies the appropriate strategy to each.
Request Body
{
  "data": {
    "full_name": "John Doe",
    "email": "john@example.com",
    "ssn": "123-45-6789"
  },
  "options": {
    "strategy_override": "random",
    "retention_days": 365
  }
}
Response
{
  "status": "success",
  "results": {
    "full_name": { "action": "passthrough", "value": "John Doe" },
    "email": { "action": "tokenize", "token": "dtk_a3f9...", "strategy": "deterministic" },
    "ssn": { "action": "tokenize", "token": "tok_7b2e...", "strategy": "random" }
  }
}
/api/batch-tokenize
Batch-tokenize multiple records in a single request.
Request Body
{
  "records": [
    { "id": "rec_001", "data": { "email": "a@b.com", "phone": "555-1234" } },
    { "id": "rec_002", "data": { "ssn": "987-65-4321" } }
  ]
}
/api/detokenize
Controlled retrieval of original data. Requires elevated privileges and, optionally, an MFA code.
Request Body
{
  "tokens": ["tok_7b2e...", "dtk_a3f9..."],
  "purpose": "customer_support",
  "mfa_code": "123456"
}
/api/policies
List all active policy rules.
/api/policies
Create a new policy rule. See the policy manager for the full schema.
/api/policies/{rule_id}
Delete a policy rule by ID.
/api/audit/logs
Query audit logs. Supports the action_type, actor, token_id, limit, and offset query parameters.
/api/audit/integrity
Verify the full audit chain integrity (SHA-256 hash chain).
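How a SHA-256 hash chain makes audit tampering detectable, as an added example that is not the service's own code. The entry layout (body, prev_hash, hash), the all-zero genesis value and the canonical JSON encoding are assumptions, and the sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry


def entry_hash(prev_hash, body):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(chain, body):
    """Append an entry whose hash commits to every entry before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"body": body, "prev_hash": prev, "hash": entry_hash(prev, body)})


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, entry["body"]):
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample():
    """Constructed sample entries; field names reuse the audit query parameters."""
    chain = []
    append(chain, {"action_type": "tokenize", "actor": "svc-a", "token_id": "tok_sample1"})
    append(chain, {"action_type": "detokenize", "actor": "agent-7", "token_id": "tok_sample1"})
    append(chain, {"action_type": "shred", "actor": "admin-1", "token_id": "tok_sample1"})
    return chain


if __name__ == "__main__":
    chain = build_sample()
    print(verify_chain(chain))            # intact chain
    chain[1]["body"]["actor"] = "nobody"  # edit an entry in place
    print(verify_chain(chain))            # break reported at the edited entry
    del chain[1]                          # remove an entry from the middle
    print(verify_chain(chain))            # break reported where the link fails
```

Dropping entries from the end leaves a shorter chain that still verifies, so the latest hash has to be recorded somewhere the log writer cannot modify.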
/api/admin/dashboard
Dashboard statistics: vault counts, key counts, strategy distribution, recent audit entries.
/api/admin/shred/{token}
Cryptographically shred a token — destroys the encryption key, making data permanently irrecoverable.
/api/admin/retention-sweep
Run retention sweep to automatically destroy all expired data.