Download OpenAPI specification:Download
Strac (Y Combinator backed) offers No-Code solutions and APIs to businesses so that they don't have to worry about handling PII (Personally Identifiable Information), PHI (Protected Health Information) and PCI (Payments Card Industry) data like SSN, Drivers License, Address, Date of Birth, Employment History, Credit Card, Patient Data, Bank Accounts, API Keys, and more.
Strac offers detection and redaction APIs where developers can detect or redact sensitive data in text or documents.
Configure Strac in any of your SaaS or Cloud (AWS, Azure, GCP) app and automatically detect and redact sensitive data. Define Custom Policies on what data elements to redact, when to redact, who should access, get audit reports and more.
Here are the list of all integrations: https://strac.io/integrations
This API features Cross-Origin Resource Sharing (CORS) implemented in compliance with the W3C spec. It allows cross-domain communication from the browser.
Strac uses API keys to authenticate requests. Pass an API Key in passed in HTTP Header as X-Api-Key
.
API Key is prefixed with sk_
Please do not share your secret API key in publicly accessible areas
such as GitHub, client-side code, and so forth. Securely Keep it on the server side.
All API requests must be made over HTTPS. Calls made over plain HTTP will fail.
API requests without authentication will also fail.
Under test mode, API keys will have the prefix sk_test_
and requests will use
endpoint https://api.test.tokenidvault.com
.
Under live mode, API keys will have the prefix sk_live_
and requests will use
endpoint https://api.live.tokenidvault.com
.
Sensitive document that you can upload, redact, or download. Examples include an identity document like a driver's licenses or passport, tax documents, medical records, and employment verification documents.
Uploads a document to the vault, handing back a reference ID. The document is immutable: repeating this operation results in a new stored document and reference ID.
OK
Bad Request
Unauthorized
Request Entity Too Large
Internal Server Error
curl --location --request POST 'https://api.test.tokenidvault.com/documents' \ --header 'X-Api-Key: <your API key>' \ --form document=@/Users/sensitive-document.pdf
{- "id": "doc_jgP1m98fdsnzBQh43uzCpt",
- "content_type": "image/jpeg",
- "creation_time": "2021-02-10T06:34:39.000Z",
- "size": 31403
}
Download the original document given the document ID
OK
Bad Request
Unauthorized
Internal Server Error
curl --location --request GET 'https://api.test.tokenidvault.com/documents/doc_65T78zexKxbqUz34gbLGiX' \ --header 'X-Api-Key: <your API key>'
{- "error_code": "InvalidDocumentId"
}
Delete a document with a given ID
No Content
Bad Request
Unauthorized
Internal Server Error
curl --location --request DELETE 'https://api.test.tokenidvault.com/documents/doc_65T78zexKxbqUz34gbLGiX' \ --header 'X-Api-Key: <your API key>' \ --header 'Content-Type: application/json'
{- "error_code": "InvalidDocumentId"
}
Sensitive data elements that you can create, search or detokenize. Examples include credentials like api keys or passwords, social security numbers, national ids, credit card numbers, name and phone numbers.
Send sensitive data to the vault, handing back a reference identifier. The token is immutable after
creation unless your API key grants additional permissions to perform an update or deletion.
By default, a new token is generated for each request unless idempotent: true
is specified.
Success
Bad Request
Unauthorized
Internal Server Error
{- "type": "ssn",
- "data": "111-22-3333",
- "tags": [
- "Human Resources",
- "R&D"
], - "idempotent": false
}
{- "id": "tkn_jgP1m98fdsnzBQh43uzCpt",
- "type": "ssn"
}
Delete an existing token. Access to this API is restricted to server-to-server connections. Please contact Strac to add your IP addresses to the allowlist only for live.
No Content
curl --request DELETE 'https://api.test.tokenidvault.com/tokens-modify/tkn_jgP1m98fdsnzBQh43uzCpt' \ --header 'X-Api-Key: <your_api_key>' \ --header 'Content-Type: application/json'
Update an existing token's value and type. Updates to tokens created with idempotency, as well as updates to tags, are not supported. Access to this API is restricted to server-to-server connections. Please contact Strac to add your IP addresses to the allowlist only for live.
Success
Bad Request
Unauthorized
Internal Server Error
{- "type": "ssn",
- "data": "123-45-6789"
}
{- "id": "tkn_jgP1m98fdsnzBQh43uzCpt",
- "type": "ssn"
}
Send up to 200 sensitive data elements to the vault, handing back reference identifiers for each data element. The tokens are immutable after creation unless your API key grants additional permission to perform an update or deletion. Each requests produces a new set of tokens. If any of the data elements in the request fail to be created, the entire request will fail.
Array of objects Tokens to be created. |
Success
Bad Request
Unauthorized
Internal Server Error
{- "tokens": [
- {
- "type": "ssn",
- "data": "111-22-3333",
- "idempotent": true
}, - {
- "type": "ssn",
- "data": "111-22-3333",
- "idempotent": true
}, - {
- "type": "first-name",
- "data": "John",
- "tags": [
- "Human Resources"
]
}, - {
- "type": "first-name",
- "data": "John"
}
]
}
{- "tokens": [
- {
- "id": "tkn_jgP1m98fdsnzBQh43uzCpt",
- "type": "ssn"
}, - {
- "id": "tkn_jgP1m98fdsnzBQh43uzCpt",
- "type": "ssn"
}, - {
- "id": "tkn_86n6bHIt7iueUB046ynwaX",
- "type": "first-name"
}, - {
- "id": "tkn_dGtuX2pnUDFtOThmZHNuekJ",
- "type": "first-name"
}
]
}
Search for tokens by data. Access to this API is restricted to server-to-server connections. Please contact Strac to add your IP addresses to the allowlist only for live.
Search for a Token
Success
Bad Request
Unauthorized
Internal Server Error
{- "type": "ssn",
- "data": "111-22-3333"
}
{- "tokens": [
- {
- "id": "tkn_jgP1m98fdsnzBQh43uzCpt"
}
]
}
Search for tokens by tag. Access to this API is restricted to server-to-server connections. Please contact Strac to add your IP addresses to the allowlist only for live.
Success
Bad Request
Unauthorized
Internal Server Error
{- "tags": [
- "Human Resources",
- "R&D"
]
}
{- "tokens": [
- {
- "id": "tkn_jgP1m98fdsnzBQh43uzCpt"
}
]
}
Extract information about the token without revealing the original sensitive data in full. For example, last four digits of a social security number. See HTTP 200 Success response schema for supported token types and attributes that can be revealed.
Success
Bad Request
Unauthorized
Not Found
Internal Server Error
{- "id": "tkn_jgP1m98fdsnzBQh43uzCpt"
}
{- "type": "ssn",
- "last4": "2912"
}
Retrieve the original sensitive data for up to 10 tokens. Access to this API is restricted to server-to-server connections. Please contact Strac to add your IP addresses to the allowlist only for live. For browser-to-server use cases, see Detokenize Proxy.
Detokenize Tokens
Array of objects Tokens that will be detokenized. |
Success
Bad Request
Unauthorized
Internal Server Error
{- "tokens": [
- {
- "id": "tkn_jgP1m98fdsnzBQh43uzCpt"
}, - {
- "id": "tkn_86n6bHIt7iueUB046ynwaX"
}
]
}
{- "tokens": [
- {
- "id": "tkn_jgP1m98fdsnzBQh43uzCpt",
- "type": "ssn",
- "data": "111-22-3333"
}, - {
- "id": "tkn_86n6bHIt7iueUB046ynwaX",
- "type": "first-name",
- "data": "John",
- "tags": [
- "Human Resources"
]
}
]
}
Detect sensitive data elements from text and documents. Sensitive data elements include credentials like api keys or passwords, social security numbers, national ids, credit card numbers, name and phone numbers.
Detect sensitive data from a document or text
Detect document input
OK
Bad Request
Unauthorized
Internal Server Error
{- "document_type": "generic",
- "document_id": "doc_jgP1m98fdsnzBQh43uzEzb",
- "document_content": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABIAAAAICAMAAADDXV+YAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAABDlBMVEUTERsRDxgQDhYREBkSEBoVExwVEx0aFykhHjUaFSIKCBIHBRAQDhkUEh0YFycVFSMrJUMdGCkkGScPDRdBP0dOTFQaGCIRDxkGBA4IBhAIBhE9Om9TS45nQ3S5YZ9SKkENDxiioKR9fIGPjpJ2dXthX2VfXWRxb3VUUllnZmwWFB4RDxc5OGuPbcpxRHOJRGtiMUwZFR9ram+dnJ+SkZWJiI2FhIiKiY6amZ24uLpjYmgaGCETEh0dGSwkGCc9JDkaEx0jFyQUEBtQT1ZXVl0zMToiIClDQkpbWmA7OUFaWV8RDxocFiQtHCwfFiIREBoHBQ8MChQJBxILCBMODxgQEBkTEBsUEhwWFB3////wejLLAAAAAWJLR0RZmrL0GAAAAAd0SU1FB+cFDxMiMMgddRkAAACTSURBVAjXJY3VEoJgGAWP8vupIBYq2K2I3d3dHe//JDJ6LvZiZ2cOAIORAzMRwPAfg9li5cALNpCJiHQh2h1Ol1vyeH2ywvsDvJ6KwVA4Eo3FE8lUOpNVc5qMfKFYKleqtXqj2Wp3ur2+DYPhaDyZzuaLpbpab7Y7bQ/GDsfTmQmXqyDdlLvyu+UeT7yI3gT66GBfnrcQ+Js9hyEAAAAldEVYdGRhdGU6Y3JlYXRlADIwMjMtMDUtMTVUMTk6MzQ6MjYrMDA6MDBd90//AAAAJXRFWHRkYXRlOm1vZGlmeQAyMDIzLTA1LTE1VDE5OjM0OjI2KzAwOjAwLKr3QwAAAABJRU5ErkJggg=="
}
{- "detectedEntities": [
- {
- "type": "TAX_ID_NUMBER",
- "text": "58-3234931"
}, - {
- "type": "TAX_ID_NUMBER",
- "text": "534-12-5932"
}, - {
- "type": "DRIVER_LICENSE_NUMBER",
- "text": "190234931"
}, - {
- "type": "NATIONAL_ID_NUMBER",
- "text": "3977 8800 0234"
}, - {
- "type": "PASSPORT_NUMBER",
- "text": "583234931"
}
]
}
Redact (a.k.a Mask) sensitive data elements from text and documents. Sensitive data elements include credentials like api keys or passwords, social security numbers, national ids, credit card numbers, name and phone numbers.
Performs redaction against a document in the vault. To retrieve the redacted document you will need to call Get redacted document API.
Here is an example of a W2 Tax Return and how it looks like after redaction:
Redact document input
OK
Bad Request
Unauthorized
Internal Server Error
{- "document_id": "doc_65T78zexKxbqUz34gbLGiX",
- "document_type": "generic",
- "ux_config": { }
}
{- "status": "completed"
}
Performs redaction against inline text content. The way text is redacted depends on the redact field mode; for modes that replace sensitive text with a link to the Strac document vault, you must onboard with the Strac vault website and supply a base strac endpoint.
For example, with input text: Please onboard the user with SSN 123-45-6789
and type text, the redaction would produce: Please onboard the user with SSN <sensitive_data: https://test.strac.io/#/detokenize/tkn_0QLgEGZSerpfuFSEbotIN75o>
.
Redact text input
OK
Bad Request
Unauthorized
Internal Server Error
{- "content": "Hello, please process the user with SSN 123-45-6789. The user's DL number is 12345678901",
- "type": "text",
- "redact_field_mode": "REDACTED"
}
{- "detectedEntities": [
- {
- "type": "TAX_ID_NUMBER",
- "text": "123-45-6789",
- "begin_index": 40,
- "end_index": 51
}, - {
- "type": "DRIVER_LICENSE_NUMBER",
- "text": 12345678901,
- "begin_index": 77,
- "end_index": 88
}
], - "redacted_content": "Hello, please process the user with SSN [REDACTED]. The user's DL number is [REDACTED]"
}
Download the redacted document given the document ID
OK
Bad Request
Unauthorized
Internal Server Error
curl --location --request GET 'https://api.test.tokenidvault.com/redacted-documents/doc_65T78zexKxbqUz34gbLGiX' \ --header 'X-Api-Key: <your API key> > myFile.png'
{- "error_code": "InvalidDocumentId"
}
Retrieve token identifiers within a redacted document.
OK
Bad Request
Unauthorized
Internal Server Error
curl --location --request GET 'https://api.test.tokenidvault.com/redacted-documents/doc_65T78zexKxbqUz34gbLGiX/tokens' \ --header 'X-Api-Key: <your API key>'
{- "tokens": [
- {
- "id": "tkn_jgP1m98fdsnzBQh43uzCpt"
}, - {
- "id": "tkn_86n6bHIt7iueUB046ynwaX"
}
]
}
Anonymize sensitive data elements from text and documents. Sensitive data elements include credentials like api keys or passwords, social security numbers, national ids, credit card numbers, name and phone numbers.
Performs anonymization against a Google Sheet document. This API aims to provide an extra layer of privacy and security to your spreadsheets by replacing sensitive fields like phone numbers, names, emails, and ZIP codes with pseudonyms or tokens. It integrates seamlessly with your Google Workspace through domain-wide delegation and can run on a recurring basis.
To integrate with your Google Workspace, please reach out to hello@strac.io.
Success
Bad Request
Unauthorized
Internal Server Error
{- "spreadSheetId": "1P0VVIBJBvC0_Tw1xjNaidhjUKr6pVCEuEPtfVXS8Bsw",
- "outputDriveId": "1BM06v7Q40zunrjGh45RmDFXLYY9vLPrt",
- "majorDimension": "COLUMNS",
- "spreadSheetUser": "john@example.com",
- "anonymizationFormat": "CATEGORY_TOKEN",
- "fields": [
- {
- "firstIndex": "B2",
- "type": "NUMBER",
- "lowThreshold": 15.3,
- "highThreshold": 395.2,
- "precision": 2
}
], - "jobName": "HR Payroll Monthly Report",
- "recurringPeriodSeconds": 86400
}
{- "jobId": "LN7RjDG6rgON52LQcnKviBpz",
- "outputSpreadSheetId": "1P0VVIBJBvC0_Tw1xjNaidhjUKr6pVCEuEPtfVXS8Bsw"
}
Restores an anonymized Google Sheet document in a specified Google Drive folder. This API reverses the effects of the anonymize Google Sheets operation.
To integrate with your Google Workspace, please reach out to hello@strac.io.
Success
Bad Request
Unauthorized
Internal Server Error
{- "spreadSheetId": "1P0VVIBJBvC0_Tw1xjNaidhjUKr6pVCEuEPtfVXS8Bsw",
- "outputDriveId": "1BM06v7Q40zunrjGh45RmDFXLYY9vLPrt",
- "spreadSheetUser": "john@example.com",
- "anonymizationFormat": "CATEGORY_TOKEN"
}
{- "outputSpreadSheetId": "10w8Q88cRVFe0zmVF_qzK_r2I0kP31MEChcvLAgm1DyU"
}
Retrieves recurring anonymization jobs.
Success
Unauthorized
Internal Server Error
curl 'https://api.test.tokenidvault.com/anonymize-gsheets/jobs' \ --header 'X-Api-Key: <your_api_key>'
{- "jobs": [
- {
- "id": "67R0GH7xSERiHgh1ADb19Yrg",
- "name": "HR Payroll Monthly Report",
- "recurringPeriodSeconds": 86400,
- "nextExecutionTime": "2023-09-12T16:41:16.340Z",
- "lastExecutionStatus": "SUCCESS",
- "creationTime": "2023-08-30T23:22:58.702Z"
}
]
}
Securely offload movement of sensitive data to third-party (outbound), end-users (inbound) or your servers (webhook).
Send any HTTP request (e.g., POST
, PUT
, PATCH
, GET
, DELETE
,
and OPTIONS
) to third-party using tokens in place of sensitive data. Please contact
Strac to add the third-party URL and schema into the allow list.
Call flow from your back-end servers (client) to third-party does not change except for the following:
(1) you will call Strac's proxy instead of the third-party directly
(2) you can send tokens instead of sensitive data such as API keys and SSN
(3) you can receive tokens for sensitive data you expect in the response
The diagram below illustrates the standard call flow:
If an error occurs due to integration with Strac (e.g., authentication, configuration, outage),
a x-strac-error
header will be set with the value true
. This header will not be set if the failure
is caused by third-party errors.
Success response from the third-party endpoint that proxy connected to
Bad Request
Not Authorized Request
Internal Server Error
curl --location --request <your verb> 'https://api.test.tokenidvault.com/proxy' \ --header 'X-Api-Key: <your API key>' \ --header 'Content-Type: application/json' \ --header 'Target-Url: <third-party endpoint>' --data-raw '{ "bankdata": { "ip_address": "127.0.0.40" }, "citizenship": "US", "date_of_birth": "1980-02-22", "email_address": "gwash@whitehouse.gov", "first_name": "George", "last_name": "Washington", "phone_number": "2025551111", "physical_address": { "street_line_1": "1600 Pennsylvania Ave", "city": "Washington", "state": "DC", "postal_code": "20500" }, "tin": "tkn_lT8RtnYLfpmfecvAfWqzlMnO" }'
{- "error_code": "InvalidRequest"
}
Send any HTTP request (e.g., POST
, PUT
, PATCH
, GET
, DELETE
,
and OPTIONS
) to a third-party service but with sensitive data replaced by redacted, non-sensitive
equivalents. This ensures the security and privacy of the original information while still
enabling interactions with third-party services such as Large Language Models (LLMs).
Please contact Strac to add the third-party URL and schema into the allow list.
Call flow from your back-end servers (client) to third-party does not change except for the following:
(1) you will call Strac's proxy instead of the third-party directly
(2) your sensitive data such as SSN, passport numbers will be replaced with a non-sensitive equivalent (e.g., [REDACTED])
The diagram below illustrates the standard call flow:
If an error occurs due to integration with Strac (e.g., authentication, configuration, outage),
a x-strac-error
header will be set with the value true
. This header will not be set if the failure
is caused by third-party errors.
Success response from the third-party endpoint that proxy connected to
Bad Request
Not Authorized Request
Internal Server Error
curl --location --request <your verb> 'https://api.test.tokenidvault.com/proxy-redact' \ --header 'X-Api-Key: <your API key>' \ --header 'Content-Type: application/json' \ --header 'Target-Url: <third-party endpoint>' --data-raw '{ "bankdata": { "ip_address": "127.0.0.40" }, "citizenship": "US", "date_of_birth": "1980-02-22", "email_address": "gwash@whitehouse.gov", "first_name": "George", "last_name": "Washington", "phone_number": "2025551111", "physical_address": { "street_line_1": "1600 Pennsylvania Ave", "city": "Washington", "state": "DC", "postal_code": "20500" }, "tin": "153-23-4323" }'
{- "error_code": "InvalidRequest"
}
Retrieve the original sensitive data from browsers and apps for up to 10 tokens. When this API is invoked, the request headers and body are forwarded to your authorization server for end-user authorization. Once the request is authorized, the original sensitive data will be returned to the caller.
The diagram below illustrates the standard call flow:
Detokenize Proxy Input
Array of objects Tokens that will be detokenized. |
Success response from authorization server with detokenized tokens decorated into the response
Bad Request
Unauthorized
Forbidden
Internal Server Error
{- "tokens": [
- {
- "id": "tkn_jgP1m98fdsnzBQh43uzCpt"
}
]
}
{- "tokens": [
- {
- "id": "tkn_jgP1m98fdsnzBQh43uzCpt",
- "data": "123-45-6789"
}
]
}
Receive any HTTP webhook requests from third-party using tokens in place of sensitive data. Please contact Strac to generate a webhookId and setup your API endpoint.
Call flow from third-party servers to your servers does not change except for the following:
(1) you will configure the webhook to call Strac's proxy instead of your own endpoint
(2) you can receive tokens instead of sensitive data such as SSN and bank account numbers
(3) you can send tokens instead of sensitive data such as SSN and bank account numbers
The diagram below illustrates the standard call flow:
Success response from the your server that proxy is connected to
Internal Server Error
curl --location --request POST 'https://api.test.tokenidvault.com/proxy-webhook/gjaA615z2AHhpAZa' \ --header 'Timestamp: 11/03/2021 02:13:24.543 PM' \ --header 'Signature: +xAXSIWJXUmqmoJL1vchQuhpZdCOhheIq1ECgw49STs=' \ --header 'Content-Type: application/json' \ --data-raw '{ "bankdata": { "ip_address": "127.0.0.40" }, "citizenship": "US", "date_of_birth": "1980-02-22", "email_address": "gwash@whitehouse.gov", "first_name": "George", "last_name": "Washington", "phone_number": "2025551111", "physical_address": { "street_line_1": "1600 Pennsylvania Ave", "city": "Washington", "state": "DC", "postal_code": "20500" }, "tin": "12-3456789" }'
{- "error_code": "InternalServerError"
}
Send any request to third-party using tokens in place of sensitive data through your function hosted on Strac. Please contact Strac to upload your function and enable communication with the third-party.
Functions are small programs (e.g., NodeJS function) that send sensitive data to third-party APIs. Hosted functions give you the power of standard
programming languages to perform advanced integrations that are harder to do using Strac's default schema based outbound proxy API. Suitable use cases include
integrations that rely on thick clients or custom protocols.
Your call flow from your back-end servers (client) to third-party will need to change in the following ways when hosting functions on Strac:
(1) you will call Strac's proxy instead of the third-party directly
(2) your function will need to take inputs from Strac instead of directly from your back-end servers
(3) you can send tokens instead of sensitive data such as crypto keys and SSN
(4) you can receive tokens for sensitive data you expect in the response
The diagram below illustrates the standard call flow:
In order for the hosted functions to interoperate with Strac, it must make the following changes:
(1) it must expose a single handler that takes in an object that represents the request.
(2) it must return a JSON payload that represent the HTTP response for the calling client.
The example below illustrate this for a NodeJS function:
// Imports will need to be declared in a standard package.json file not shown here
const fooClient = require('foo-thick-lib');
// Request is a dictionary that contains detokenized input sent by the calling client,
// we will use the curl example here
async function run(request) {
// string containing plaintext tin after token tkn_lT8RtnYLfpmfecvAfWqzlMnO has been detokenized (see curl example)
const tin = request.tin;
// the number 26 (see curl example)
const age = request.citizenship.age;
return await fooClient.call(tin, age);
}
exports.handler = async (request) => {
const result = await run(request);
return {
statusCode: 200,
headers: {"Content-Type": "application/json"},
body: JSON.stringify(result)
}
}
Success response from the function that connect to third party APIs
Bad Request
Not Authorized Request
Internal Server Error
curl --location --request <your verb> 'https://api.test.tokenidvault.com/proxy-function' \ --header 'X-Api-Key: <your API key>' \ --header 'Content-Type: application/json' \ --header 'Function-Id: 6faa0aed-2b1b-4e41-9feb-664ce514d62f' --data-raw '{ "bankdata": { "ip_address": "127.0.0.40" }, "citizenship": "US", "date_of_birth": "1980-02-22", "email_address": "gwash@whitehouse.gov", "first_name": "George", "last_name": "Washington", "age": 42, "phone_number": "2025551111", "physical_address": { "street_line_1": "1600 Pennsylvania Ave", "city": "Washington", "state": "DC", "postal_code": "20500" }, "tin": "tkn_lT8RtnYLfpmfecvAfWqzlMnO" }'
{- "error_code": "InvalidRequest"
}
The widget component framework allows you to securely collect and display customer data. A widget orchestrates one or more components, where each corresponds to one data element and one inline frame ('iframe') hosted on Strac's domain.
The same-origin policy protects the sensitive data within the component's iframe from your page that initializes the components. The widget supports a series of events to allow the client to interact with each component; e.g. to perform form validation or know when creation of a token has finished.
Page requirements
The widget requires jQuery 3.6.0 or higher. You can host on your own CDN or leverage a trusted CDN like CloudFlare; e.g.
https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js
.
The page will have to reference the Strac widget JavaScript at https://api.live.tokenidvault.com/widgets/component-1.0.0.js
.
Widget API
To initialize a widget, you supply your Strac API key as the first argument to a global StracWidget
:
const stracWidget = new StracWidget('<your API key>');
The widget allows registration of events which return back a widget reference to allow chaining. The following are supported:
EVENT_READY
: fires when the widget has been initialized.const stracWidget = new StracWidget('<your API key>')
.on(window.StracWidget.events.EVENT_READY, () => console.log('Widget ready'));
To create a component: stracWidget.createComponent(componentType, componentOptions)
. See below for component API.
To collect tokens from components (creating or updating a value): stracWidget.getTokenizedValues(options)
where
options
requires a tokens
structure referencing each token's type and corresponding component. For example,
in a form that collects a first, middle, and last name:
const tokens = await stracWidget.getTokenizedValues({
tokens: [{
type: 'FIRST_NAME',
data: firstNameComponent
}, {
type: 'MIDDLE_NAME',
data: middleNameComponent
}, {
type: 'LAST_NAME',
data: lastNameComponent
}]
});
Component API
You can configure a component to view data (do not collect data from a customer), create data (a form input with no
initial value), or edit data (provide an existing value that the customer can change). A widget creates a component using
stracWidget.createComponent(componentType, componentOptions)
.
Valid component types:
label
: a view-only display where the element within the iframe corresponds to a <div>
.text
: a one-line text input with a corresponding <input>
element within the iframe.textarea
: a multi-line text input with a corresponding <textarea>
within the iframe.Component options:
token
: allows the viewing of an existing value. Required for a view-only display and an edit display.placeholder
: a placeholder value to display within the form element.style
: allows injection of CSS properties for a variety of contexts which include base
(the default), empty
(when an input element is empty), and complete
(when an input element is valid).The following styles are allowed: backgroundColor
, color
, fontFamily
, fontSize
,
border
, textAlign
, fontStyle
, margin
, fontWeight
, lineHeight
, letterSpacing
, borderRadius
, verticalAlign
,
padding
, textDecoration
, textShadow
, textTransform
, height
, minHeight
Component events
EVENT_READY
: the component HTML is ready.EVENT_FOCUS
: the component has the user's focus (focus
event).EVENT_BLUR
: the component has lost focus (blur
event).EVENT_KEYDOWN
: the user has entered text within the input (keydown
event).EVENT_CHANGE
: change to the event value; event.complete
indicates if the value is valid.Component actions
mount(elementName)
: install the component HTML within the element on your page.unmount()
: remove the component HTML.Example of an edit component:
const firstNameComponent = stracWidget.createComponent('text', {
'token': '<your token value>',
'placeholder': 'Your first name',
'style': {
'base': {
'border': '0px solid rgb(0, 0, 0)',
'backgroundColor': '#302c3f',
},
'empty': {
'backgroundColor': '#ff7586',
}
}
}).on(window.StracWidget.events.EVENT_READY, () => console.log('textComponent ready'))
.on(window.StracWidget.events.EVENT_FOCUS, () => console.log('textComponent focus'))
.on(window.StracWidget.events.EVENT_BLUR, () => console.log('textComponent blur'))
.on(window.StracWidget.events.EVENT_KEYDOWN, () => console.log('textComponent keydown'))
.on(window.StracWidget.events.EVENT_CHANGE, (event) => {
console.log('textComponent change');
componentsValid['textComponent'] = event.complete;
updateForm();
})
.mount('#firstName');
Complete integration example
This example features one editable component for a first name, complete with a spinner on a submit button and error messages.
<html>
<head>
<title>Strac Component Demo</title>
<script type="text/javascript" src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script type="text/javascript" src="https://api.live.tokenidvault.com/widgets/component-1.0.0.js"></script>
<script type="text/javascript">
const API_KEY = '<your API key>';
const FIRST_NAME = 'firstName';
$(document).ready(async () => {
const stracWidget = new StracWidget(API_KEY)
.on(window.StracWidget.events.EVENT_READY, () => console.log('Widget ready'));
const componentsValid = {
'firstNameComponent': false,
}
const updateForm = (buttonOnly) => {
if (!buttonOnly) {
$('#text_error').css('display', componentsValid['firstNameComponent'] ? 'none' : '');
}
$('#saveButton').prop('disabled', Object.values(componentsValid).some(valid => !valid));
}
// Sample token: tkn_IHpILSUk015BNHqvlAJ8W4tN
const firstNameComponent = stracWidget.createComponent('text', {
'token': window.sessionStorage.getItem(FIRST_NAME),
'placeholder': 'Your first name',
'style': {
'base': {
'boxSizing': 'border-box',
'minHeight': '53px',
'width': '200px',
'border': '0px solid rgb(0, 0, 0)',
'backgroundColor': '#302c3f',
'borderRadius': '30px',
'fontSize': '18px',
'fontWeight': '500',
'color': 'rgb(255, 255, 255)',
'padding': '0px 24px',
'fontFamily': 'Thicccboi, sans-serif'
},
'empty': {
'backgroundColor': '#ff7586',
}
}
}).on(window.StracWidget.events.EVENT_READY, () => console.log('firstNameComponent ready'))
.on(window.StracWidget.events.EVENT_FOCUS, () => console.log('firstNameComponent focus'))
.on(window.StracWidget.events.EVENT_BLUR, () => console.log('firstNameComponent blur'))
.on(window.StracWidget.events.EVENT_KEYDOWN, () => console.log('firstNameComponent keydown'))
.on(window.StracWidget.events.EVENT_CHANGE, (event) => {
console.log('firstNameComponent change');
componentsValid['firstNameComponent'] = event.complete;
updateForm();
})
.mount('#text');
$('#saveButton').on('click', async () => {
// Start Spinner
const saveButton = $('#saveButton');
saveButton.addClass('button-loading');
const tokens = await stracWidget.getTokenizedValues({
tokens: [
{
type: FIRST_NAME,
data: firstNameComponent
}
]
});
// End Spinner
saveButton.removeClass('button-loading')
console.log(tokens);
tokens.forEach(({ type, data }) => window.sessionStorage.setItem(type, data));
});
updateForm(true);
});
</script>
<style type="text/css">
body {
background-color: #13111a;
font-family: Thicccboi, sans-serif;
color: #b7b4c7;
font-size: 18px;
line-height: 1.667em;
font-weight: 500;
margin: 15px;
}
div.title {
margin-bottom: 16px;
}
div.gradient-background {
display: inline-block;
border-radius:30px;
padding: 2px;
background-image: linear-gradient(270deg, #6f86ff, #ff7586);
}
button[type='button']#saveButton {
padding: 15px 16px;
font-size: 16px;
line-height: 1.125em;
border-style: solid;
border-width: 1px;
border-color: #d9d7e6;
border-radius: 30px;
background-color: #302c3f;
color: #fff;
line-height: 1.111em;
font-weight: 700;
text-align: center;
letter-spacing: 0.01em;
width: 100px;
position: relative;
}
button[type='button']#saveButton:disabled {
color: #676467;
}
.button-loading .button-text {
visibility: hidden;
opacity: 0;
}
.button-loading::after {
content: "";
position: absolute;
width: 16px;
height: 16px;
top: 0;
left: 0;
right: 0;
bottom: 0;
margin: auto;
border: 4px solid transparent;
border-top-color: #ffffff;
border-radius: 50%;
animation: button-loading-spinner 1s ease infinite;
}
@keyframes button-loading-spinner {
from {
transform: rotate(0turn);
}
to {
transform: rotate(1turn);
}
}
</style>
</head>
<body>
<div class="title">Enter your first name below.</div>
<div id="text" width='200' height='20'></div>
<div id="text_error" style="color: #fff; display: none; font-weight: 700;">Please enter your first name.</div>
<div style="margin-top: 12px">
<div class="gradient-background">
<button type="button" id="saveButton">
<span class="button-text">Save</span>
</button>
</div>
</div>
</body>
</html>
The Credit Card Widget allows you to display values stored by Strac tokens, with special behavior for a credit card: it will display the value in the form ****-tail and provide a clipboard which will copy the full value.
The display of this sensitive data occurs within an iFrame on a Strac-owned domain, which prevents the page referencing the iFrame from accessing it due to the same-origin policy.
Page requirements
The widget requires a modern version of jQuery.
Widget inputs
To load the widget, you must provide:
1. A Strac API key.
2. A declaration of type 'credit-card' which indicates the type of display within the iFrame. This is currently the only supported variant.
3. A Strac token ID which stores the credit card value.
4. Authorization header(s) which Strac will proxy to your authorization endpoint to allow safe detokenization. This endpoint is associated with your API key and not exposed when invoking the widget component.
Widget view and styling Widget views are represented by "components". You can instantiate one widget with as many components as you need based on your page's display requirements
Providing styles to the widget is optional, but you must provide basic styling to achieve a similar look-and-feel with your page as the widget's iFrame won't have context of the outer page's fonts. The widget will install the iFrame into a container on your page; you must style this container to control the iFrame's size. By default, the iFrame will expand to fit any area given to it and not provide any margin of its own.
The credit card widget includes an icon that lets the user copy the whole card value to the clipboard when clicked. Within
display
, you must specify a copyImageUrl
if not using the default.
Complete integration example
The following produces this card:
<html>
<head>
<title>Card detokenize demo</title>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js" integrity="sha512-894YE6QWD5I59HgZOGReFYm4dnWc1Qt5NtvYSaNcOP+u1T9qYdvdihz0PPSiiqn/+/3e7Jo4EaG7TubfWGUrMQ==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
<script type="text/javascript" src="https://api.live.tokenidvault.com/widgets/card-detokenize-1.0.0.js"></script>
<style>
body {
font-family: Verdana,serif;
}
</style>
<script type="text/javascript">
$(document).ready(() => {
const component = {
display: {
copyImageUrl: '<your URL, if not using the default image>',
styles: {
'body': {
'color': '#fff',
'font-family': 'Verdana,serif'
},
'button': {
'background-color': 'transparent',
'border': 'none',
'vertical-align' : 'middle'
},
'img': {
'width': '25px'
}
}
},
elementId: 'strac_viewer1',
headers: {
'Authorization': '<your authorization token>>'
},
tokens: [{
id: "<your token ID>>"
}],
type: 'credit-card'
}
const widget = new StracWidget({
apiKey: '<your API key>',
apiEndpoint: 'https://api.test.tokenidvault.com'
});
widget.createComponent(component);
widget.mountComponent(component);
});
</script>
</head>
<body>
<div style="background-image: linear-gradient(90deg, #ff3868, #714dff); width:415px; padding:4px; border-radius: 10px;">
<div style="background-color:#302c3f; padding:10px; color: #fff; border-radius: 10px;border-color:rgba(255, 255, 255, 0.21)">
Credit Card Number: <div id="strac_viewer1" style="height:25px; width: 220px; background-color:#302c3f; display:inline-block; vertical-align: middle;"></div>
</div>
</div>
</body>
</html>