Display Masked Data
This guide will show you how to customize your data so you can securely display it while remaining compliant. We will leverage the concept of a mask
to transform the underlying data prior to display.
Key concepts in this guide:
Getting Started
To get started, you will need a Basis Theory account.
Next you will need a Management Application in order to provision the components in this guide.
Click here to create a Management Application or login to your Basis Theory account and create a new application from the Full Management Access template.
Create a Private Application
We need to create a Private Application which will be used to tokenize some data and retrieve the masked data. We will apply an Acccess Policy to the application of mask
on the root container /
.
Access policies enable you to partition and apply granular permissions to your data.
curl "https://api.basistheory.com/applications" \
-H "BT-API-KEY: test_1234567890" \
-H "Content-Type: application/json" \
-X "POST" \
-d '{
"name": "Display Masked Data App",
"type": "private",
"rules": [{
"description": "Create and read masked data",
"priority": 1,
"container": "/",
"transform": "mask",
"permissions": [
"token:create",
"token:read"
]
}]
}'
test_1234567890
with the Private API Key you created in the Getting Started step.Create a Token
Next, we want to collect some user data in a token. This will securely store this information with Basis Theory, which will be retrieved later. To do this, we will call the Tokenize endpoint directly.
We will leverage Expressions to define the token mask
. These are Liquid template expressions to define the format of the data when retrieving the information.
Run the following in your terminal to create a token containing user information:
curl "https://api.basistheory.com/tokenize" \
-X "POST" \
-H "BT-API-KEY: test_1234567890" \
-H "Content-Type: application/json" \
-d '{
"type": "token",
"data": {
"first_name": "John",
"last_name": "Doe",
"social_security_number": "111-22-3333",
"email_address": "johndoe@basistheory.com"
},
"mask": {
"first_name": "{{ data.first_name }}",
"last_name": "{{ data.last_name | slice: 0 }}.",
"social_security_number": "{{ data.social_security_number | reveal_last: 4 }}",
"email_address": "{{ data.email_address | split: '\''@'\'' | last }}"
}
}'
test_1234567890
with the Private API Key you created in the Getting Started step.You should see a JSON response similar to:
{
"id": "90ead06a-e6d8-4061-9096-4486c5d7820a",
"type": "token",
"tenant_id": "76d4905e-ef89-46ea-9134-92ad5cd2e973",
"data": {
"first_name": "John",
"last_name": "D.",
"social_security_number": "XXX-XX-3333",
"email_address": "basistheory.com"
},
"created_by": "5f84b724-e531-4416-a39d-3e8912643999",
"created_at": "2022-12-20T20:40:32.1996963+00:00",
"fingerprint": "3CWpgMyXH3NdPxDzd47ch5uk9S6ApFTqt4cyqgwNyzYF",
"fingerprint_expression": "{{ data | stringify }}",
"mask": {
"first_name": "{{ data.first_name }}",
"last_name": "{{ data.last_name | slice: 0 }}.",
"social_security_number": "{{ data.social_security_number | reveal_last: 4 }}",
"email_address": "{{ data.email_address | split: '@' | last }}"
},
"containers": [
"/general/high/"
]
}
Retrieve the Token
Now we want to retrieve the token to view the masked information.
If you run the following in your terminal:
curl "https://api.basistheory.com/tokens/90ead06a-e6d8-4061-9096-4486c5d7820a" \
-H "BT-API-KEY: test_1234567890"
You should see a JSON response similar to:
{
"id": "90ead06a-e6d8-4061-9096-4486c5d7820a",
"type": "token",
"tenant_id": "76d4905e-ef89-46ea-9134-92ad5cd2e973",
"data": {
"first_name": "John",
"last_name": "D.",
"social_security_number": "XXX-XX-3333",
"email_address": "basistheory.com"
},
"created_by": "5f84b724-e531-4416-a39d-3e8912643999",
"created_at": "2022-12-20T20:40:32.1996963+00:00",
"fingerprint": "3CWpgMyXH3NdPxDzd47ch5uk9S6ApFTqt4cyqgwNyzYF",
"fingerprint_expression": "{{ data | stringify }}",
"mask": {
"first_name": "{{ data.first_name }}",
"last_name": "{{ data.last_name | slice: 0 }}.",
"social_security_number": "{{ data.social_security_number | reveal_last: 4 }}",
"email_address": "{{ data.email_address | split: '@' | last }}"
},
"containers": [
"/general/high/"
]
}
Conclusion
Due to the Acccess Policy we created on our Private Application, the mask
transform will be applied to all tokens in the root container /
. The result will have the token's mask
applied to the data.
Custom masks can be applied to any token type to help displaying sensitive data to users of your systems without exposing your applications and systems to increased compliance and security requirements.