Contact Free trial Login

Detokenization Policy

Policy Name

Detokenization.

Summary

Transforms a tokenized value back into the original data.

Category

Security.

Since Mule Version

4.1.1

Returned Status Codes

400

A token is invalid, or their detokenization failed.

The provided expression is invalid or returns no result to detokenize.
NOTE: The status code to be returned can be configured.

502

Any problem regarding the connection with the tokenization service. It may be unavailable, or it might not have been configured.

This policy is designed to work only for Anypoint Runtime Fabric deployments.

Detokenization

Detokenization is the process of detokenizing a token back into its original value to redeem sensitive data to carry on with a specific business purpose. For example, an application would need to use a detokenized value to validate a specific credit card number.
Detokenized sensitive data must always be read under strict security controls.

Prerequisites

  • To create and apply policies you need the Manage Policies permission.

  • You need to have a tokenization service up and running.

    • To configure and see the tokenization service, you need the Manage Tokenization Services permission.
      See Configure and Use Tokenization for more information.

How Does This Policy Work?

The policy detokenizes some pieces of the payload with the tokenized values. To define which pieces of payload will be detokenized, you need to provide a selector expression.

Suppose that the payload that will receive the policy contains the following structure:

{
  "name":"Amun Ra",
  "socialSecurityNumber":"167-47-9268"
}

If you want to detokenize the social security number, you can use the following selector expression to specify which piece of information the policy should tokenize:

#[payload.socialSecurityNumber]

Now, every time the policy receives a request containing a socialSecurityNumber key in its top level, it will extract all the tokens that match the expression you indicated, it will establish a connection with the tokenization service, and finally it will replace the original detokenized values in your payload with the ones provided by the service.
If the detokenized value for the Social Security Number in the example were 365-93-2738, your application would receive the following payload:

{
  "name":"Amun Ra",
  "socialSecurityNumber":"365-93-2738"
}

You can configure the detokenization policy to detokenize values in your payload’s request or response.

To learn how to tokenize a value refer to the Tokenization Policy.

Detokenizing Requests

policy mule4 tokenization 67b25
  1. A user performs a request to the application protected by the policy.

  2. The request is first caught by Anypoint Security, and redirected to the application, reaching first the detokenization policy.

  3. The detokenization policy is configured to detokenize the request, so it extracts all the tokens from the payload using the selector expression.

  4. The detokenization service receives all the tokens, applies the transformation back to sensitive data, and then returns the result to the policy.

  5. The policy replaces the payload with the detokenized values, and the request reaches the Mule application.

  6. The Mule application processes the request and returns the result.

Detokenizing Responses

policy mule4 tokenization 9347d
  1. A user performs a request to the application protected by the policy.

  2. The request is first caught by Anypoint Security, and redirected to the application, reaching first the detokenization policy.

  3. The detokenization policy is configured to detokenize the Mule application’s response, so it redirects the request without extracting anything from the payload.

  4. The Mule application processes the request and returns the result.

  5. The detokenization policy extracts all the tokens from the payload using the selector expression.

  6. The tokenization service receives all the tokens, applies the transformation back to sensitive data, and then returns the result to the policy.

  7. The policy sends the response back to the user, with the detokenized values in the payload.

Policy Configuration

Element Description Required

Direction

Whether the values to detokenize should be extracted from the request or the response. The default behavior is to detokenize from the response.

Yes.

Fail on unmatched expressions

If selected, requests will fail when the rules cannot match any token.

No.

Services

The tokenization services available for the current Organization and Environment. Select the service that you need from the list, remembering that the formats available depend on the service that you choose.

Yes.

Expression

A selector expression to be used to extract the information that will be detokenized.

For example:

#[payload.people.creditCardNumber]

Only expressions using dots as field separators are allowed. While [payload.people.creditCardNumber] is valid, [payload[‘people’]] is not.

No.
Keep in mind that if you don’t specify a selector expression, the policy will be applied, but won’t detokenize anything from your payload.

Format

Type of information that will be detokenized. Formats may vary depending on the selected service. Choose one format from the list.

If you do not see any formats in the list, check that the tokenization service selected contains at least one format.
See the Tokenization Formats article for more information.

No.
Keep in mind that if you don’t specify a format, the policy will be applied, but won’t detokenize anything from your payload.

Scope and Considerations

  • One single instance of the policy supports only one tokenization service. All the formats that you configured need to be contained in the same tokenization service.

  • One single instance of the policy can be used to detokenize a value either in the request or the response, but not both.

  • The policy is not aware of the state of the tokenization service until runtime: If by mistake, you delete your tokenization service, or if the service is down for some reason, the policy won’t be able to establish a communication with the service, causing all the requests to fail until the service is available again.

  • During policy configuration, your services drop-down menu only displays the tokenization services that are ready to use. If you do not see the service you want, check if it is already deployed.

We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used and to tailor advertising. You can read more and make your cookie choices here. By continuing to use this site you are giving us your consent to do this.