
What is Basis Theory’s Proxy?

The Basis Theory Proxy provides developers and organizations a powerful tool for sending sensitive data via HTTP without your application needing to decrypt the data.

What is the Proxy?

Tokenizing your data is only the first step. Once your data is safe and secure in your vault, you need to use that data in a meaningful way. The Basis Theory Proxy provides a simple interface to send HTTP requests containing sensitive data without your system needing the plaintext value. The Proxy requires minimal changes to your existing code and logic.

In its simplest form, the Proxy is simply a regular HTTP proxy: it receives a request, forwards the request to the intended destination, then passes the response back from the destination. 

For example, let's assume a third-party platform for credit checks needs Personally Identifiable Information (PII), such as a user's social security and driver's license numbers. Sending an HTTP request with a JSON body is straightforward in most frameworks today. The only additional headers you need are `BT-PROXY-URL`, which is the intended destination, and your `BT-API-KEY`.


curl "https://api.basistheory.com/proxy" \
  -H "Content-Type: application/json" \
  -H "Authorization: <BEARER-TOKEN>" \
  -H "BT-PROXY-URL: https://creditchecker.com/api" \
  -H "BT-API-KEY: <BT-API-KEY>" \
  -X "POST" \
  -d '{
      "name": "John Doe",
      "ssn": "123-45-6789",
      "licenseNumber": "L123456789"
  }'

To make this request, you would first need to decrypt your tokens! This is where the real power of the Proxy comes in: you don't need to pass the raw value, only the Token identifier.


curl "https://api.basistheory.com/proxy" \
  -H "Content-Type: application/json" \
  -H "Authorization: <BEARER-TOKEN>" \
  -H "BT-PROXY-URL: https://creditchecker.com/api" \
  -H "BT-API-KEY: <BT-API-KEY>" \
  -X "POST"  \
  -d '{
      "name": "John Doe",
      "ssn": "{{918b87ad-9fef-4593-9a2a-81ab6b1801a2}}",
      "licenseNumber": "{{e7a00936-926a-422c-b686-3b19514d1ebd}}"
  }'

When the Proxy receives the request, it replaces the Token identifiers with the raw values (detokenization). The response is then passed straight through to you, regardless of whether it was successful or not. So you have now sent the sensitive data without the raw value touching your system!

Complex Data

A social security or driver’s license number is just a single value. What if you need to pass a complex object like a credit card? First, let’s look at what a fictional charge request might look like:


curl "https://api.creditcardcompany.com/charge" \
  -H "Content-Type: application/json" \
  -H "Authorization: <BEARER-TOKEN>" \
  -X "POST" \
  -d '{
    "card": {
      "number": "4242424242424242",
      "expiration_month": 12,
      "expiration_year": 2022,
      "cvc": 123
    }
  }'

Once you have a `card` Token, passing this request through the Proxy is just as simple as passing a social security number:


curl "https://api.basistheory.com/proxy" \
  -H "Content-Type: application/json" \
  -H "Authorization: <BEARER-TOKEN>" \
  -H "BT-PROXY-URL: https://api.creditcardcompany.com/charge" \
  -H "BT-API-KEY: <BT-API-KEY>" \
  -X "POST" \
  -d '{
      "card": "{{a323f9fd-2334-490c-b3c5-ef2657b066d6}}"
  }'

When the request hits the Proxy, the Token Identifier is replaced with the entire card object. This example is admittedly convenient: the properties on the `card` object in the request match the schema for the Basis Theory `card` Token Type.

So what if the merchant required the expiration date to be in `YYYY/MM` format?

Data Expression and Transformation

Detokenization occurs on requests when a detokenization expression is detected. As we've seen above, the simplest form of a detokenization expression is `{{token-identifier}}`.

When detokenized, the expression is replaced with the plaintext data held in the token: a simple string in the first example above, a complex object in the card example. (Note: only Token Identifiers are detokenized; anything else inside `{{}}` will be ignored.)

Basis Theory supports JSON Path transformations to further work with complex data types. These transformations allow you to grab only the pieces of data you need for a request. Using these transformations, you can easily format the expiration date as `YYYY/MM`:


curl "https://api.basistheory.com/proxy" \
  -H "Content-Type: application/json" \
  -H "Authorization: <BEARER-TOKEN>" \
  -H "BT-PROXY-URL: https://api.creditcardcompany.com/charge" \
  -H "BT-API-KEY: <BT-API-KEY>" \
  -X "POST" \
  -d '{
    "card": {
      "number": "{{a323f9fd-2334-490c-b3c5-ef2657b066d6 | $.card.number}}",
      "expiration": "{{a323f9fd-2334-490c-b3c5-ef2657b066d6 | $.card.expiration_year}}/{{a323f9fd-2334-490c-b3c5-ef2657b066d6 | $.card.expiration_month}}",
      "cvc": "{{a323f9fd-2334-490c-b3c5-ef2657b066d6 | $.card.cvc}}"
    }
  }'
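The detokenization rules described above, as an added model written for this page (not Basis Theory's own implementation): a small Python evaluator that substitutes `{{token-identifier}}` expressions from a constructed sample vault, applies the `| $.path` JSON Path transformation (only the dot-path subset is assumed), and leaves anything inside `{{}}` that is not a known token identifier untouched. So that the page's `$.card.number` path resolves, the sample card token's data is assumed to be an object with a top-level `card` key.

```python
import re
import uuid

# Constructed sample vault (token identifier -> plaintext); stands in for the Basis Theory vault
VAULT = {
    "918b87ad-9fef-4593-9a2a-81ab6b1801a2": "123-45-6789",
    "a323f9fd-2334-490c-b3c5-ef2657b066d6": {"card": {
        "number": "4242424242424242", "expiration_month": 12,
        "expiration_year": 2022, "cvc": 123}},
}

# Matches {{ <token-identifier> }} and {{ <token-identifier> | <json path> }}
EXPR = re.compile(r"\{\{\s*([^{}|]+?)\s*(?:\|\s*(\$[^{}]*?)\s*)?\}\}")

def _json_path(data, path):
    """Tiny JSON Path subset (assumption): '$.a.b' walks object keys, no filters or arrays."""
    for key in path.lstrip("$").strip(".").split("."):
        if key:
            data = data[key]
    return data

def _resolve(tid, path):
    """Plaintext for one expression, or None when tid is not a known token identifier."""
    try:
        uuid.UUID(tid)  # anything that is not a token identifier is ignored, per the page
    except ValueError:
        return None
    if tid not in VAULT:
        return None
    return _json_path(VAULT[tid], path) if path else VAULT[tid]

def detokenize(value):
    """Walk a parsed JSON body and evaluate every detokenization expression in it."""
    if isinstance(value, dict):
        return {k: detokenize(v) for k, v in value.items()}
    if isinstance(value, list):
        return [detokenize(v) for v in value]
    if not isinstance(value, str):
        return value
    whole = EXPR.fullmatch(value)
    if whole:  # the whole string is one expression: substitute the typed value (may be an object)
        found = _resolve(whole.group(1), whole.group(2))
        return value if found is None else found
    # expressions embedded in a longer string (e.g. "{{..}}/{{..}}") are stringified in place
    def sub(m):
        found = _resolve(m.group(1), m.group(2))
        return m.group(0) if found is None else str(found)
    return EXPR.sub(sub, value)
```

In this model a single-digit month renders as `2022/1`, since the path expression only extracts a value; any zero-padding would need a separate transformation step.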

Migrating Your App to Use the Proxy

One concern for any development team when considering a new product is the effort involved in migrating the existing app to use that new product. The Basis Theory Proxy is designed to make that transition as simple as possible.

Instead of having to build custom Reactor Formulas and alter your business logic to call the Reactor, you can simply repurpose your existing HTTP call. The only code changes required to use the proxy are to pass the Token Identifier in the body instead of the raw value and add the `BT-API-KEY` and `BT-PROXY-URL` headers.

By changing only a few lines of code, your system is now that much closer to compliance!

Interested in trying Proxy? Register for a free account and get to production without a credit card today. 
