Skip to main content

Collect Inbound Sensitive Data

This guide will show you how to collect data sent to your API without touching the data.

Key concepts in this guide:

Getting Started

To get started, you will need a Basis Theory account.

Next you will need a Management Application in order to provision the components in this guide.

Click here to create a Management Application or login to your Basis Theory account and create a new application from the Full Management Access template.

Save the API Key from the created Management Application as it will be used in this guide to provision everything.

Create a Public Application

We need a Public Application to create tokens from the inbound data before it reaches our API:

curl "https://api.basistheory.com/applications" \
  -H "BT-API-KEY: <API_KEY>" \
  -H "Content-Type: application/json" \
  -X "POST" \
  -d '{
    "name": "Collect Public App",
    "type": "public",
    "permissions": [ "token:create" ]
  }'
Be sure to replace <API_KEY> with the Management API Key you created in the Getting Started step.
Save the application id from the created Public Application as it will be used to create the proxy.

Create the Proxy

We will create a Proxy capable of intercepting inbound calls to our API, tokenize part of the request, and send the modified request to our API.

The Basis Theory Proxy leverages a request transform, which is executed in a secure Node.js 16 runtime. The following code will handle tokenizing the request:

module.exports = async function (req) {
  const socialSecurityNumber = req.args.body.socialSecurityNumber;

  const token = await req.bt.tokens.create({
    type: "token",
    data: socialSecurityNumber
  });

  return {
    headers: req.args.headers,
    body: {
      ...req.args.body,
      socialSecurityNumber: token.id
    }
  };
};

This code will read in the socialSecurityNumber property from the request body, tokenize it with a pre-configured Basis Theory JS SDK instance, and update the request body replacing the original socialSecurityNumber value with id of the token.

We need to create an instance of a Proxy with the previous code as a request_transform.

First, let's store the JavaScript code as a variable. In your terminal, run the following:

javascript='module.exports = async function (req) {
  const socialSecurityNumber = req.args.body.socialSecurityNumber;

  const token = await req.bt.tokens.create({
    type: "token",
    data: socialSecurityNumber
  });

  return {
    headers: req.args.headers,
    body: {
      ...req.args.body,
      socialSecurityNumber: token.id
    }
  };
};'

Next, we need to create an instance of a Proxy, with the variable we created:

curl "https://api.basistheory.com/proxies" \
  -H "BT-API-KEY: <API_KEY>" \
  -H "Content-Type: application/json" \
  -X "POST" \
  -d '{
    "name": "Inbound Proxy Example",
    "destination_url": "https://echo.basistheory.com/anything",
    "request_transform": {
      "code": '"$(echo $javascript | jq -Rsa .)"'
    },
    "application": {
      "id": "45c124e7-6ab2-4899-b4d9-1388b0ba9d04"
    },
    "require_auth": false
  }'
Be sure to replace <API_KEY> with the Management API Key you created in the Getting Started step and replace 45c124e7-6ab2-4899-b4d9-1388b0ba9d04 with the id of the Public Application you created in the Getting Started step.
Save the proxy key from the response as it will be used to invoke the proxy.

This is using jq to replace the JavaScript code as a JSON escaped string value. It will create a new Proxy instance where we will run the request_transform on the inbound Proxy request against the body and headers of the request. The proxy will then send the request to our destination_url, which should be your API URL. In this guide, we are going to use https://echo.basistheory.com/anything so we can see the tokenized socialSecurityNumber.

Invoke the Proxy

Now that we have our Proxy created, we need to invoke it. In your terminal run the following:

curl "https://api.basistheory.com/proxy" \
  -H "BT-PROXY-KEY: TDEyQmkhQMpGiZd13FSRQ9" \
  -H "Content-Type: application/json" \
  -X "POST" \
  -d '{
    "socialSecurityNumber": "123-45-6789"
  }'
Be sure to replace TDEyQmkhQMpGiZd13FSRQ9 with the key of the Proxy you created in the Create the Proxy step.

If successful, you should see an output similar to this:

{
  "args": {},
  "data": "{\"socialSecurityNumber\":\"8b4f3aab-abc6-423f-86b9-c368919bdc65\"}",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Bt-Trace-Id": "0us+cYwAAAACCDkUl9kKnRY3yEEMzpsZ/Q0hHRURHRTE2MTkAMTYzY2E1ODMtNjQ3MS00MTc3LTg0ZGItZTA4MzBlZGFiODUw",
    "Content-Length": "63",
    "Content-Type": "application/json",
    "Disguised-Host": "echo.basistheory.com",
    "Host": "echo.basistheory.com",
    "User-Agent": "curl/7.85.0",
    "X-Forwarded-Tlsversion": "1.2",
    "X-Original-Url": "/anything",
    "X-Waws-Unencoded-Url": "/anything"
  },
  "json": {
    "socialSecurityNumber": "8b4f3aab-abc6-423f-86b9-c368919bdc65"
  },
  "method": "POST",
  "url": "https://echo.basistheory.com/anything"
}

Notice that the socialSecurityNumber was successfully replaced with our tokenized value.

Now that you have your token, check out our guide on how to send data to a third-party!

Learn More