For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
DocsAPI Reference
  • Fundamentals
    • Home
    • Why Skyflow?
    • Get started with Skyflow
    • Explore what Skyflow can do
    • Authenticate
    • Accounts and environments
    • Deployment models
    • Security best practices
    • Compliance and certifications
    • Get data into Skyflow
    • Platform FAQs
  • Governance
    • Overview
  • Tokenization
    • Overview
  • Connections
    • Overview
  • Processing
  • AI and data sanitization
    • Overview
  • SDKs
    • Overview
  • Elements
    • Collect and reveal data with Skyflow Elements
LogoLogo
Login
Login
On this page
  • Outbound connections
  • URL whitelisting
  • Inbound connections
  • Connection configuration
  • Next steps
Connections

Connections overview

Was this page helpful?
Previous

Functions

Next
Built with

Skyflow connections is a gateway service that uses Skyflow’s underlying tokenization capabilities to securely send and receive data between your connection to first- and third-party services.

You can configure a Skyflow connection in two modes:

  • Outbound connection: An outbound connection integrates your backend server with a third-party service provider. The configuration lets your server securely extract data from the vault and send it to third-party services for processing.
  • Inbound connection: Inbound connections sit between your client and server. Client services can invoke an inbound connection to tokenize sensitive data, pass the tokenized data to your server, and prevent downstream services from containing the sensitive data.

Outbound connections

Outbound connection requests originate internally and are outbound from Skyflow. For example, if you’re a credit card issuing company with a Visa partnership, you need to securely integrate with Visa DPS to issue debit card IDs on your customer’s behalf.

To create a custom connection to a third-party service, you need the following information to complete a third-party API call:

  • Third-party service documentation for the structure, authentication method, and authorization header to invoke a Skyflow connection
  • Detokenization settings for sensitive API request fields, data tokens in your vault, and access to those sensitive data tokens
  • Your Skyflow connection URL, Skyflow bearer token (X-SKYFLOW-AUTHORIZATION header), and Skyflow account ID (X-SKYFLOW-ACCOUNT-ID header)
  • Connection URL (available once you create the connection)
  • Skyflow bearer token sent as the X-SKYFLOW-AUTHORIZATION header (generates when using service account credentials)
  • Skyflow account ID sent as the X-SKYFLOW-ACCOUNT-ID header

URL whitelisting

To preserve the privacy, security, and integrity of your vault data, Skyflow needs to review and whitelist all third-party URLs (outbound base URLs) before you can use them in production environments. URLs must be individually whitelisted for each region and environment. Reach out to Skyflow Support to whitelist URLs.

Inbound connections

Inbound connection requests originate externally and are inbound to Skyflow. For example, you’re a company that collects PII data and use MuleSoft as the middleware through which your data flows. As such, you need to natively integrate your MuleSoft API gateway with your Skyflow vault to make sure sensitive data is tokenized and only tokens for the PII data make it into MuleSoft.

To establish an inbound connection, evaluate the following information about your Skyflow inbound connection for incoming data requests:

  • Tokenization settings for sensitive API request fields, data tokens in your vault, and access to those sensitive data tokens
  • Connection URL (available once you create the connection)
  • Connection ID
  • Skyflow bearer token

Connection configuration

When you configure a connection, there are several key components of establishing a connection:

  • Routes: Routes let you create a relative path and select an HTTP method to invoke your connection’s endpoint.
  • Service accounts: To authenticate with service accounts, you must generate a bearer token first. At the connection level, the service account assigns the Connection Invoker role when invoking a connection.
  • Authentication, encryption and signing: The connection-level advanced configuration accepts authentication parameters and keys if the service you connect to requires mTLS, message encryption, or digital signatures.
  • Select and transform data: Use regular expressions to select specific portions of data, transform data formats, and find and replace sensitive information before tokenization or after detokenization.

Next steps

Visit the routes overview to learn more about configuration options. Learn about the business need for Skyflow connections, explore connections tips and best practices, or get started with the following guides to create an outbound connection or build your own.

  • Custom outbound connections
  • Plaid
  • Stripe
  • VISA DPS
  • MuleSoft