@piiano/vault-client

import type { Count } from '../models/Count'; import type { DetokenizedToken } from '../models/DetokenizedToken'; import type { ImportTokensBulkResponse } from '../models/ImportTokensBulkResponse'; import type { QueryToken } from '../models/QueryToken'; import type { RotatedTokens } from '../models/RotatedTokens'; import type { Tag } from '../models/Tag'; import type { TokenData } from '../models/TokenData'; import type { TokenDataPage } from '../models/TokenDataPage'; import type { TokenizeRequest } from '../models/TokenizeRequest'; import type { TokenMetadata } from '../models/TokenMetadata'; import type { TokenType } from '../models/TokenType'; import type { TokenValue } from '../models/TokenValue'; import type { TransactionID } from '../models/TransactionID'; import type { UpdateTokenRequest } from '../models/UpdateTokenRequest'; import type { CancelablePromise } from '../core/CancelablePromise'; import type { BaseHttpRequest } from '../core/BaseHttpRequest'; export declare class TokensClient { readonly httpRequest: BaseHttpRequest; constructor(httpRequest: BaseHttpRequest); /** * Get token count * Gets the number of tokens in a collection. * * The role performing this operation must have at least one allowing policy and no denying policies for the `stats` operation. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how Vault uses policies to control access to data. * @returns Count The request is successful. * @throws ApiError */ getTokensCount({ collection, adhocReason, reason, customAudit, reloadCache, additionalHeaders, }: { /** * The name of the collection containing the tokens. */ collection: string; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; additionalHeaders?: Record<string, string>; }): CancelablePromise<Count>; /** * Tokenize * Creates a token that reference the values of an object's properties. The token ID is partially or wholly randomly-generated and, therefore, is not sensitive. Supports bulk operations. * * The returned token IDs are in the same order as the object IDs in the request. No tokens are created if any object IDs are invalid or not found. * * If this operation is called for an object ID and properties that have a token: * - Any token tags are appended to the existing token. * - If an expiration is specified, then the token expiry is updated. If an expiration is not specified, the token expiry is updated if the default settings result in an expiry date after the token's current expiry date. * * The operation can optionally include a transaction ID. This is an arbitrary string included in the request using the `transaction_id` query parameter. If a transaction ID is included, the token is associated with the transaction ID. The transaction ID can be used to retrieve the token ID by calling the [get by transaction ID](/api/operations/get-by-transaction-id) operation. A transaction ID is unique to the operation and collection. It cannot be used again on future calls to the `tokenize` operation on the same collection. If multiple tokens are created in the `tokenize` operation (bulk), all the tokens are associated with the transaction ID. * * The role performing this operation must have both of these: * - The `CapTokensWriter` capability. * - At least one allowing policy and no denying policies for the `tokenize` operation for each of the collection properties specified in the call. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how capabilities are used to control access to operations and policies are used to control access to data. * * @returns TokenValue The request is successful. * @throws ApiError */ tokenize({ collection, requestBody, expirationSecs, xTenantId, transactionId, adhocReason, reason, customAudit, reloadCache, additionalHeaders, }: { collection: string; /** * Details of the tokenization request. */ requestBody: Array<TokenizeRequest>; /** * Token expiration time in seconds. If not set, the default expiration time is used. See the `PVAULT_EXPIRATION_TOKENS` variable. If set to an empty value, the token will be marked to not expire. */ expirationSecs?: string; /** * List of tenant IDs to enforce on the request. */ xTenantId?: Array<string>; /** * The transaction ID to attach to the token. */ transactionId?: string; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; additionalHeaders?: Record<string, string>; }): CancelablePromise<Array<TokenValue>>; /** * Detokenize tokens * Returns the object property values for tokens. * * The tokens returned by this operation are defined using three query parameters: `token_ids`, `object_ids`, and `tags`. The operation returns an empty response if it finds no matches. See the [Retrieve a token](/guides/tokenize-personal-data/retrieve-a-token) guide for more information about how to match tokens for this operation. * * The role performing this operation must have all of these: * - The `CapTokensDetokenizer` capability. * - Policies: * + At least one allowing policy and no denying policies for the `detokenize` operation for each of the collection properties that are tokenized by tokens specified in the query. * + At least one allowing policy and no denying policies for the `read` operation for each of the collection properties that are tokenized by tokens specified in the query. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how capabilities are used to control access to operations and policies are used to control access to data. * * @returns DetokenizedToken The request is successful. * @throws ApiError */ detokenize({ collection, objectIds, tags, tokenIds, props, options, xTenantId, adhocReason, reason, customAudit, reloadCache, additionalHeaders, }: { collection: string; /** * Comma-separated list of object IDs. */ objectIds?: Array<string>; /** * Comma-separated list of tags. */ tags?: Array<Tag>; /** * Comma-separated list of token IDs. */ tokenIds?: Array<string>; /** * The list of property names and transformations. To include multiple names and transformations, provide a comma-separated list. For example, `props=first_name,last_name,email.mask`. */ props?: Array<string>; /** * Options for the operation. Options include: * - `include_metadata` - show token metadata in the response. * - 'include_aggregated_data' - whether to include aggregated data in the response. If not specified, aggregated data is not included. Only applicable if `include_metadata` is set. * */ options?: Array<'include_metadata' | 'include_aggregated_data'>; /** * List of tenant IDs to enforce on the request. */ xTenantId?: Array<string>; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; additionalHeaders?: Record<string, string>; }): CancelablePromise<Array<DetokenizedToken>>; /** * Delete tokens * Deletes tokens. * * The tokens deleted are those that match all the criteria in the `token_ids`, `object_ids`, `tags`, and `tenant_id` parameters. `tenant_id` is matched against the tenant ID of the object owning the token. If the token query finds no matches, the operation returns a 404 error. See [delete tokens](/guides/tokenize-personal-data/delete-a-token) for more details. * * The role performing this operation must have both of these: * - The `CapTokensWriter` capability. * - At least one allowing policy and no denying policies for the `delete` operation for the `tokens` resource of the specified collection. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how capabilities are used to control access to operations and policies are used to control access to data. * * @returns any The request is successful. * @throws ApiError */ deleteTokens({ collection, objectIds, tags, tokenIds, tenantId, options, xTenantId, adhocReason, reason, customAudit, reloadCache, additionalHeaders, }: { collection: string; /** * Comma-separated list of object IDs. */ objectIds?: Array<string>; /** * Comma-separated list of tags. */ tags?: Array<string>; /** * Comma-separated list of token IDs. */ tokenIds?: Array<string>; /** * A Tenant ID. Can only be provided as an additional filter to `tokens_ids`, `object_ids`, or `tags`. DEPREDATED: Use X-Tenant-Id header instead. * @deprecated */ tenantId?: string; /** * Options for the operation. Options include: * - `archived` – whether to delete only archived tokens. If not specified, delete only active tokens. * */ options?: Array<'archived'>; /** * List of tenant IDs to enforce on the request. */ xTenantId?: Array<string>; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; additionalHeaders?: Record<string, string>; }): CancelablePromise<any>; /** * Update tokens * Updates token data or token metadata `tags` and `expiration` properties. * * ### Update token metadata * * See the [Update a token](/guides/tokenize-personal-data/update-a-token) guide for more information about updating a token's metadata. * * ### Update token data * * To update token data, all the tokens must: * * have the same token ID. * * be token types `pci`, `pci_oneway`, or `randomized` (metadata can be updated in all token types). * * To update a token's data, set the `object` parameter to contain one of these: * 1. Objects stored in Vault by providing their ID. * 2. Fields not stored in Vault by providing a map of their properties and property values. These fields must conform to the schema of the collection specified in the request. * 3. Ciphertext. This enables you to update a token's data with a subset of another ciphertext's properties or with a different encryption type or scope. * * Updates to the token's data do not change the token's metadata, token ID, ownership, or lifecycle of the token . However, the data update may affect subsequent tokenizations. For example, if a token of type `pci` with ID "X" is updated, subsequent tokenizations of the new data have the same token ID "X," while tokenizations of the previous data results in a new token ID. See [Tokenization](/data-security/tokenization) for more information on token types. * * :::note * Update to the token's data overrides the entire existing data. * ::: * * ### Permissions * * The role performing this operation must have both of these: * - The `CapTokensWriter` capability. * - At least one allowing policy and no denying policies for the `write` operation for the `tokens` resource of the collection specified in the call. * - Updating a token's metadata requires the `write` operation for the `tokens` resource of the collection specified in the call. * - Updating a token's data requires the `tokenize` operation for each of the collection properties specified in the call. * - For updating both the metadata and the data of a token, only the `tokenize` operation permission is required. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how capabilities are used to control access to operations and policies are used to control access to data. * * ### Query * * The tokens returned by this operation are defined using three query parameters: `token_ids`, `object_ids`, and `tags`. If no tokens are matched, status code 404 is returned. See the [Retrieve a token](/guides/tokenize-personal-data/retrieve-a-token) guide for more information about how to match tokens for this operation. * * @returns any The request is successful. * @throws ApiError */ updateTokens({ collection, requestBody, expirationSecs, objectIds, tags, tokenIds, options, xTenantId, adhocReason, reason, customAudit, reloadCache, additionalHeaders, }: { collection: string; /** * Update token request details. */ requestBody: UpdateTokenRequest; /** * Expiration time in seconds for the tokens. If not set, the expiry dates of the tokens are not changed. If set to an empty value, the token will be marked to not expire.' */ expirationSecs?: string; /** * Comma-separated list of object IDs. */ objectIds?: Array<string>; /** * Comma-separated list of tags. */ tags?: Array<string>; /** * Comma-separated list of token IDs. */ tokenIds?: Array<string>; /** * Options for the operation. Options include: * - `archived` – whether to update only archived tokens. If not specified, update only active tokens. * */ options?: Array<'archived'>; /** * List of tenant IDs to enforce on the request. */ xTenantId?: Array<string>; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; additionalHeaders?: Record<string, string>; }): CancelablePromise<any>; /** * Rotate tokens * Generates new token IDs for a list of tokens. * * The role performing this operation must have both of these: * - The `CapTokensWriter` capability. * - At least one allowing policy and no denying policies for the `write` operation for the `tokens` resource of the specified collection. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how capabilities are used to control access to operations and policies are used to control access to data. * * @returns RotatedTokens The request is successful. * @throws ApiError */ rotateTokens({ tokenIds, collection, xTenantId, adhocReason, reason, customAudit, reloadCache, additionalHeaders, }: { /** * Comma-separated list of token IDs. */ tokenIds: Array<string>; collection: string; /** * List of tenant IDs to enforce on the request. */ xTenantId?: Array<string>; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; additionalHeaders?: Record<string, string>; }): CancelablePromise<RotatedTokens>; /** * Search tokens * Lists tokens with their metadata. * * The tokens returned by this operation are defined using three query parameters: `token_ids`, `object_ids`, and `tags`. The operation returns an empty response if it finds no matches. See the [Retrieve a token](/guides/tokenize-personal-data/retrieve-a-token) guide for more information about how to match tokens for this operation. * * The role performing this operation must have all of these: * - The `CapTokensReader` capability. * - At least one allowing policy and no denying policies for the `read` operation for the `tokens` resource of the specified collection. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how capabilities are used to control access to operations and policies are used to control access to data. * * @returns TokenMetadata The request is successful. * @throws ApiError */ searchTokens({ collection, requestBody, options, xTenantId, adhocReason, reason, customAudit, reloadCache, additionalHeaders, }: { collection: string; /** * The token query. */ requestBody: QueryToken; /** * Options for the operation. Options include: * - `archived` – whether to search only archived tokens. If not specified, search only active tokens. * - 'include_aggregated_data' - whether to include aggregated data in the response. If not specified, aggregated data is not included. * */ options?: Array<'archived' | 'include_aggregated_data'>; /** * List of tenant IDs to enforce on the request. */ xTenantId?: Array<string>; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; additionalHeaders?: Record<string, string>; }): CancelablePromise<Array<TokenMetadata>>; /** * Get tokens by transaction ID * Returns the list of token IDs associated with a transaction ID, an optional identifier passed to the [tokenize](/api/operations/tokenize) operation. * * The role performing this operation must have the `CapTransactionIdReader` capability, or another capability that matches the URL, such as the `CapDataReader` capability. * @returns TransactionID The request is successful. * @throws ApiError */ getByTransactionId({ id, collection, adhocReason, reason, customAudit, reloadCache, additionalHeaders, }: { /** * The transaction ID. */ id: string; collection: string; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; additionalHeaders?: Record<string, string>; }): CancelablePromise<TransactionID>; /** * Export tokens * Internal operation that lists token details for export by the CLI. * * Limitations: * - Export of tokens of type `pci_oneway` is not supported. * * The role performing this operation must have: * - The `CapTokensExporter` capability. * - At least one allowing policy and no denying policies for the `detokenize` operation for each of the collection properties that are tokenized in tokens specified in the query. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how capabilities are used to control access to operations and policies are used to control access to data. * * @returns TokenDataPage The request is successful. * @throws ApiError */ exportTokens({ collection, adhocReason, reason, customAudit, reloadCache, pageSize, cursor, tokenTypes, additionalHeaders, }: { collection: string; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; /** * The maximum number of items to return in this request. If not specified, the default value is used. The default value is specified in the [`PVAULT_SERVICE_DEFAULT_PAGE_SIZE` environment variable](/guides/configure/environment-variables#service-and-features). Must not exceed the value specified in the [`PVAULT_SERVICE_MAX_PAGE_SIZE` environment variable](/guides/configure/environment-variables#service-and-features). */ pageSize?: number; /** * The cursor represents the state of consecutive queries for the same request parameters. In the first call, the cursor may be omitted or specified as an empty string. In consecutive calls, it should be set to the value of the cursor field of the objectFieldsPage returned by the previous call. Note: when the `id` is specified, paging is not supported. In this case, if the number of `id` values specified exceeds the maximum page size, the method returns 400 (BAD REQUEST). */ cursor?: string; /** * Comma-separated list of token types. */ tokenTypes?: Array<TokenType>; additionalHeaders?: Record<string, string>; }): CancelablePromise<TokenDataPage>; /** * Import tokens * Internal operation that imports token details that were previously exported by the CLI. * * Limitations: * - Import of tokens of type `pci_oneway` and `deterministic` is not supported. * - Import of tokens of type 'pci' is supported only if the token data is not present in the Vault. * * The role performing this operation must have: * - The `CapTokensImporter` capability. * - At least one allowing policy and no denying policies for the `write` operation for the `tokens` resource of the specified collection. * * See [identity and access management](/data-security/identity-and-access-management) for more information about how capabilities are used to control access to operations and policies are used to control access to data. * * @returns ImportTokensBulkResponse The request is successful. * However, this status doesn't indicate that the operation imported all the tokens. * Check the response body for the status of each token. * * @throws ApiError */ importTokens({ collection, requestBody, adhocReason, reason, customAudit, reloadCache, exportKey, additionalHeaders, }: { collection: string; /** * Details of the tokens to import. */ requestBody: Array<TokenData>; /** * An ad-hoc reason for accessing the Vault data. Required when `reason` is set to `Other`. */ adhocReason?: string; /** * Details of the reason for requesting the property. The default is set when no access reason is provided and PVAULT_SERVICE_FORCE_ACCESS_REASON is false. */ reason?: 'AppFunctionality' | 'Analytics' | 'Notifications' | 'Marketing' | 'ThirdPartyMarketing' | 'FraudPreventionSecurityAndCompliance' | 'AccountManagement' | 'Maintenance' | 'DataSubjectRequest' | 'Other'; /** * Custom audit information to be included in the audit log. */ customAudit?: string; /** * Reloads the cache before the action. */ reloadCache?: boolean; /** * The encrypted copy of the key used to encrypt exported data. The key is encrypted using the export KMS key defined by the [`PVAULT_KMS_EXPORT_URI` or `PVAULT_KMS_EXPORT_SEED` environment variables](/guides/configure/environment-variables#key-management-service). When importing data, the key is decrypted by the KMS, then used to decrypt the data. This parameter is not intended to be used manually, but through the CLI command `pvault import`. */ exportKey?: string; additionalHeaders?: Record<string, string>; }): CancelablePromise<ImportTokensBulkResponse>; } //# sourceMappingURL=TokensClient.d.ts.map