Detokenization
Overview
The Detokenization API is used to convert a token back into its original or protected data value.
Depending on the configured OneDB template, the returned value may be the original sensitive data or a masked version of the data. This allows organizations to control how much sensitive information is revealed to applications, users, or services.
This API should only be used by authorized applications or services that are allowed to retrieve protected data based on the configured OneDB policy.
How Detokenization Works
When an application sends a token to OneDB, OneDB checks the selected template and returns the corresponding value based on the configured policy.

For example, a token such as:
3324-1991-5516-0208
may be returned as:
4111-2222-3333-4444
or, depending on the template policy:
41**-****-****-**44
Detokenization Modes
OneDB provides two detokenization modes:
| Mode | Description |
|---|---|
| Single Detokenization | Detokenizes one token in a single request. |
| Multiple Detokenization | Detokenizes multiple tokens in one request. |
Articles
Single
Use Single Detokenization when the application needs to detokenize one token at a time.
Example use case:
3324-1991-5516-0208
is converted into:
4111-2222-3333-4444
Multiple
Use Multiple Detokenization when the application needs to detokenize several tokens in one API call.
This is useful for batch processing, transaction lookup, customer record retrieval, reporting, or services that need to retrieve multiple protected values at the same time.
Important Notes
- Detokenization requires a valid Bearer token.
- The `templateName` must match an existing template configured in OneDB.
- The `token` value must be a valid token generated by OneDB.
- The `trxId` should be unique for each request.
- Depending on the template configuration, OneDB may return the original value or a masked value.
- Access to detokenization should be strictly controlled because it may expose sensitive data.
- Applications should avoid exposing detokenized values in logs, frontend code, error messages, or unsecured downstream systems.
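One way to act on the last note, as an added example that is not part of the OneDB documentation: a Python logging filter that rewrites card-shaped values into the masked form shown earlier (`41**-****-****-**44`) before any handler writes them. The logger name, the `trxId` value and the log messages are constructed for illustration.

```python
import logging
import re

# Four dash-separated groups of four digits: the shape of the values in the page's examples.
# Tokens on the page have the same shape as real values, so both get redacted.
CARD_SHAPED = re.compile(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b")


def mask(value: str) -> str:
    """Keep the first two and last two digits, star the rest, keep separators."""
    digits = [i for i, ch in enumerate(value) if ch.isdigit()]
    keep = set(digits[:2] + digits[-2:]) if len(digits) > 4 else set()
    return "".join(
        ch if not ch.isdigit() or i in keep else "*" for i, ch in enumerate(value)
    )


class RedactDetokenized(logging.Filter):
    """Rewrite each record so card-shaped values never reach the handler's output."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so values passed as %-style args are covered too.
        record.msg = CARD_SHAPED.sub(lambda m: mask(m.group()), record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the demo runs offline."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo():
    handler = ListHandler()
    handler.addFilter(RedactDetokenized())  # on the handler, so every record it emits is covered
    log = logging.getLogger("onedb.demo")  # hypothetical logger name
    log.addHandler(handler)
    log.propagate = False
    log.setLevel(logging.INFO)
    # Constructed log calls using the sample values from the page.
    log.info("detokenized %s for trxId=%s", "4111-2222-3333-4444", "demo-1")
    log.error("lookup failed for value 4111-2222-3333-4444")
    log.removeHandler(handler)
    return handler.lines
```

Attach the filter to each handler rather than to a single logger, because logger-level filters do not apply to records propagated from child loggers.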