Connections tips and best practices

Here are a few key things to know about Skyflow connections:

    Each vault can have multiple connections associated with it.Only the Vault Owner for each vault can create and manage connections.To make a request to the connection endpoint, you need a service account created at the connection level. Additionally, this service account needs to be assigned the Connection Invoker role.When deciding between an inbound or outbound connection:
      Use an outbound connection if the request must be forwarded to another URL. You only need the base URL of the third party API (for example,, not the full path. The relative path will be configured in the next step under Route Configuration. Use an inbound connection if the request must be returned to the requesting URL. Inbound routes currently don't support forwarding URLs.
    On the routes summary page, you can configure more than one route and their respective relative paths to be associated with a single connection.

Advanced configuration

Response body

Connections have the capability to handle the response from a third party service. For example, if you make a call to Stripe and the response contains any PII or PCI data, you could choose to tokenize it in the Skyflow vault so that your backend services only receive the tokens instead of the sensitive data. In this case, the route mapping would look like the following:


When the action is Tokenization, the table and column names are required to store and tokenize the sensitive data in the right vault location.

Outbound encryption

Outbound encryption is an optional configuration fully dependent on the signing requirements from the third party service. Skyflow connections currently supports three options for signing outbound requests:

    None: Select if outbound encryption is not needed (or you can skip this step altogether).mTLS: Upload the private key and public key associated with the mTLS certificate from the third party service.Shared key: Upload a shared key provided by the third party service.

To access the outbound encryption settings for a connection, go to the Connections section of the Settings tab and click the connection. Then click Edit and click the Outbound Encryption tab.

Nested fields

Currently, connections don't support the tokenization or insertion of data into a nested field in the vault.

If your request or response body contains a field that is nested, Skyflow connections support accessing the nested elements in the fields to be mapped to a specific column in the vault.

Here is a sample request to explain this concept:

Sample request/response:

  "data": {
    "id": "qEnOZ5Oh0poWluFBfVw_0000",
    "full_name": "Alice",
    "phone_numbers": [
    "emails": [
        "address": "",
        "type": null
        "address": "",
        "type": "professional"
    "experience": [
        "title": {
          "name": "co-founder",
          "levels": [
        "is_primary": false

Skyflow connections mappings:

    To tokenize the id value, enter "" under the field name. To tokenize the phone_number value, enter "data.phone_numbers.*" under the field name. To tokenize the address value, enter "data.emails.*.address" under the field name. To tokenize levels, enter "data.experience..title.levels." under the field name.

Message Level Encryption (MLE)

Some third party services like Visa may also require Message Level Encryption (MLE) on a per route basis. To configure MLE, enter your key ID, private key, and public key. Then click the Route tab and toggle on the MLE switch for each route you want to encrypt.

Next steps

In this article