Build your solution | Skyflow

Now that you’ve defined your solution, you can start building it. During this stage, you’ll build your solution in your Sandbox instance of Skyflow, test integrations with the other components of your architecture, and review the security of your solution with Skyflow to harden compliance requirements before moving to production.

Integrate Skyflow into your systems

Integrating Skyflow into your systems is a multi-step process that involves setting up authentication, configuring roles and policies, integrating server-side and client-side components, and implementing additional processing/external integration features as needed.

Implement authentication and configure data governance together to minimize gaps in access control and data management. Start by identifying the necessary personas or roles for your solution and set up users or service accounts accordingly. This approach allows you to define specific roles and permissions, ensuring users access only the data and functionalities they need. As you establish authentication, you may uncover additional needs or constraints that can refine your data governance policies, and vice versa.

API References

Comprehensive reference for all Skyflow API endpoints.

OpenAPI & Postman Collections

Explore and test APIs using OpenAPI definitions and Postman collections.

Step 1: Set up authentication

To use Skyflow’s Management API, Data API, or SDKs, you need a JWT bearer token (recommended) or an API Key to authenticate your API calls.
You can generate a bearer token using one of the following:

Unless your use case requires you to use an API key, use bearer tokens. Bearer tokens are time-limited—they’re valid for only 60 minutes—and are therefore considered more secure than traditional API keys, which are long-lived.

Authentication overview

An overview of authentication in Skyflow.

Generating a bearer token

Learn how to generate a bearer token using an SDK, a Python script, or Studio.

Step 2: Configure roles and policies

Data Governance is a set of capabilities that enable customers to finely control access to sensitive data. Skyflow lets you define custom roles and policies for access control to ensure compliance and security.

During this process, you must do the following:

Create new custom roles as needed to specify exactly who gets which privileges.

Refer to the policy expression language reference and define custom access policies in Skyflow Studio or via the Create Policy API.

Sample policies:

A frontend service account with permissions to create/insert and tokenize:

1 ALLOW CREATE, ALLOW TOKENIZATION TABLE.*

A back-end service account with permissions to read and detokenize:

1 ALLOW READ ON TABLE.COLUMN WITH REDACTION = MASKED

1 ALLOW DETOKENIZATION ON TABLE.COLUMN WITH REDACTION = MASKED

For more examples of policies to use, refer to the policy catalog.

Attach your policies to your roles.
Assign your custom roles to users and service accounts, as needed.

If you generate a bearer token with a Get Bearer Token request, you can enhance security by limiting the token’s permissions through role specification. Define the scope of the request by specifying a subset of available roles, using a string format to include the desired roles, such as ‘role:{roleID1} role:{roleID2}’.

Security tip: As you define additional access controls for your data, keep the following best practices in mind:

Differentiate between user and application accounts.
Build your service accounts and user permissions to follow the principle of least privilege. Give the lowest privileges possible so that you grant access only for necessary permissions.
Create separate service accounts for administration and for application runtime.

Resource architecture

Assign roles across resources

Roles overview

Policy enforcement decision logic

Step 3: Integrate server-side components

When it comes to integrating Skyflow with server-side components, you have two options:

APIs: Manage your data, your vaults, and your account with Skyflow’s APIs.
Server-Side SDKs: Skyflow’s server-side SDKs offer seamless integration for your back-end systems, making it easier to securely manage sensitive data. These server-side SDKs facilitate secure data retrieval and management, ensuring that sensitive data remains protected throughout its lifecycle.

Server-Side SDKs	GitHub Repository	GitHub SDK Samples
Python	Skyflow SDK for Python	https://github.com/skyflowapi/skyflow-python/tree/main/samples
NodeJS	Skyflow SDK for Node.js	https://github.com/skyflowapi/skyflow-node/tree/main/samples
Java	Skyflow SDK for Java	https://github.com/skyflowapi/skyflow-java/tree/main/samples
GoLang	Skyflow SDK for Go	https://github.com/skyflowapi/skyflow-go/tree/main/samples

Step 4: Integrate client-side components

You also have two options available when integrating Skyflow in client-side components:

Elements: Skyflow Elements are building blocks for creating UI forms that collect sensitive data, such as credit card information, without exposing it to the back-end.

Security tip: If your use case requires storing payment data, Skyflow Elements, client-side SDKs, and Server-side SDKs can help reduce the complexity of PCI compliance and enhance data security.
Client-Side SDKs: Skyflow’s client-side SDKs enable you to securely collect, tokenize, and reveal sensitive data directly in the browser, all without exposing your frontend infrastructure to any sensitive information.

Client-Side SDKs	GitHub Repository	GitHub SDK Samples
Javascript	Skyflow SDK for JavaScript	https://github.com/skyflowapi/skyflow-js/tree/main/samples
React	Skyflow SDK for React JS	https://github.com/skyflowapi/skyflow-react-js/tree/main/samples/SkyflowElements
React Native	Skyflow SDK for React Native	https://github.com/skyflowapi/skyflow-react-native/tree/main/example
Android	Skyflow SDK for Android	https://github.com/skyflowapi/skyflow-android/tree/main/samples
iOS	Skyflow SDK for iOS	https://github.com/skyflowapi/skyflow-iOS/tree/main/Samples

Handling sensitive data client-side

Learn how to handle sensitive data in your client-side applications.

Collect and reveal data with Skyflow Elements

Learn how to collect and reveal sensitive data using Skyflow Elements.

Step 5: Insert test data

Skyflow offers various options to easily get data into vaults, providing various ways to control data ingestion. You can transfer data into vaults with Skyflow Studio, APIs or SDKs.

You can import data into your vault in several ways:

Insert records in Studio
Insert data using the Insert Records API
Upload files
Bulk import records
Connections
Pipelines

Important: When you add data to your Sandbox vault for testing, only include data necessary for testing purposes. Don’t use production data.

How to get data into Skyflow?

An overview of how to get data into Skyflow.

Step 6: Implement additional features as needed

Implement processing and integration features as needed to meet your solution requirements.

Securely integrate with external APIs

Skyflow Connections is an HTTPS gateway service that uses Skyflow’s tokenization capabilities to securely connect to first-party and third-party services. You can configure a Skyflow Connection in two modes:

Outbound connection: Outbound connections bridge the integration between your back-end server and a third-party service provider. The configuration lets your server securely extract data from the vault and send it to third-party services for processing.
Inbound connection: Inbound connections serve as an intermediary between your client and back-end infrastructure. Client services can invoke an inbound connection to tokenize sensitive data, pass the tokenized data to your server, and prevent downstream services from containing the sensitive data.

Note: Skyflow needs to review and whitelist all third-party URLs (outbound base URLs) for Connections before you can use them in production environments. If your solution uses Connections, reach out to your point of contact at Skyflow to whitelist the required outbound third-party URLs.

Connections overview

Tips and best practices for using Connections

Add custom logic for your data

Functions let you process sensitive data by adding custom logic to your Connections. With functions, you can develop custom code using Node.js to perform tasks such as:

Data validations
Data transformations
Data processing
File creation or modification

Once you upload your custom code, you can deploy this code to your environment and invoke the deployment using a Connection.

Functions overview

Tips and best practices for using Functions

Process large volumes of data securely with your vault

Pipelines are a prescriptive solution that can securely transfer large volumes of sensitive data from a source system to your vault. Pipelines enable batch workflows that securely transfer large volumes of sensitive data from a source system to a vault.

Pipelines can also de-identify sensitive data during migration. By calling Skyflow APIs, you can create and trigger pipelines without hosting or provisioning compute resources while minimizing the risk of exposing your infrastructure to sensitive data.

Pipelines support the following features:

Sources and destinations: Pipelines connect to S3 buckets, FTPS servers, and SFTP servers.
Formats: Pipelines support CSV and JSON files.
Mappings: Pipelines map CSV, JSON, ACH, and METRO2 values to columns in your vault.
Triggers: Pipelines trigger on-demand for one-time or ad-hoc pipeline runs.

Here are some examples of how you can use pipelines:

Migrate PCI data in bulk from existing payment processors to prevent PCI vendor lock-in.
Tokenize data in Skyflow vaults when consuming ACH and METRO2 financial services files so that you don’t expose your backend to any PCI data.
Migrate PII data in bulk from existing customer data sources into a vault.
Migrate PII data tokens from existing tokenization vendors.

Pipelines overview

Creating a pipeline

Test and validate your solution

Once you have completed development, test your solution to make sure it meets security and compliance requirements.

While you should be testing throughout the development process, it’s especially important to thoroughly test everything in Sandbox before you can move to Production. Comprehensive testing validates that your solution functions as needed and fits securely into your architecture.

During this process, you must do the following:

Conduct thorough end-to-end testing for your solution.
Address any issues found during testing.
Update your custom roles and policies, as needed.

After testing your solution, the next step is to conduct a quick security review with Skyflow to review your solution and security best practices.

Querying data from Skyflow

Common errors

Understand and troubleshoot common errors encountered while using Skyflow.

Complete security review

Before you migrate to your production instance, it’s important make your solution is as secure as possible before going live.

During this process, you must do the following:

Review the recommended security best practices checklist for your solution.

Note: See PCI compliance walkthrough if you store payment data.
After you complete the checklist, schedule a security review with Skyflow to validate compliance with security standards. During this meeting, Skyflow reviews your solution and provides guidance to help improve compliance and security.
Implement the suggested changes.

Security best practices checklist

A checklist of security best practices to follow when building your solution.

Next steps

Once you’ve built and tested your end-to-end solution in your Sandbox instance of Skyflow, the final step is to go live.