This guide will explain the different components that need to be configured when creating a connection in Skyflow Studio. By the end of this guide, you'll have used Skyflow Studio to create a connection with Stripe to create a payment method. You'll also learn more about the Skyflow connections features beyond this use case.
Let's assume that you are a subscription-based ecommerce service provider. You allow your customers to pay for your services using credit cards, and you're authorized to charge the card on a recurring monthly basis.
To prevent vendor lock-in and to offer multiple options for payment processing, it is in your best interest to securely store card information instead of relying on a single payment processor. To do so in a secure and compliant manner, you use Skyflow, where all your customers' PII and credit card information is securely stored in a PCI-compliant Skyflow data vault. In turn, your backend services store only tokens that reference your customers' sensitive data in Skyflow vaults, which takes those services out of PCI compliance scope. This allows you to focus on your core business and offload security and compliance requirements to Skyflow.
For this example, we'll assume that you have already collected and stored your customers' credit card information. We will now set up an outbound connection from your Skyflow vault to Stripe to create a new payment object using credit card information. Here is a link to the Stripe API reference for payment methods.
This is a sample request expected by Stripe to create a payment method using a card:
To make this call, you need to send credit card information to Stripe. You don't want your backend services to store credit card information directly, because doing so brings them under the purview of PCI compliance. This is where Skyflow connections come into the picture.
In this guide, you'll create a Skyflow connection that accepts an HTTPS request with credit card tokens, detokenizes them using the vault, forwards the credit card information to Stripe to create a payment method, and then returns the response from Stripe.
Before you start,
In this guide, we'll use the Quickstart vault.
To proceed with the connections example, you first need to set up sample data for your vault.
Create a credit card record for your Quickstart vault using the script below:
Send the request.
You should receive a response that looks similar to:
Keep the tokens for expiry_month, expiry_year, and card_number handy. You'll need them for the steps below.
Skyflow Studio simplifies the connection creation process by walking you through the setup for the connection components in three steps:
In the top menu, click the Settings tab > the Vault tab in the left menu > Connections > Create Connection as shown below.
Name the connection and provide a description.
Select Outbound Connection as the connection mode.
Set the Outbound Base URL to https://api.stripe.com.
To tell the connection which fields should be tokenized or detokenized in the request and response, you'll use routes. Routes specify a combination of the relative path and the actions that need to be performed on the configured field. You can configure one or more routes for each connection.
Enter the route details including the name, description, path, method, and content type.
Scroll down the page and complete the route mappings for the request body.
The request body is where you configure the specific fields in the request that Skyflow will process. Currently, Skyflow supports two actions that can be performed on a field: Tokenization and Detokenization.
For this example, configure the connection to Detokenize the request and extract the values associated with three fields: card.number, card.expiry_month, and card.expiry_year.
For this example, a response body will not be added. Click Continue.
For this example, we need only one route. Click Create Connection.
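The route mapping configured above can be pictured with a small local model. This is an added example, not Skyflow's code or API: the in-memory `VAULT`, the token strings, the `cvv` field name, and the fail-closed handling of non-token values are all assumptions made for illustration.

```python
import copy

# Constructed stand-in for the vault: token -> stored value (test data only).
VAULT = {"tok-card-0001": "4111111111111111",
         "tok-month-0001": "12",
         "tok-year-0001": "2030"}

# Route mapping from the guide: detokenize three request-body fields.
ROUTE = {"card.number": "DETOKENIZE",
         "card.expiry_month": "DETOKENIZE",
         "card.expiry_year": "DETOKENIZE"}

# What the backend sends: tokens plus a CVV from the front end ("cvv" is an assumed name).
REQUEST = {"card": {"number": "tok-card-0001", "expiry_month": "tok-month-0001",
                    "expiry_year": "tok-year-0001", "cvv": "123"}}


class MappingError(ValueError):
    """A mapped field is missing, or its value is not a known token."""


def apply_route(body, route=ROUTE, vault=VAULT):
    """Return a copy of body with every mapped field detokenized."""
    out = copy.deepcopy(body)          # never mutate the caller's token-only request
    for dotted, action in route.items():
        if action != "DETOKENIZE":
            raise MappingError(f"unsupported action: {action}")
        *parents, leaf = dotted.split(".")
        node = out
        for part in parents:
            node = node.get(part) if isinstance(node, dict) else None
        if not isinstance(node, dict) or leaf not in node:
            raise MappingError(f"{dotted}: field missing from request")
        token = node[leaf]
        # Fail closed (a choice in this model): a raw value in a mapped field is rejected.
        if not isinstance(token, str) or token not in vault:
            raise MappingError(f"{dotted}: value is not a known token")
        node[leaf] = vault[token]
    return out


def is_rejected(body):
    """True if the model refuses to forward body."""
    try:
        apply_route(body)
    except MappingError:
        return True
    return False


if __name__ == "__main__":
    print(apply_route(REQUEST))
```

Fields without a mapping, such as the CVV here, pass through unchanged, and the caller's request still holds only tokens after the call.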
To authenticate to a connection endpoint and invoke it, Skyflow requires you to create a dedicated service account with the Connection Invoker role assigned to it. This keeps the identity of the client consuming the connection endpoint different from the identity of the service account or the user creating the connection.
The Connection Invoker role allows the service account to make requests only to the specified connection. It has no direct read or write access to the data in the vault. This service account is meant to be used in your environment (for example, the backend service for your customer-facing web app) to invoke the connection endpoint that is running in Skyflow's secure and compliant environment.
Enter a name and description for your new service account, then select the Connection Invoker role.
Now that you have created a connection, let's invoke it.
In the Connections section of the Settings tab, click the connection you just created to expand it.
Click Sample Request to view the URLs and request structure that will be sent to the connection endpoint.
Construct the following HTTP POST request to the connection endpoint:
Generate the Skyflow API bearer token required for the X-Skyflow-Authorization header using the service account credentials from Step 3 and paste it into the BEARER_TOKEN parameter. Alternatively, if you are in a Skyflow trial environment, you may use the bearer token retrieved from the profile section in Skyflow Studio.
Paste the tokens you received from the Vault Sample Data Setup section into the three TOKEN_FOR parameters. For this example, we assume that the CVV number is not stored in Skyflow and is passed from your front end client with each connection request.
Update the other parameters, including the
Send the request.
You should receive a response from Stripe similar to the following:
Learn connections tips and best practices or how to create another connection:
© 2022 Skyflow, Inc. All rights reserved.