v0.3 — Generally Available

Format-Preserving
Tokenization at Scale

Replace sensitive data with cryptographically secure, format-identical tokens — no schema changes, no broken validations, no regex rewrites. Built on FF3-1 / AES (NIST SP 800-38G Rev 1).

Admin Console Get Started → Explore the API
bash — tokenize a Chilean RUT 
curl -X POST http://localhost:8000/tokenize \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $API_KEY" \
  -d '{
    "plaintext": "13301430-6",
    "encoding": "numeric"
  }'

# Response
{
  "token":     "35240589-5",
  "algorithm": "FF3-1/AES",
  "encoding":  "numeric"
}
3
Encoding modes
256
Max chars (text)
16
Max digits (numeric)
100%
Format preserved
149
Test cases
AES
FIPS 197 compliant

What is it

Tokenize without breaking anything

AgileTrust Tokenization replaces names, IDs, and numeric identifiers with cryptographically secure tokens that look exactly like the original data. A Chilean RUT 13301430-6 becomes 35240589-5 — same format, different value, fully reversible with the key.

No schema migrations. No regex changes. No downstream breakage.

How it works →
bash — tokenize a Chilean RUT 
curl -X POST http://localhost:8000/tokenize \
  -H "Content-Type: application/json" \
  -d '{
    "plaintext": "13301430-6",
    "encoding": "numeric"
  }'

# Response
{
  "token":     "35240589-5",
  "algorithm": "FF3-1/AES",
  "encoding":  "numeric"
}

Encoding Modes

One API, three alphabets

Pick the encoding that matches your data type. The same plaintext tokenized with different encodings produces completely different tokens.

numeric

Digits in, digits out. Hyphens, spaces and brackets are preserved.

13301430-635240589-5
(555) 123-4567(555) 089-2341
45320151128303664361350344956719

utf8 default

~256 Unicode letters + digits. Covers names from Latin, Greek, IPA and more.

Juan PérezÑkrp Çmevq
María O'BrienĆŭŗĩă O'Ğŗĩŋ
Av. ProvidenciaĐq. Ħrñvcđeñčia

latin1

~127 Latin-1 chars. Tokens stay within U+00FF — safe for legacy Latin-1 systems.

Juan PérezYrfãröxÍ
José GarcíaÑkrñ Ûãröía
résuméñöxëëç

Features

Everything you need, nothing you don't

NIST FF3-1 / AES

Built on the NIST SP 800-38G Rev 1 standard. AES-128, 192, or 256. Cryptographically proven pseudorandom permutation.

Format Preservation

Token length equals input length. Symbols, spaces, hyphens and punctuation pass through unchanged at their original positions.

Fully Reversible

Detokenize recovers the original value exactly — provided the same key, encoding, and tweak are used.

Tweak Support

Field-level context via the optional tweak parameter. Same value, different field → different token. Prevents cross-field correlation.

Multi-Tenant Ready

Run single-tenant (one key, one app) or multi-tenant with the Next.js admin console: SSO login, per-app keys, RBAC, audit log, and 8 key vault providers.

PCI-Aligned Logging

Plaintext values, tokens, and key material are never written to logs. Only operation type, encoding, and input length are recorded.

Quick Start

Up and running in 60 seconds

  1. Generate an AES key

    bash
    export TOKENIZATION_KEY=$(python3 -c \
  "import os,base64; print(base64.b64encode(os.urandom(32)).decode())")
export API_KEY=$(openssl rand -hex 32)

  2. Start the container

    bash
    docker run -d --name tokenizer \
  -p 8000:8000 \
  -e TOKENIZATION_KEY="$TOKENIZATION_KEY" \
  -e API_KEY="$API_KEY" \
  tokenizer:0.2

  3. Tokenize your first value

    bash
    curl -s -X POST http://localhost:8000/tokenize \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $API_KEY" \
  -d '{"plaintext":"13301430-6","encoding":"numeric"}'

  4. Detokenize to recover the original

    bash
    curl -s -X POST http://localhost:8000/detokenize \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $API_KEY" \
  -d '{"token":"35240589-5","encoding":"numeric"}'
# → {"plaintext":"13301430-6"}
Full documentation → Interactive API →

Deployment

Container or Serverless — your choice

🐳

Container (Docker)

Run anywhere Docker runs — local, ECS, Kubernetes, Fly.io. AES key injected via TOKENIZATION_KEY environment variable at startup.

  • FastAPI + uvicorn
  • Python 3.12-slim, ~150 MB image
  • Non-root user by default
  • HTTP 422 validation errors
Container guide →
λ

Serverless (AWS Lambda)

Zero-infra deployment via AWS SAM. Key supplied per-request — either raw base64 (client mode) or KMS-encrypted (HSM-backed).

  • Lambda + API Gateway
  • KMS integration (PCI RC 4A)
  • CloudWatch alarms included
  • Multi-stage (dev / staging / prod)
Serverless guide →

Pricing

Simple, transparent plans

Start free, scale when you need to. All plans include the full FF3-1 / AES-256 tokenization API.

Free Tier

Starter

$0 / month

Perfect for prototypes and personal projects.

  • 10,000 operations / month
  • 1 API key
  • 1 application
  • System-managed AES-256 key
  • Custom key provider
  • Priority support
Get started free →
Most popular

Startup

Small Business

$49 / month

Great for growing teams that need more throughput and flexibility.

  • 100,000 operations / month
  • 10 API keys
  • 5 applications
  • System-managed AES-256 key
  • Bring your own AES-256 key
  • AWS KMS / Secrets Manager
  • Azure Key Vault / GCP / OCI Vault
  • Priority support
Start 14-day trial →

Enterprise

Enterprise

Custom

Unlimited operations, HSM-backed keys, SLA, and dedicated support.

  • Unlimited operations
  • Unlimited API keys & apps
  • All cloud KMS providers
  • CipherTrust / Thales Luna HSM / Env
  • Custom quota overrides per tenant
  • Priority support & SLA
Contact us →

Compatibility

Works with any stack

🐍 Python
🟨 JavaScript / Node.js
Java / Spring
🔷 C# / .NET
🦫 Go
💎 Ruby
🐘 PHP
🦀 Rust

Any language that can make HTTP POST requests works with AgileTrust Tokenization. See the client examples →