How should my website or app gain access to TrueVault?

For the client application to gain access to TrueVault, a User Access Token is recommended because it is time-bound. Typically the client authenticates either with the application server or directly with TrueVault to acquire a User Access Token via the Login a User endpoint. Under no circumstances should an API key with access to sensitive information be hardcoded into the app: a shipped client binary or bundle is not a secure storage medium.

To learn more about authentication best practices in TrueVault, check out our Auth Primer.

We recommend that requests to TrueVault come directly from your client application, not from your server. This prevents your servers from coming into contact with sensitive data, saving you security and compliance work. See our overview of data de-identification for more information on how this works in practice.
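The following is an added example, not TrueVault's SDK or sample code, illustrating the pattern described above: the client application talks to the API directly, holds only a short-lived User Access Token obtained by logging in, and never ships with a long-lived API key. The endpoint path `/auth/login`, the JSON request body, the `Bearer` header, the response shape, the token lifetime and the in-memory transport that stands in for `fetch()` are all assumptions made for illustration, not TrueVault's actual API.

```javascript
// Added example (not TrueVault's code). Endpoint, header, body and response
// shapes are assumptions; the transport below is a constructed offline stand-in.

const ASSUMED_TOKEN_TTL_SECONDS = 3600; // assumed token lifetime
const EXPIRY_MARGIN_MS = 30 * 1000;     // treat a token as stale 30 s before it lapses

// Constructed stand-in for the API so the example runs offline and synchronously.
// `clock` is injectable so token expiry can be exercised deterministically.
function makeFakeApi(clock) {
  const issued = new Map(); // token -> absolute expiry in ms
  return function transport(url, opts = {}) {
    if (url.endsWith('/auth/login')) {
      const body = JSON.parse(opts.body);
      if (body.username !== 'alice' || body.password !== 'correct horse') {
        return { status: 401, body: { error: 'invalid credentials' } };
      }
      // Constructed token value; not a real token format.
      const token = 'uat-' + String(issued.size).padStart(4, '0');
      issued.set(token, clock() + ASSUMED_TOKEN_TTL_SECONDS * 1000);
      return { status: 200, body: { access_token: token, expires_in: ASSUMED_TOKEN_TTL_SECONDS } };
    }
    const auth = (opts.headers && opts.headers.Authorization) || '';
    const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
    const exp = issued.get(token);
    if (exp === undefined || clock() >= exp) {
      return { status: 401, body: { error: 'token missing, invalid or expired' } };
    }
    return { status: 200, body: { ok: true, url } };
  };
}

// Client-side holder for a time-bound User Access Token. Note there is no
// apiKey field anywhere: the only credential the app ever holds is the token,
// and only in memory for the session.
class TokenClient {
  constructor(baseUrl, transport, clock = Date.now) {
    this.baseUrl = baseUrl;
    this.transport = transport;
    this.clock = clock;
    this.token = null; // memory only: never hardcoded, persisted or logged
    this.expiresAt = 0;
  }

  // Exchange the user's credentials for a time-bound access token.
  login(username, password) {
    const res = this.transport(this.baseUrl + '/auth/login', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ username, password }),
    });
    if (res.status !== 200) throw new Error('login failed: ' + res.body.error);
    this.token = res.body.access_token;
    this.expiresAt = this.clock() + res.body.expires_in * 1000 - EXPIRY_MARGIN_MS;
    return true;
  }

  hasValidToken() {
    return this.token !== null && this.clock() < this.expiresAt;
  }

  // Call the API directly from the client. Refuse locally when the token is
  // stale instead of sending a request that will be rejected.
  request(path) {
    if (!this.hasValidToken()) throw new Error('no valid access token; log in again');
    const res = this.transport(this.baseUrl + path, {
      headers: { Authorization: 'Bearer ' + this.token },
    });
    if (res.status === 401) {
      this.logout();
      throw new Error('access token rejected');
    }
    return res.body;
  }

  logout() {
    this.token = null;
    this.expiresAt = 0;
  }
}

// Constructed build-time guard: refuse a client configuration that embeds a
// long-lived credential under any key named like an API key.
function assertNoEmbeddedApiKey(config) {
  const offending = Object.keys(config).filter((k) => /api[_-]?key/i.test(k));
  if (offending.length) {
    throw new Error('client config embeds a long-lived credential: ' + offending.join(', '));
  }
  return true;
}

// Walk through the flow with a controllable clock.
function demo() {
  let now = 1700000000000;
  const clock = () => now;
  const client = new TokenClient('https://api.example.invalid/v1', makeFakeApi(clock), clock);
  client.login('alice', 'correct horse');
  const first = client.request('/vaults').ok;        // true
  now += (ASSUMED_TOKEN_TTL_SECONDS + 1) * 1000;     // advance past expiry
  const staleRefused = !client.hasValidToken();      // true: client refuses locally
  return { first, staleRefused };
}
```

The client expires the token on its own clock slightly before the server would, so a request never leaves the device with a credential that is about to lapse; when the server does reject the token, the client discards it and forces a fresh login rather than retrying with a dead credential.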