The AuricVault® API allows you to define multiple credentials for access to the tokenized data. Each set of credentials has an associated set of permissions. Permissions control what actions a set of credentials can perform. Permissions include:

  • read

  • write

  • delete

  • encrypt

  • decrypt

  • update

  • reencrypt

  • info

  • touch

  • session (browser) based decrypt

  • token swap

  • payments

One or two credentials are sufficient to meet most situations. If you have a web service and a billing system, Auric recommends that the web service have permission to encrypt using the session_encrypt method, but not have the ability to do any decryption. Your back-office billing system could have the ability to decrypt data, but perhaps not update or delete it.


session_decrypt (or browser-side decryption) is a unique feature that allows you to return decrypted data directly to a user’s browser without having the decrypted information touch your servers. By default, this feature is disabled.