Skip to main content
Securely store and manage sensitive PII data like Social Security Numbers, Tax IDs, and passport numbers.

Overview

The Identity Vault provides enterprise-grade encryption for PII. Data is encrypted with AES-256-GCM before storage and can only be retrieved by authorized services. Your servers only ever receive a token.

Supported Identity Types

TypeFormatDescription
ssnXXX-XX-XXXXSocial Security Number
ssn_last4XXXXLast 4 digits of SSN
einXX-XXXXXXXEmployer Identification Number
itin9XX-XX-XXXXIndividual Taxpayer ID
passportAlphanumericPassport Number
drivers_licenseVariesDriver’s License Number
national_idVariesNational ID Number
tax_idVariesGeneric Tax ID
customAnyCustom sensitive field

React SDK Integration

Use the IdentityElement component to collect PII in your React app: 
import { AtlasProvider, IdentityElement } from '@atlas/react';

function CustomerOnboarding() {
  const handleTokenize = async (token) => {
    console.log('SSN tokenized:', token.token_id);
    console.log('Masked value:', token.masked_value); // •••-••-6789

    // Send token_id to your server
    await fetch('/api/customers/update', {
      method: 'POST',
      body: JSON.stringify({ ssn_token: token.token_id })
    });
  };

  return (
    <AtlasProvider publishableKey="pk_test_xxx">
      <form>
        <label>Social Security Number</label>
        <IdentityElement
          type="ssn"
          placeholder="123-45-6789"
          onTokenize={handleTokenize}
          onError={(error) => console.error(error)}
        />

        <label>Employer ID (EIN)</label>
        <IdentityElement
          type="ein"
          placeholder="12-3456789"
          onTokenize={handleTokenize}
        />

        <button type="submit">Continue</button>
      </form>
    </AtlasProvider>
  );
}

API Reference

Tokenize Identity

Securely tokenize PII data. The value is encrypted with AES-256-GCM before storage. 
curl -X POST https://api.atlas.co/functions/v1/tokenize-identity \
  -H "Authorization: Bearer sk_test_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "ssn",
    "value": "123-45-6789",
    "field_name": "primary_ssn",
    "metadata": {
      "customer_id": "cus_abc123"
    }
  }'
Response: 
{
  "token_id": "id_a1b2c3d4e5f6...",
  "type": "ssn",
  "masked_value": "•••-••-6789",
  "field_name": "primary_ssn",
  "created_at": "2025-01-21T12:00:00Z",
  "environment": "test"
}

Retrieve Identity (Server-side only)

Decrypt and retrieve the original PII value. Requires a secret key - only call from your backend. 
curl -X POST https://api.atlas.co/functions/v1/retrieve-identity \
  -H "Authorization: Bearer sk_test_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "token_id": "id_a1b2c3d4...",
    "reason": "tax_filing_1099",
    "format": "formatted"
  }'
Response: 
{
  "token_id": "id_a1b2c3d4...",
  "type": "ssn",
  "value": "123-45-6789",
  "field_name": "primary_ssn",
  "masked_value": "•••-••-6789",
  "created_at": "2025-01-21T12:00:00Z"
}

Proxy Identity to Third Parties

Send PII directly to partners without your servers ever seeing the raw data. 
curl -X POST https://api.atlas.co/functions/v1/proxy-identity \
  -H "Authorization: Bearer sk_test_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "token_id": "id_a1b2c3d4...",
    "destination": "https://api.checkr.com/v1/candidates",
    "headers": {
      "Authorization": "Bearer checkr_api_key"
    },
    "body_template": {
      "ssn": "{{value}}",
      "first_name": "John",
      "last_name": "Doe"
    },
    "reason": "background_check"
  }'
Response: 
{
  "success": true,
  "token_id": "id_a1b2c3d4...",
  "destination": {
    "host": "api.checkr.com",
    "status": 201,
    "response": {
      "id": "candidate_abc123",
      "status": "pending"
    }
  }
}
Allowed Destinations:
  • api.checkr.com
  • api.plaid.com
  • api.gusto.com
  • api.persona.com
  • api.alloy.com
  • api.onfido.com
Contact support to add custom destinations.

Delete Identity (GDPR/CCPA)

Delete tokenized PII for privacy compliance. Soft Delete (keeps audit trail): 
curl -X POST https://api.atlas.co/functions/v1/delete-identity \
  -H "Authorization: Bearer sk_test_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "token_id": "id_a1b2c3d4...",
    "reason": "customer_request"
  }'
Hard Delete (GDPR right to be forgotten): 
curl -X POST https://api.atlas.co/functions/v1/delete-identity \
  -H "Authorization: Bearer sk_test_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "token_ids": ["id_abc123", "id_def456"],
    "mode": "hard",
    "reason": "gdpr_erasure_request"
  }'

List Identity Tokens

Query tokens with filtering and pagination. Returns metadata only - never returns decrypted values. 
curl -X GET "https://api.atlas.co/functions/v1/list-identity-tokens?type=ssn&is_active=true&limit=50" \
  -H "Authorization: Bearer sk_test_xxx"
Response: 
{
  "tokens": [
    {
      "token_id": "id_a1b2c3d4...",
      "type": "ssn",
      "field_name": "employee_ssn",
      "masked_value": "•••-••-6789",
      "is_active": true,
      "created_at": "2025-01-21T12:00:00Z",
      "last_accessed_at": "2025-01-21T14:30:00Z"
    }
  ],
  "pagination": {
    "total": 150,
    "limit": 50,
    "offset": 0,
    "has_more": true
  }
}

Node.js SDK

import { Atlas } from '@atlas/node';

const atlas = new Atlas('sk_test_xxx');

// Tokenize
const token = await atlas.identity.tokenize({
  type: 'ssn',
  value: '123-45-6789',
  field_name: 'employee_ssn',
});

// Retrieve
const data = await atlas.identity.retrieve(token.token_id);

// Proxy to third party
await atlas.identity.proxy({
  token_id: token.token_id,
  destination: 'https://api.checkr.com/v1/candidates',
  body_template: { ssn: '{{value}}' },
});

// Delete
await atlas.identity.delete(token.token_id);

// List
const result = await atlas.identity.list({ type: 'ssn' });

Security

  • AES-256-GCM encryption - Data encrypted before storage
  • Audit logging - All access is logged with reason
  • Access controls - Retrieval requires secret key
  • GDPR/CCPA compliant - Hard delete removes all data
  • SOC 2 Type II - Enterprise security controls