Getting started with Skyflow

You can use this guide to start using Skyflow’s APIs. If you’re setting up Skyflow for your team or business, check out our guide on Role-Based Access Control which will help you add teammates to your account and manage their permissions. By the end of this guide, you will be able to:

  • Create a vault that you can use to securely store and protect your sensitive data.
  • Create and authenticate a service account that you can use for secure API communication.

Before you begin

Log in to your Skyflow account. If you don't have one, click to request one here.

Create a vault

Vaults are data storage units where you can store your application’s sensitive data. Skyflow vaults come with several privacy-preserving mechanisms out of the box, such as polymorphic encryption and de-identification, built to keep your data secure. Skyflow APIs enable you to interact securely with the data.

To create a vault, log into your Skyflow account and go to the Vault Templates tab in Skyflow Studio, as shown below:

image alt text

Vault Templates define the high-level schema of the vault, including the fields and their relations. For instance, the Customer Identity vault comes packaged with all the sensitive fields a business would typically want to collect about a customer (email, phone number, and so on). Skyflow has a few predefined templates to choose from based on popular use cases.

Select a template and click Create. If you have multiple workspaces, select a Workspace to create the vault in.

Upon creating the vault, you’ll be taken to the Vault Browser shown below, where you can explore the structure and content of your vault. Newly created vaults come with mock data for you to explore the vault’s functionality:

image alt text

Create a Service Account

Service Accounts provide secure channels of communication between your application and your vaults. To create an API Service Account for your vault, follow the steps below:

  • You must be a Vault Owner on a vault to create a service account
  • Install Python 3.5 or later.
  • Install PyJWT, requests and cryptography libraries
Step 1 : Create an API Service Account and assign a role to it.
  • Navigate to the settings tab and select a vault for which you would like to create a service account from the drop down list on the left.
  • Select ‘Service Accounts’ under the IAM section, and then click on ‘New Service Account’
  • Enter a name and description.
  • Assign the service account a Vault Owner role from the drop down menu and click ‘Create.’ You can also assign any other role instead of the Vault Owner role in this step.
  • Upon clicking Create, a credentials.json file will be downloaded to your local machine. Store this file securely as it contains a private key that will be used to sign your JWT bearer token.
  • Here is an example of the credentials.json file:

    "clientID": "y4b0fb0991b211eb9a5e9a757ffcc4b0",
    "clientName": "Customer support agent web  app",
    "tokenURI": "",
    "keyID": "y4c9577c91b211eb9a5e9a757ffcc4b0",
    "privateKey": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCihOlTU61VztBu\nDhQtEb.....oGBAMFEvPAM0arx3qn7C067\nMLVrW2H6PwGpiWNU86rHBMkuzriwzagtit130XN8KrHfYfSRUmOOw6h6T4aC85g0\nwC8SQXRntfoise0UWcSxfnyhfqlaUeN3BqhHl0zjRQjE8W9th9k16N0rTPBRmPGo\nrWELwcVHR6izoGgGBAdWAGVn\n-----END PRIVATE KEY-----\n"

Note: The Workspace URL and the Vault ID mentioned in the service account page will be required as URL paths when integrating with vault APIs.

Step 2 : Prepare your environment
  • You now need to generate a bearer token (access token).
  • We have created a python script for you that takes the credentials.json file that was downloaded in step 1, and uses the private key to sign a JWT token. This JWT token is then used to make an authentication request to the Skyflow authorization server and subsequently get a bearer token in return.
  • To run this script, you need to ensure that you have a compatible environment:

    • This step assumes you have homebrew installed.
    • Install python version 3.5 or above. To install the latest python version for your run the following command in your terminal:

      brew install python
  • Install the following libraries by running these commands in your terminal:

    pip3 install PyJWT
    pip3 install requests
    pip3 install cryptography
  • Copy paste the python script from this link to a code editor.

Note: You can request short lived access tokens in this step by adjusting the exp field. You can request an access token that is valid for no more than 60 minutes.

  • On line 45 of the code, enter the full path to the credentials.json file in your local machine:

    jwtToken, creds = getSignedJWT('/Users/aj/Downloads/credentials.json')
  • Save this file as: ‘’
Step 3: Run the script and generate an access token
  • Open your terminal and run the following command:

  • If you have performed all previous steps correctly you should see the bearer token printed out in the terminal as follows:

    "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwczovL21hbmFnZS5za3lmbG93YXBpcy5kZXYiLCJjbGkiOiJ5NGIwZm....pOqmlI_CWY2V6MEBTqnVHuAo1-9MBSW8REp-mv_-mJqOe8TMb9dOImcXzM7jEpW79Fqs3-HCo-cUikWwy6tjjvVqHW-4pqG005pGzxrAt275Q2LU1pXwUfUM6idH9o2ydlpTp0-ujPQgVQXh8w9LsqE58Qtm4lRU8Sr8FMdx72qnuahD5Xoh1KL7D-DFZaYMrof9aTfUFUctUBzOUbL4_z2bEf2wkHouSPOZGI3uHIM54mjX013NkNXzMltP8GiP5GimC3PX-jA",
    "tokenType": "Bearer"
  • You may use this bearer token to call skyflow APIs

Note: You will only be authorized to make API calls allowed by the role assigned to the service account.

Make your first API request

You’re all set! You can now start using Skyflow’s APIs to store and process your sensitive data with unprecedented security and privacy. You can use the following links to get an overview of the APIs for our vaults, or you can jump straight into our API reference: