Getting started with Skyflow

You can use this guide to start using Skyflow’s APIs. If you’re setting up Skyflow for your team or business, check out our guide on Role-Based Access Control which will help you add teammates to your account and manage their permissions. By the end of this guide, you will be able to:

  • Create a vault that you can use to securely store and protect your sensitive data.
  • Create and authenticate a service account that you can use for secure API communication.

Before you begin

Log in to your Skyflow account. If you don’t have one, you can sign up for a free sandbox account here.

Create a vault

Vaults are data storage units where you can store your application’s sensitive data. Skyflow vaults come with several privacy-preserving mechanisms out of the box, such as polymorphic encryption and de-identification, built to keep your data secure. Skyflow APIs enable you to interact securely with the data.

To create a vault, log into your Skyflow account and go to the Vault Templates tab in Skyflow Studio, as shown below:

image alt text

Vault Templates define the high-level schema of the vault, including the fields and their relations. For instance, the Customer Identity vault comes packaged with all the sensitive fields a business would typically want to collect about a customer (email, phone number, and so on). Skyflow has a few predefined templates to choose from based on popular use cases.

Select a template and click Create. If you have multiple workspaces, select a Workspace to create the vault in.

Upon creating the vault, you’ll be taken to the Vault Browser shown below, where you can explore the structure and content of your vault. Newly created vaults come with mock data for you to explore the vault’s functionality:

image alt text

Create a Service Account

Service Accounts provide secure channels of communication between your application and your vaults. To create an API Service Account for your vault, follow the steps below:

  1. Go to the Vault Browser.
  2. Click on Service Accounts in the top right corner.
  3. Make sure to select the API Service Account in the drop-down menu.
  4. Click Add a new Service Account.
  5. Enter a name and description and click Create.

image alt text

Upon clicking Create, a credentials.json file will be downloaded to your local machine. Store this file securely as you will need it to access your vault via the API.

To start using the APIs, you’ll need to generate a Bearer token. To do so, follow the steps below. Click here for the full Python code referenced in this section.

1. Create a JWT Token

The credentials.json file downloaded earlier contains critical information needed to access your vault. Use the credentials.json file to create a ‘claims’ object as shown below. Then, sign the ‘claims’ object with the private key, which is also contained in the credentials file. Refer to the Python code sample below:

import requests # Requests lib installation: 'pip install requests'
import jwt # PyJWT lib installation: 'pip install pyjwt'
import json
import time

def getSignedJWT(credsFile):
  # credsFile is the filepath to your credentials.json file
  # Load the credentials.json file into an object called creds
  fd = open(credsFile)
  creds = json.load(fd)
  # Create the claims object with the data in the creds object
  claims = {
      "iss": creds["clientID"],
      "key": creds["keyID"],
      "aud": creds["tokenURI"],
      "exp": int(time.time()) + (3600), # JWT expires in Now + 60 minutes
      "sub": creds["clientID"],

  # Sign the claims object with the private key contained in the creds object
  signedJWT = jwt.encode(claims, creds["privateKey"], algorithm='RS256')
  return str(signedJWT, "utf-8"), creds

2. Get a Bearer Token

You can now exchange your JWT token for a Bearer token by making a POST request to The Bearer token is used to authenticate your API requests. Refer to the code sample below:

def getBearerToken(signedJWT, creds):
  # Request body parameters
  body = {
      'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
      'assertion': signedJWT,

  # Request URI (==
  tokenURI = creds["tokenURI"]
  # Send the POST request using your favorite Python HTTP request lib
  r =, json=body)
  return r.text

You’ll receive a Bearer token that grants access to the vault specified by the credentials.json file. Note that the token expiration is configurable. We recommend 60 minutes for security purposes, so you may need to refresh it periodically. A sample token looks as follows:


Make your first API request

You’re all set! You can now start using Skyflow’s APIs to store and process your sensitive data with unprecedented security and privacy. You can use the following links to get an overview of the APIs for our vaults, or you can jump straight into our API reference: