Skip to main content
← Back to API Reference
String Tokens provide a secure way to tokenize sensitive data. Instead of storing sensitive information in your own systems, you send it to Orchestra and receive a token in return. The token can later be used to retrieve the original data or reference it in other Orchestra API calls.

What Can You Tokenize?

You can tokenize any string up to 16,384 characters, including:
  • Card PANs - Store card numbers securely and reference them in payment requests
  • CVVs - Tokenize CVV codes separately for enhanced security
  • Personal identifiers - Social security numbers, national IDs, passport numbers
  • Addresses - Billing or shipping addresses containing PII
  • JSON objects - Store structured data as a JSON string
  • Any sensitive string - Anything you want to keep out of your systems
Security Best Practice: Store each piece of sensitive data in its own individual token rather than combining multiple values. For example, create separate tokens for the card PAN and CVV. This limits exposure if a token is compromised.

Why Use String Tokens?

  • Reduce PCI scope - Keep card data out of your systems by storing it in Orchestra’s PCI-compliant vault
  • Simplify compliance - Avoid storing sensitive PII directly in your databases
  • Flexible storage - Tokens persist until you delete them, with no expiration
  • Easy integration - Use tokens in payment requests by prefixing with @ (e.g., @your-token-id)
Compliance note: Retrieving tokenized card data exposes your system to raw card details, putting you in scope for PCI compliance. Consider using tokens only for storage and referencing them in payment requests without retrieval.

Endpoints

Store String

Tokenize any string and receive a token reference.

Retrieve Content

Get the original string from a token.

Retrieve Metadata

Get token metadata (creation time, etc.) without exposing the content.

Delete Token

Permanently remove a token and its stored data.
Deleting a token is permanent and cannot be undone. Ensure no active integrations reference the token before deleting.