SDK-first tokenization for modern application teams.
TokenMesh is designed around an in-process SDK contract: verify the signed bundle, resolve the customer-owned key reference, tokenize locally, and emit safe audit metadata.
SDK examples
Illustrative developer surface
from tokenmesh import TokenMeshClient

client = TokenMeshClient(
    workload_id="payment-api-prod",
    bundle_path="./tokenmesh-policy.json",
    key_resolver="customer-kms"
)
token = client.tokenize("bank_account_number", "SYNTHETIC-DEMO-VALUE")
print(token)

Python reflects the current SDK-first direction for local enforcement.
SDK contract
A TokenMesh SDK is more than a thin API wrapper.
verify signed policy bundles
fail closed on invalid policy
cache valid bundles
enforce workload scope
resolve customer-owned key references
emit redacted audit metadata
avoid logging cleartext
Outage behavior
The SDK does not need the control plane for every call.
Control plane online: SDK fetches the latest signed bundle.
Control plane offline: SDK uses a valid cached bundle.
No valid bundle: SDK fails closed.
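The three outage states above, sketched as an added example; this is not TokenMesh code. The function names, the `expires_at` field and the envelope layout are assumptions, and HMAC-SHA256 stands in for whatever signature scheme a real bundle uses.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key. HMAC-SHA256 is a stand-in (assumption): a real bundle
# would carry an asymmetric signature checked against a pinned public key.
DEMO_KEY = b"constructed-demo-key"

class PolicyUnavailable(Exception):
    """No verifiable, unexpired bundle: the caller must refuse to tokenize."""

def sign_bundle(policy, key=DEMO_KEY):
    """Publisher side (demo only): wrap a policy dict in a signed envelope."""
    payload = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify_bundle(envelope, now, key=DEMO_KEY):
    """Return the policy dict if signature and expiry check out, else None."""
    try:
        payload, sig = envelope["payload"], envelope["sig"]
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time compare
            return None
        policy = json.loads(payload)  # parse only after the signature passes
        exp = policy["expires_at"]    # hypothetical expiry field (epoch seconds)
        if not isinstance(exp, (int, float)) or exp <= now:
            return None
        return policy
    except (KeyError, TypeError, ValueError, AttributeError):
        return None  # malformed or missing envelope counts as invalid

def load_policy(fetch, cache, now=None):
    """Online: fetch and verify. Offline: verified cache. Otherwise fail closed."""
    now = time.time() if now is None else now
    try:
        fresh = fetch()
    except OSError:  # control plane unreachable
        fresh = None
    policy = verify_bundle(fresh, now)
    if policy is not None:
        cache["bundle"] = fresh  # only verified bundles ever enter the cache
        return policy, "fetched"
    policy = verify_bundle(cache.get("bundle"), now)  # re-verify on every use
    if policy is not None:
        return policy, "cached"
    raise PolicyUnavailable("no valid signed bundle; refusing to tokenize")
```

The cached bundle is re-verified on each load, so a cache entry that has expired or been modified on disk is treated the same as no bundle at all.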
Architecture fit
Built for application boundaries.
The SDK is the local worker inside the customer application.
It fetches and verifies signed policies, checks workload authorization, resolves key references, tokenizes locally, writes safe audit metadata, and fails closed when policy or key access is invalid.