Beginner architecture

The control plane signs the rulebook. The application enforces it locally.

TokenMesh is like a signed rulebook from headquarters. Each application verifies the rulebook and applies it locally. Headquarters does not need to touch every customer record.

How it works

Seven-step flow

Step 1: Define policy

Admins define the fields to tokenize, the allowed workloads, the algorithm id, the key reference, and the environment.

Step 2: Sign bundle

The control plane serializes the policy into a canonical bundle and signs it, so every SDK verifies the same bytes.

Step 3: Fetch and verify

The SDK fetches the bundle and verifies the signature, the expiry, and that the calling workload is authorized. A bundle that fails any check is not applied.

Step 4: Tokenize in-process

The producer app calls tokenmesh.tokenize(field, value) and the SDK evaluates the policy locally; the cleartext value is not sent to the control plane.

Step 5: Store or send tokens

Producer apps store tokens in databases or send tokenized events downstream.

Step 6: Audit safely

Audit logs record the policy version, field name, workload id, timestamp, result, and bundle hash, never the value itself.

Step 7: Detect drift

Regions compare policy_version, bundle_id, bundle_hash, algorithm_id, and key_version; any mismatch means two regions are not enforcing the same signed bundle.
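Steps 1 through 6 as an added end-to-end example in Python, covering both the seven-step flow above and the redacted audit row described under Safe audit below. This is not TokenMesh SDK code. It assumes an HMAC-SHA256 stand-in for the control plane's bundle signature (a real control plane would use an asymmetric signature so SDKs hold only a public key), a hypothetical in-memory key store behind the key reference, a made-up deterministic token construction, and a constructed sample account value.

```python
import hashlib
import hmac
import json
import time

# Assumption: the real control plane signs bundles with an asymmetric key (e.g. Ed25519),
# so SDKs hold only a public key. This stand-in uses HMAC-SHA256 so the example runs on
# the standard library alone; the verification structure is the same.
CONTROL_PLANE_SIGNING_KEY = b"demo-control-plane-signing-key"
# Hypothetical key store: the bundle carries only a key reference, never key material.
KEY_STORE = {"kref:bank-demo/2026-01": b"demo-customer-key-2026-01"}


def canonical_bytes(obj):
    """Canonical JSON (sorted keys, no whitespace) so every SDK signs/hashes the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_bundle(policy, now=None):
    """Step 2: the control plane wraps the policy with metadata and signs the canonical form."""
    now = int(time.time() if now is None else now)
    body = {
        "bundle_id": "bundle-bank-demo-0001",
        "policy_version": policy["policy_version"],
        "policy": policy,
        "issued_at": now,
        "expires_at": now + 3600,
    }
    payload = canonical_bytes(body)
    return {
        "body": body,
        "bundle_hash": "sha256:" + hashlib.sha256(payload).hexdigest(),
        "signature": hmac.new(CONTROL_PLANE_SIGNING_KEY, payload, hashlib.sha256).hexdigest(),
    }


def verify_bundle(bundle, workload_id, now=None):
    """Step 3: check signature, hash, expiry and workload authorization; raise on any failure."""
    now = time.time() if now is None else now
    payload = canonical_bytes(bundle["body"])
    expected = hmac.new(CONTROL_PLANE_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["signature"]):
        raise ValueError("bundle signature invalid")
    if bundle["bundle_hash"] != "sha256:" + hashlib.sha256(payload).hexdigest():
        raise ValueError("bundle hash does not match signed body")
    if now >= bundle["body"]["expires_at"]:
        raise ValueError("bundle expired")
    if workload_id not in bundle["body"]["policy"]["allowed_workloads"]:
        raise ValueError(f"workload {workload_id!r} not authorized by this policy")
    return bundle["body"]


def tokenize(bundle, workload_id, field, value, audit_sink, now=None):
    """Steps 4 and 6: tokenize in-process under the verified policy, then emit a redacted audit row."""
    body = verify_bundle(bundle, workload_id, now)
    policy = body["policy"]
    if field not in policy["tokenize_fields"]:
        raise ValueError(f"field {field!r} is not tokenized by {policy['policy_version']}")
    key = KEY_STORE[policy["key_reference"]]
    # Illustrative deterministic tokenization (not the product's algorithm): the same
    # (key, field, value) always yields the same token, so joins on the token still work.
    digest = hmac.new(key, field.encode() + b"\x00" + value.encode(), hashlib.sha256).hexdigest()
    token = "tok_" + digest[:24]
    event = {
        "event_type": "tokenization_success",
        "policy_version": policy["policy_version"],
        "field": field,
        "workload_id": workload_id,
        "timestamp": int(time.time() if now is None else now),
        "result": "success",
        "bundle_hash": bundle["bundle_hash"],
        "cleartext_logged": False,
    }
    # Guard: never let the raw value reach the audit sink, even after a careless refactor.
    if value in json.dumps(event):
        raise RuntimeError("refusing to write an audit row that contains cleartext")
    audit_sink.append(event)
    return token


def demo():
    """Step 1 (define policy) through Step 6 on a constructed sample value."""
    policy = {
        "policy_version": "policy-bank-demo-v1",
        "tokenize_fields": ["bank_account_number"],
        "allowed_workloads": ["payment-api-demo"],
        "algorithm_id": "mvp-deterministic-tokenization-v1",
        "key_reference": "kref:bank-demo/2026-01",
        "environment": "demo",
    }
    bundle = sign_bundle(policy, now=1_700_000_000)
    audit = []
    sample = "DE89370400440532013000"  # constructed sample value, not real account data
    t1 = tokenize(bundle, "payment-api-demo", "bank_account_number", sample, audit, now=1_700_000_100)
    t2 = tokenize(bundle, "payment-api-demo", "bank_account_number", sample, audit, now=1_700_000_100)
    return {"bundle": bundle, "token": t1, "deterministic": t1 == t2, "audit": audit, "sample": sample}
```

Two design points worth keeping when you build the real thing: verification happens on the canonical bytes that were signed, not on a re-parsed object, so a change to any field (including expires_at or allowed_workloads) invalidates the signature; and the audit guard rejects the row rather than silently redacting it, so a leak shows up as a failure in testing instead of a quiet gap in the evidence trail.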

SDK call

The developer surface is intentionally simple.

illustrative SDK call
token = tokenmesh.tokenize("bank_account_number", value)

The SDK verifies the signed bundle, checks workload scope, resolves the customer key reference, tokenizes locally, and writes safe audit metadata.

Safe audit

Audit metadata should prove behavior without storing cleartext.

No raw sensitive value in audit rows

Audit rows describe what happened: policy version, field name, workload id, timestamp, result, and bundle hash. They should not contain account numbers, SSNs, bank data, or customer secrets.

redacted audit event
{
  "event_type": "tokenization_success",
  "policy_version": "policy-bank-demo-v1",
  "field": "bank_account_number",
  "workload_id": "payment-api-demo",
  "bundle_hash": "sha256:8a9f2c4d...",
  "result": "success",
  "cleartext_logged": false
}

Drift detection

Regions compare signed bundle facts, not guesswork.

East 1

policy_version: policy-bank-demo-v1
bundle_hash: sha256:8a9f2c4d7b13e6a91
key_version: 2026-01
algorithm_id: mvp-deterministic-tokenization-v1

East 2

policy_version: policy-bank-demo-v1
bundle_hash: sha256:41bd9f00de77aa12
key_version: 2026-02
algorithm_id: mvp-deterministic-tokenization-v1

Drift detected: policy_version and algorithm_id match, but bundle_hash and key_version differ, so the two regions are not enforcing the same signed bundle.
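Step 7 as an added example in Python, not the product's own drift checker. It compares the facts the page lists against a reference region and reports exactly which ones differ, using the East 1 / East 2 values above as constructed input. bundle_id is not shown on the region cards, so the sample assumes it is equal in both regions; the region names and the bundle_id value are made up.

```python
# Facts the page says regions compare (Step 7). bundle_id is listed there but not on the
# region cards above, so the constructed sample assumes it is equal in both regions.
DRIFT_FACTS = ("policy_version", "bundle_id", "bundle_hash", "algorithm_id", "key_version")

# Constructed sample: what each region's SDKs report from their verified bundle,
# using the East 1 / East 2 values shown above (region names and bundle_id are made up).
REGION_FACTS = {
    "east-1": {
        "policy_version": "policy-bank-demo-v1",
        "bundle_id": "bundle-bank-demo-0001",
        "bundle_hash": "sha256:8a9f2c4d7b13e6a91",
        "key_version": "2026-01",
        "algorithm_id": "mvp-deterministic-tokenization-v1",
    },
    "east-2": {
        "policy_version": "policy-bank-demo-v1",
        "bundle_id": "bundle-bank-demo-0001",
        "bundle_hash": "sha256:41bd9f00de77aa12",
        "key_version": "2026-02",
        "algorithm_id": "mvp-deterministic-tokenization-v1",
    },
}


def detect_drift(region_facts, reference=None):
    """Compare every region's signed bundle facts against a reference region.

    Returns {region: {fact: (reference_value, region_value)}} containing only the facts
    that differ. A fact missing from a region counts as drift (reported as None), because
    a region that cannot report a fact cannot prove it is enforcing the same bundle.
    """
    names = list(region_facts)
    reference = names[0] if reference is None else reference
    ref = region_facts[reference]
    drift = {}
    for name in names:
        if name == reference:
            continue
        facts = region_facts[name]
        diffs = {f: (ref.get(f), facts.get(f)) for f in DRIFT_FACTS if ref.get(f) != facts.get(f)}
        if diffs:
            drift[name] = diffs
    return drift


def explain(drift):
    """One line per drifted region, ready for an alert or a dashboard."""
    lines = []
    for region, diffs in sorted(drift.items()):
        changed = ", ".join(f"{f}: {a} -> {b}" for f, (a, b) in sorted(diffs.items()))
        lines.append(f"drift in {region}: {changed}")
    return lines


if __name__ == "__main__":
    for line in explain(detect_drift(REGION_FACTS)):
        print(line)
```

Run against the sample, this reports east-2 drifting on bundle_hash and key_version only; the comparison is on the verified bundle's facts rather than on whatever a region claims in free text, which is the point of comparing signed facts.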