A control plane for policy. A data plane inside your apps.
TokenMesh separates policy management from tokenization execution. The control plane publishes signed bundles; SDKs enforce them locally.
Diagram: TokenMesh local enforcement architecture. Signed bundle down, tokenized data out. The components it shows:
TokenMesh Control Plane
- Policy Authoring
- Bundle Signing
- Audit Evidence
- Drift Detection
signed policy bundle
bundle_id · policy_version · allowed_workloads · field_rules · algorithm_id · key_ref · key_version · signature
Producer Application + TokenMesh SDK
- receives sensitive data
- verifies signed policy
- resolves customer key reference
- tokenizes locally
Consumer Application + TokenMesh SDK
- receives tokenized data
- verifies policy if needed
- uses token
- detokenizes only when explicitly authorized (future capability)
Customer KMS / HSM / Vault
- customer-owned key material
- SDK resolves key reference
- control plane publishes reference only
Producer DB / Stream / API
- stores tokenized data only
- raw sensitive data stays near producer
Audit / Drift Evidence
- policy version
- bundle hash
- workload id
- cleartext_logged: No
Control plane
The TokenMesh control plane is the rulebook publisher.
The governance layer manages policies, bundle signing, audit metadata, and drift evidence. Raw PII does not need to be sent to it for every tokenization call; that work happens inside the SDK. The control plane decides:
- which fields should be tokenized
- which workloads are allowed
- which policy version is active
- which algorithm id should be used
- which key reference should be used
- which bundle version is deployed
Policy bundle
Policy becomes a signed artifact.
A bundle is a signed, portable rulebook. SDKs verify it before use, and regions can compare version/hash metadata to detect drift.
```json
{
  "bundle_id": "bundle-bank-prod-v1",
  "policy_version": "policy-bank-prod-v1",
  "allowed_workloads": ["payment-api-prod"],
  "field_rules": {
    "bank_account_number": {
      "action": "tokenize",
      "token_format": "opaque"
    },
    "ssn": {
      "action": "tokenize",
      "token_format": "masked-reference"
    }
  },
  "algorithm_id": "deterministic-tokenization-v1",
  "key_ref": "aws-kms://customer-prod/tokenmesh/accounts",
  "key_version": "2026-01",
  "signature": "ed25519:..."
}
```
Signed policy bundle (demo metadata, no cleartext values).
The control plane publishes only the key reference, never the raw key. The reference points at customer-owned key infrastructure, the key material stays in the customer-controlled KMS, HSM, or Vault, and the SDK resolves the reference at runtime.
Runtime behavior
The SDK verifies first, then tokenizes in-process.
At runtime, the application calls the local SDK. The SDK evaluates policy locally, so there is no call to a central tokenization API on every event. In order:
- app starts
- SDK loads the trusted signing public key
- SDK fetches the signed bundle
- SDK verifies the signature
- SDK caches the valid bundle
- SDK tokenizes locally
- SDK writes redacted audit metadata
- SDK fails closed if the bundle, key, or policy is invalid
Outage behavior
Offline control plane does not have to stop local tokenization.
If the TokenMesh control plane is temporarily unavailable, SDKs continue tokenizing with a valid cached bundle as long as that bundle has not expired and its key reference still resolves.
The control plane is not on the per-event tokenization hot path.
| Control plane | Cached bundle | Key resolver | Result |
|---|---|---|---|
| Offline | Valid cached bundle | Available | Tokenization continues |
| Offline | Missing bundle | Available | Fail closed |
| Online | Expired bundle | Available | Fail closed until refreshed |
| Online | Valid cached bundle | Unavailable | Fail closed |
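The startup sequence and the outage table above, as an added example in Go; this is not TokenMesh SDK code. The control-plane side signs a bundle shaped like the page's JSON with Ed25519; the SDK side verifies that signature against a trusted public key, checks `allowed_workloads` and expiry, resolves the key through a stand-in for the customer KMS, tokenizes in-process, and returns redacted audit metadata. When the fetch fails it falls back to the cached bundle; every other failure fails closed, matching the table's rows. Assumptions not on the page: the `not_after` field, the `SDK`, `Load` and `Tokenize` names, the masked-reference layout, and the token derivation (HMAC-SHA256 keyed by the resolved key over the algorithm id, field name and value; the page names only `deterministic-tokenization-v1`). The signing key, KMS stand-in and records are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Bundle mirrors the page's signed policy bundle. NotAfter is an assumed extra field
// that models the "expired bundle" row of the outage table.
type Bundle struct {
	BundleID         string          `json:"bundle_id"`
	PolicyVersion    string          `json:"policy_version"`
	AllowedWorkloads []string        `json:"allowed_workloads"`
	FieldRules       map[string]Rule `json:"field_rules"`
	AlgorithmID      string          `json:"algorithm_id"`
	KeyRef           string          `json:"key_ref"`
	KeyVersion       string          `json:"key_version"`
	NotAfter         time.Time       `json:"not_after"`
	Signature        string          `json:"signature"`
}

type Rule struct {
	Action      string `json:"action"`
	TokenFormat string `json:"token_format"`
}

// Audit is the redacted per-call evidence: versions, hash and workload, never a value.
type Audit struct{ PolicyVersion, BundleHash, WorkloadID string; CleartextLogged bool }

// payload is what gets signed: the bundle with its signature blanked, marshalled in
// fixed struct-field order (encoding/json also sorts map keys), so it is canonical.
func payload(b Bundle) []byte { b.Signature = ""; p, _ := json.Marshal(b); return p }

// SignBundle is the control-plane side: Ed25519 over the canonical payload.
func SignBundle(b Bundle, priv ed25519.PrivateKey) Bundle {
	b.Signature = "ed25519:" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, payload(b)))
	return b
}

// SDK is the in-process data plane. Resolve stands in for the customer KMS/HSM/Vault.
type SDK struct {
	TrustedPub ed25519.PublicKey // signing key trusted at app start
	Workload   string            // this workload's id
	Resolve    func(ref, version string) ([]byte, error)
	cache      *Bundle // last verified bundle
	key        []byte  // key material resolved from cache.KeyRef
}

// Load is the startup/refresh path: fetch the bundle, or reuse the cached copy when the
// control plane is offline; verify it; resolve the key. Any failure fails closed.
func (s *SDK) Load(fetch func() (Bundle, error), now time.Time) error {
	b, err := fetch()
	if err != nil && s.cache == nil {
		return fmt.Errorf("fail closed: control plane offline and no cached bundle: %w", err)
	} else if err != nil {
		b = *s.cache // offline: keep enforcing the last verified bundle
	}
	s.key = nil // nothing tokenizes until every check below passes
	if err := s.verify(b, now); err != nil {
		s.cache = nil
		return fmt.Errorf("fail closed: %w", err)
	}
	if s.key, err = s.Resolve(b.KeyRef, b.KeyVersion); err != nil {
		return fmt.Errorf("fail closed: key resolver unavailable: %w", err)
	}
	s.cache = &b
	return nil
}

// verify checks the signature, then expiry, then the workload allow-list.
func (s *SDK) verify(b Bundle, now time.Time) error {
	sig, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(b.Signature, "ed25519:"))
	switch {
	case len(s.TrustedPub) != ed25519.PublicKeySize || !strings.HasPrefix(b.Signature, "ed25519:") ||
		err != nil || !ed25519.Verify(s.TrustedPub, payload(b), sig):
		return fmt.Errorf("bundle signature invalid")
	case now.After(b.NotAfter):
		return fmt.Errorf("bundle expired, refresh required")
	case !contains(b.AllowedWorkloads, s.Workload):
		return fmt.Errorf("workload %q not in allowed_workloads", s.Workload)
	}
	return nil
}

func contains(xs []string, x string) bool {
	for _, y := range xs {
		if y == x {
			return true
		}
	}
	return false
}

// Tokenize applies field_rules in-process. Derivation is an assumed scheme (HMAC-SHA256 keyed
// by the resolved key over algorithm_id, field and value); the page names only the algorithm id.
func (s *SDK) Tokenize(rec map[string]string) (map[string]string, Audit, error) {
	if s.cache == nil || s.key == nil {
		return nil, Audit{}, fmt.Errorf("fail closed: no verified bundle and key")
	}
	out := map[string]string{}
	for field, v := range rec {
		rule, ok := s.cache.FieldRules[field]
		if !ok || rule.Action != "tokenize" {
			out[field] = v // no rule for this field: passes through unchanged
			continue
		}
		mac := hmac.New(sha256.New, s.key)
		mac.Write([]byte(s.cache.AlgorithmID + "\x00" + field + "\x00" + v))
		t := hex.EncodeToString(mac.Sum(nil))
		out[field] = "tok_" + t[:32] // opaque
		if rule.TokenFormat == "masked-reference" && len(v) >= 4 {
			out[field] = "***-**-" + v[len(v)-4:] + "#" + t[:12] // assumed layout: last 4 visible
		}
	}
	h := sha256.Sum256(payload(*s.cache))
	return out, Audit{s.cache.PolicyVersion, hex.EncodeToString(h[:]), s.Workload, false}, nil
}

// DemoBundle is the page's example bundle, signed, valid for one day from now.
func DemoBundle(priv ed25519.PrivateKey, now time.Time) Bundle {
	return SignBundle(Bundle{
		BundleID:         "bundle-bank-prod-v1",
		PolicyVersion:    "policy-bank-prod-v1",
		AllowedWorkloads: []string{"payment-api-prod"},
		FieldRules: map[string]Rule{
			"bank_account_number": {Action: "tokenize", TokenFormat: "opaque"},
			"ssn":                 {Action: "tokenize", TokenFormat: "masked-reference"},
		},
		AlgorithmID: "deterministic-tokenization-v1",
		KeyRef:      "aws-kms://customer-prod/tokenmesh/accounts",
		KeyVersion:  "2026-01",
		NotAfter:    now.Add(24 * time.Hour),
	}, priv)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo signing key
	now := time.Now()
	sdk := &SDK{TrustedPub: pub, Workload: "payment-api-prod",
		Resolve: func(ref, v string) ([]byte, error) { return []byte("constructed-demo-key-" + v), nil }}
	fmt.Println(sdk.Load(func() (Bundle, error) { return DemoBundle(priv, now), nil }, now))
	fmt.Println(sdk.Tokenize(map[string]string{"ssn": "123456789", "bank_account_number": "9876543210"}))
}
```

`Load` is the startup path; calling it again on a timer is the refresh, and because it re-resolves the key each time, a KMS outage fails closed even when the cached bundle is still good, which is the table's last row. One caveat on `payload`: it leans on encoding/json's stable struct-field order and sorted map keys as a canonical form, which only holds while signer and verifier share the same struct; a production SDK should verify the exact bytes the control plane published rather than re-serializing its own parse of them.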
Deployment models
Fit the control plane to the institution.
TokenMesh-hosted control plane
Fastest SaaS deployment. Customer apps and keys remain customer-controlled.
Customer-hosted control plane
For banks that require everything inside their own cloud or data center.
Hybrid control plane
TokenMesh manages workflow and UI; customer controls keys and runtime execution.