Support

Support Ticket

You can create a Support Ticket within your environment portal by going to "Support" -> "Support Desk" and completing the short form to open a new ticket.

Email

If you have any questions or feedback about using the Rixon API, please email us at techops@rixontechnology.com.

If you are running into an API error, please also include the request trace ID when emailing us. You can find the request trace ID in the x-requestid API response header.

Remember: Before communicating with Rixon Technology, check that you're not sending any sensitive information such as headers or requests with tokens and authorization information.

Service Uptime Monitoring

https://status.rixontechnology.com/




Guides

Authentication Overview

Two-token model: API Key is long-lived and used only to create sessions. Session Token is short-lived and used for all data calls.


Versioning

Breaking changes can be disruptive and we take versioning very seriously. If we need to sunset a legacy endpoint, we'll notify you with sufficient lead time to migrate. We recommend implementing against the latest endpoints documented in the Rixon API.

Breaking changes

We don't consider the following types of changes as breaking changes, so please don't be worried when you see them:

  • New endpoints
  • New read-only or optional fields
  • Endpoints or fields marked as deprecated
  • New enum constants

Note: Your code should be able to handle new types of responses. For example, please ensure that you design your code to handle unknown enum types and new fields in responses.


API Error Handling

Rixon uses HTTP response status codes to indicate the success or failure of your API requests. If your request fails, Rixon returns an error using the appropriate status code.

In general, there are 3 status code ranges you can expect:

  • 2xx : Success status codes confirm that your request worked as expected.
  • 4xx : Error status codes indicate an error because of the information provided (e.g., a required parameter was omitted).
  • 5xx : Error status codes are rare and indicate an error with Rixon's servers.

All Rixon Technology API endpoints include an errors object in their response body when the request fails. It will contain a type, message, and optional code. For example:

HTTP/1.1 400 Bad Request


{
  "errors": {
    "code": [
      "[ErrorCode]"
    ],
    "Validation": [
      "[Field] is Invalid"
    ]
  },
  "type": "https://tools.ietf.org/html/rfc9110#section-15.5.1",
  "title": "One or more validation errors occurred.",
  "status": 400,
  "traceId": "00-4d6e036689bbc3608e2b0c16eb968b16-671fc005fc4a712c-00"
}
                                

HTTP/1.1 404 Not Found


{
  "type": "https://tools.ietf.org/html/rfc9110#section-15.5.5",
  "title": "Not Found",
  "status": 404,
  "traceId": "00-1d7bd1f5dc226634fd44a79bcc860768-712b243be6649137-00"
}
                                

HTTP/1.1 403 Forbidden


{
  "errors": "[ErrorCode]",
  "type": "https://tools.ietf.org/html/rfc9110#section-15.5.4",
  "title": "Forbidden",
  "status": 403,
  "traceId": "00-000aed33eade6918c465a7dc5e576403-f8fbe708326c8359-00"
}
                                

Common errors and fixes

Status code | Endpoint | Error Message | Fix
----------- | -------- | ------------- | ---
400 | Any POST with free form text input | [Field name] is invalid | Free form text fields, display names, etc.
401 | Any endpoint | Unauthorized; Expired token | For Portal APIs, Generate a new JWT token. For Tokenization APIs, generate a new SessionToken.
403 | Any endpoint | Forbidden | For Portal APIs, Generate a new JWT token. For Tokenization APIs, generate a new SessionToken.
429 | Any endpoint | Too Many Requests | Rate limit exceeded. Implement exponential backoff or reduce request frequency. See Rate Limits section.

Request Correlation

All requests are tagged with several unique identifiers. Every response includes an x-requestid header, which can be used to trace the request throughout our technology stack. When triaging and troubleshooting, make a note of this value to expedite analysis.
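
The error bodies shown above come in three shapes ("errors" as an object of lists, as a bare string, or absent), and a support request should carry the x-requestid and traceId but no tokens. The helper below handles both points; it is an added example, not Rixon's own code, and the function names and the SENSITIVE list are assumptions.

```python
import json

# Keys that must never reach a ticket or e-mail. apiKey, policyPassword,
# sessionToken and value are request fields used in this guide; the header
# names are an assumed list of common credential carriers.
SENSITIVE = {"apikey", "policypassword", "sessiontoken", "value",
             "authorization", "cookie", "set-cookie"}

def normalize_errors(body):
    """Flatten the documented "errors" shapes into a list of strings."""
    errors = body.get("errors")
    if errors is None:                 # 404 sample: no "errors" member
        return []
    if isinstance(errors, str):        # 403 sample: bare string
        return [errors]
    if isinstance(errors, dict):       # 400 sample: {key: [messages]}
        out = []
        for key, msgs in errors.items():
            msgs = msgs if isinstance(msgs, list) else [msgs]
            out += [f"{key}: {m}" for m in msgs]
        return out
    return [repr(errors)]              # unknown future shape: keep it, don't crash

def redact(obj):
    """Recursively mask values stored under a SENSITIVE key."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

def support_report(status, headers, body_text, request_body=None):
    """Collect IDs and errors that are safe to paste into a support ticket."""
    headers = {k.lower(): v for k, v in headers.items()}
    try:
        body = json.loads(body_text)
    except ValueError:                 # e.g. an HTML error page from a proxy
        body = None
    if not isinstance(body, dict):
        body = {}
    return {
        "status": status,
        "requestId": headers.get("x-requestid"),
        "traceId": body.get("traceId"),
        "title": body.get("title"),
        "errors": normalize_errors(body),
        "request": redact(request_body),
    }
```

Response headers are deliberately not copied wholesale into the report; only x-requestid is extracted.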


Pretty Responses

By default, all APIs that return JSON return a minified/compressed JSON object to optimize transmission of data. You can optionally request a "pretty" formatted/indented JSON object instead. To do this, either add "?pretty" as a query string parameter or include the x-printpretty HTTP header in your API request.


Rate limits

The Rixon API employs rate limits as a safeguard against abuse and to ensure API stability. Limits apply per Client ID, per IP address, and per account. Specific rate limits are defined internally on each environment, so contact your customer success representative to adjust your rate limits. By default:

  • Up to 600 requests in 1 second.
  • Up to 10,000,000 transfers in 24 hours.

Exceeding a rate limit will result in an HTTP 429 (Too Many Requests) response. Rixon Technology may reduce limits further to prevent abuse or ensure system reliability. If you require higher rate limits for a high-volume application, please contact support.

Rate Limit Response Headers

  • x-rate-limit-limit - Defines the most restrictive internal limit rule that is being measured
  • x-rate-limit-remaining - The number of requests allowed until all requests will be rejected/denied
  • x-rate-limit-reset - The datetime when the limit and counters will be reset

Handling rate limits gracefully

If you encounter rate limits, there may be a workaround depending on your circumstance.

If your rate limiting is due to frequent polling of certain endpoints, you may be able to leverage the Webhooks Feature to instead receive real time notifications of important events. If we do not yet support a webhook that you require, let us know.

If webhooks are not a viable option to reduce call volume, you can watch for 429 status codes and implement a retry mechanism. We recommend using an exponential backoff schedule with some randomness to avoid the thundering herd problem.

Another option is to throttle traffic to Rixon more broadly per Client ID rather than for individual requests. A token bucket algorithm implemented per Client ID and optionally also against a specific type of rate limit (as listed at the top of this page) may help you mitigate or avoid the effect of rate limits on your application.
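
The two client-side techniques described above, retry on 429 with jittered exponential backoff and a token bucket per Client ID, combined in one sketch. This is an added example, not Rixon's own code; send() is a caller-supplied function, and the default rate of 500 requests per second is an assumed value chosen to stay under the documented default of 600.

```python
import random
import time

def backoff_delay(attempt, base=0.5, cap=30.0, rng=random.random):
    """Full-jitter backoff: uniform in [0, min(cap, base * 2**attempt))."""
    return rng() * min(cap, base * (2 ** attempt))

class TokenBucket:
    """Client-side throttle: `rate` tokens per second, bursts up to `capacity`.
    Not thread-safe; guard try_acquire() with a lock if shared across threads."""
    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens, self.stamp = float(capacity), clock()

    def try_acquire(self):
        now = self.clock()
        # Refill in proportion to elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

buckets = {}  # one bucket per Client ID

def call_with_retry(client_id, send, max_attempts=5, rate=500, capacity=500,
                    sleep=time.sleep, rng=random.random):
    """send() -> (status, headers, body). Retries only on HTTP 429."""
    if client_id not in buckets:
        buckets[client_id] = TokenBucket(rate, capacity)
    bucket = buckets[client_id]
    for attempt in range(max_attempts):
        while not bucket.try_acquire():
            sleep(1.0 / rate)          # wait locally instead of spending quota
        status, headers, body = send()
        if status != 429:
            return status, headers, body
        sleep(backoff_delay(attempt, rng=rng))
    return status, headers, body       # still 429 after max_attempts
```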



Quickstart

This guide will help you get up and running making your first Rixon Tokenization API call in just a few minutes.

This guide assumes you are a Rixon customer with admin access to your portal.

1. Generate your credentials

Before starting the process of data protection, you need to determine the type of data that requires protection. After that, you should define the data format and access privileges. To protect each type of data, you need to create a token definition that provides instructions to the Rixon platform on how to handle that specific data.


Setting Up API Keys

Navigate

From the sidenav in the portal, go to Account→Configurations→API Keys.

Service API Key Creation

In order to securely communicate with Rixon’s tokenization & data protection APIs you will need to create a Service API key. Your account may already have an autogenerated API key created. Your API key(s) should be stored securely and not shared since these keys are used to authenticate to Rixon’s data protection functionality.

In order to use Rixon to secure your sensitive data, we need to prepare Rixon to accept and protect your data. In order to configure Rixon you will need a portal user with at least the "AccountAdmin" role assigned or higher. This role will allow you to navigate to Account→Configurations→API Keys.

An autogenerated API key may already exist. You are safe to use this autogenerated API Key. If you'd like to create a new Key yourself, locate the section labeled “Add an API Key.” Enter a name for the key in the title field, and enter an expiration date. API Keys are not usable after they expire and should be rotated frequently. Click “Issue New API Key” and your key will appear above under the section labeled “Your Existing API Keys.”


Creating Token Definitions

Navigate

From the sidenav in the portal go to Account→Configurations→Token Definitions.

In the header of the token table, click “Create New” to access the token creation wizard.

Token Definition Creation

The token creation wizard will walk you through steps to create your token definition(s). You can accept the defaults or read the descriptions of each option to customize how your data is handled. Make sure to repeat the process of creating a token definition for each type of data you wish to protect.


Configuring Security Policies

Navigate

From the sidenav in the portal go to Account→Configurations→Security Policies.

Security Policy Configuration

Security policies defined in Rixon will define the access controls that will be enforced on API requests for tokenization.

Locate the “Security Policy Table” and click the “Create New” button. Read the description of each option and fill out the required fields. Customize each option as necessary or accept the defaults. Make sure under access controls you give your security policy the appropriate API operation permissions for your token definition.

2. Make your first API Call

With your API Key and Security Policy, you can now make a CreateSession API call. For this example, we'll hit the CreateSession endpoint which authenticates and authorizes, yielding a Session Token.

Session Tokens are short-lived. If you receive a 401 or 403, your token has likely expired — call CreateSession again. Do not cache Session Tokens indefinitely.

Below is an example, where <YOUR_ACCOUNT_DOMAIN> is usually your accountname.app.rixontechnology.com. This can be found in your "Account Settings" in the portal.

curl


curl -X 'POST' \
  'https://<YOUR_ACCOUNT_DOMAIN>/api/services/evtservice/createsession' \
  -H 'Content-Type: application/json' \
  -d '{
  "apiKey": "<YOUR_API_KEY>",
  "policy": "<THE_POLICY_NAME>",
  "policyPassword": "<THE_POLICY_PASSWORD>"
}'
                                    

With the Session Token, you can now make a Tokenization API call. For this example, we'll hit the Tokenize endpoint which simply tokenizes a single value with the tokenization engine parameters defined in the Token Definition.

curl


curl -X 'POST' \
  'https://<YOUR_ACCOUNT_DOMAIN>/api/services/evtservice/tokenize' \
  -H 'Content-Type: application/json' \
  -d '{
  "sessionToken": "<THE_SESSION_TOKEN_FROM_PREVIOUS_REQUEST>",
  "tokenName": "<THE_TOKENDEF_NAME>",
  "value": "MySensitiveValue"
}'
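
The two calls above as a small session wrapper that sends the API key only to CreateSession and refreshes the Session Token once on 401 or 403. This is an added example, not Rixon's own code: the post(path, json_body) transport is supplied by the caller, and the "sessionToken" member of the CreateSession response is an assumption because this guide does not show that response body.

```python
class RixonSession:
    """Keeps the long-lived API key out of data calls; refreshes once on 401/403."""

    def __init__(self, post, api_key, policy, policy_password):
        # post(path, json_body) -> (status, parsed_json): assumed transport hook.
        self._post = post
        self._creds = {"apiKey": api_key, "policy": policy,
                       "policyPassword": policy_password}
        self._token = None             # held in memory only, never persisted
        self.sessions_created = 0

    def _create_session(self):
        status, body = self._post("/api/services/evtservice/createsession",
                                  self._creds)
        if not 200 <= status < 300:
            raise PermissionError(f"CreateSession failed with HTTP {status}")
        # ASSUMPTION: the token is returned in a "sessionToken" member.
        self._token = body["sessionToken"]
        self.sessions_created += 1

    def tokenize(self, token_name, value):
        if self._token is None:
            self._create_session()
        for attempt in (1, 2):
            status, body = self._post(
                "/api/services/evtservice/tokenize",
                {"sessionToken": self._token, "tokenName": token_name,
                 "value": value})
            if status in (401, 403) and attempt == 1:
                self._create_session() # token likely expired: refresh once
                continue
            # A second 401/403 is returned to the caller: the policy may lack
            # permission, and retrying further would only hammer CreateSession.
            return status, body

    def __repr__(self):
        return "RixonSession(<credentials hidden>)"  # keep secrets out of logs
```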
                                    

Next steps

Congratulations, you've protected your data with tokenization! You're ready to dive deeper.

Reading through the rest of the guides will familiarize you with important Rixon API conventions and implementation concerns. The API references will give you a better understanding of what functionality is included in each API and whether they will meet the needs of your use case. If you need help, see our support page. Happy developing!



Rixon API Overview

Rixon Technology provides a real-time, vaultless and keyless tokenization platform for securing sensitive payment and financial data. The Rixon API allows your applications to tokenize, detokenize, and manage sensitive values without ever storing raw data in your environment. Using the Rixon API, you can secure your data.

Rixon APIs use the REST architecture, are defined using the OpenAPI specification and use standard HTTP response codes and verbs. All APIs accept and return JSON and require HTTPS.

Explore our guides and review our API documentation to see how you can integrate with Rixon Technology.