Basis Theory Technical Briefing
Published November 9, 2021
Overview
Brian, co-founder of Basis Theory, walks through the Basis Theory platform — a developer-first tokenization and encryption service for any sensitive value on the internet. The demo covers tenants (test/prod, sub-customer, or geo-split workspaces), Elements (drop-in UI that keeps you out of PCI scope for cards, bank accounts, SSNs, and driver's licenses), and server-to-server apps gated by PCI Level 1 attestation. Basis Theory tokenizes any serializable value — strings, documents, PII, cards, bank accounts — and returns a consistent token shape with type, fingerprint, and non-sensitive metadata so developers can dedupe without decryption. Customers can roll their own keypair (bring-your-own-key) so Basis Theory only sees ciphertext. The reactor system ships pre-built serverless templates (Stripe, Braintree, BIN analysis via Perapt) and private reactors for custom integrations, allowing partners to tokenize a card once and route to multiple processors without ever touching the raw PAN.
0:00 Introduction to Basis Theory
Brian, a co-founder of Basis Theory, introduces the product as a developer-first tokenization and encryption platform for the internet. Everything shown is dog-fooded on top of the Basis Theory APIs, SDKs, and Terraform module — build on the portal or on the APIs directly.
0:30 Tenants — test/prod, sub-customers, geo splits
Basis Theory tenants let you split data by environment (test vs. prod), by sub-customer, or by geography. From the portal, Brian creates a new application and chooses from several application types depending on the job to be done.
1:30 Elements vs. server-to-server apps and PCI scope
Elements drop into your UI so you can take in cards, bank accounts, or other PII (SSNs, driver's licenses) without ever touching the raw data — keeping you out of PCI scope. Server-to-server apps give you programmatic access, and PCI Level 1 attestation is required to decrypt card PANs.
2:00 Tokenize any serializable value
In the sandbox, Brian tokenizes a simple string. Any serializable value (string, bool, document, card, bank account) can be tokenized and every response is the same shape: token, tenant id, type, creator, ISO timestamp, and optional child tokens.
2:30 PII tokens and bring-your-own keys
For PII data, Basis Theory can either encrypt with its own keys (after reviewing your PCI/SOC2 due diligence) or let you roll your own keypair so Basis Theory only ever sees the ciphertext — only your private key can decrypt.
4:00 Card and bank account tokens with fingerprinting and metadata
Tokenizing a card returns a masked PAN, a card-type tag, and a fingerprint you can use for dedupe without decryption. Bank accounts return tokenized account numbers (not routing numbers). Both accept attached non-sensitive metadata for analysis and lookup.
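To make the token shape from the sandbox demo and the fingerprint-based dedupe concrete, here is an added, self-contained model of a card vault. It is illustrative code written for this summary, not Basis Theory's implementation or SDK: the field names, the keyed-HMAC fingerprint, the tenant id and the `FINGERPRINT_KEY` are all constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timezone

# Constructed per-tenant fingerprint key; a real vault keeps this in an HSM/KMS.
FINGERPRINT_KEY = b"constructed-example-fingerprint-key"

def card_type(pan: str) -> str:
    """Coarse brand tag from the leading digits; non-sensitive, safe to return."""
    if pan.startswith("4"):
        return "visa"
    return "mastercard" if pan[:2] in {"51", "52", "53", "54", "55"} else "unknown"

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; hide the rest."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

def fingerprint(value: str) -> str:
    """Keyed hash: equal values give equal fingerprints, so callers can dedupe
    without decrypting; without the key the small PAN space cannot simply be
    enumerated to reverse a fingerprint, as it could with an unkeyed hash."""
    return hmac.new(FINGERPRINT_KEY, value.encode(), hashlib.sha256).hexdigest()

class Vault:
    def __init__(self, tenant_id: str):
        self.tenant_id = tenant_id
        self._secrets = {}  # token -> raw value; stands in for the encrypted store
        self.tokens = {}    # token -> non-sensitive token record returned to callers

    def tokenize_card(self, pan: str, metadata=None) -> dict:
        pan = re.sub(r"\D", "", pan)  # normalise so "4111 1111 ..." dedupes correctly
        if not 13 <= len(pan) <= 19:
            raise ValueError("invalid PAN length")
        token = "card_" + secrets.token_hex(16)  # random id, unrelated to the PAN
        self._secrets[token] = pan
        self.tokens[token] = {
            "id": token, "tenant_id": self.tenant_id, "type": "card",
            "created_at": datetime.now(timezone.utc).isoformat(),
            "data": {"number": mask_pan(pan), "card_type": card_type(pan)},
            "fingerprint": fingerprint(pan), "metadata": metadata or {},
        }
        return self.tokens[token]

    def find_by_fingerprint(self, fp: str) -> list:
        """Dedupe or look up by fingerprint alone; nothing is decrypted."""
        return [t for t in self.tokens.values() if t["fingerprint"] == fp]
```

Two tokenizations of the same card get different token ids but the same fingerprint, which is exactly what lets a caller spot a duplicate without ever holding the PAN.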
6:00 Reactors — pre-built serverless functions (Stripe, Braintree, BIN lookup)
Reactors are pre-built serverless functions — e.g., a Stripe reactor using the Stripe SDK — that let you run partner SDKs against your Basis Theory tokens. Private reactors let you ship custom integrations from your own GitHub repo without exposing them publicly.
7:30 End-to-end: card element → Stripe / Braintree / BIN analysis
A worked example: a user pastes a card into a Basis Theory element, gets a token back, and the token is then used to create a Stripe token, a Braintree token, and to run a BIN analysis (debit vs. credit, processor routing) via Perapt — all without touching the underlying PAN.
Presented by Brian Billingsley and James Armstead — Basis Theory
Topics: Data Infrastructure, Developer Tools, Compliance & Regulation