Self-hostable PCI tokenization microservice and CLI that swaps PANs for format-preserving tokens and proves no raw card data persists.
Fintech & Payments Security — PCI, fraud, AML, and payment rails.
```
pip install cognis-tokenvault
tokenvault scan .   # → prioritized findings in seconds
```

- Install the CLI (console script `tokenvault`):
  ```
  pip install cognis-tokenvault
  ```
- Scan for cardholder data — `scan` detects PANs and exits 2 if any are found (a CI gate); pass `-` to read stdin:
  ```
  tokenvault scan payments.log
  ```
- Tokenize — swap each PAN for a format-preserving token, keeping the leading BIN (`--keep-bin`, default 6) and writing the redacted copy with `-o`:
  ```
  export TOKENVAULT_KEY='super-secret-key'
  tokenvault tokenize payments.log -o payments.redacted.log --vault vault.json
  ```
- Detokenize / read the audit trail — reversing a token is audited (`detokenize`); export the trail as JSON for your SIEM:
  ```
  tokenvault detokenize 4532015199999704 --vault vault.json
  tokenvault audit --vault vault.json --format json
  ```
- Automate in CI — fail the build if raw card data is committed (`scan` returns exit 2 on a hit):
  ```yaml
  - run: pip install cognis-tokenvault
  - run: tokenvault scan src/   # nonzero exit blocks the merge
  ```
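The tokenize, detokenize and audit steps above, as an added example that is not tokenvault's own code: a toy in-memory vault (a stand-in for `vault.json`) that keeps the leading BIN the way `--keep-bin` does, records every `detokenize` call whether or not it succeeds, and exports the trail as JSON. tokenvault produces its tokens with FF3-1 format-preserving encryption; this stand-in draws random digits and stores the token-to-PAN mapping instead, so it needs no AES library. The `Vault` class, the key and the actor names are constructed for the example; the PAN is the quick start's test number.

```python
# Added example (not tokenvault's own code): a toy vault that walks the
# quick-start flow - tokenize with a kept BIN, audited detokenize, audit
# export as JSON. tokenvault tokenizes with FF3-1; this stand-in draws random
# digits and keeps the token->PAN mapping in a dict, standard library only.
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import time


class Vault:
    """In-memory stand-in for vault.json: the one place the PAN may live."""

    def __init__(self, key: bytes, keep_bin: int = 6) -> None:
        self.key = key
        self.keep_bin = keep_bin          # --keep-bin: leading digits preserved
        self.tokens: dict[str, str] = {}  # token -> PAN (the only scoped data)
        self.index: dict[str, str] = {}   # HMAC(PAN) -> token, for idempotency
        self.audit_log: list[dict] = []   # every detokenize, success or not

    def _index_key(self, pan: str) -> str:
        # Keyed hash so the index can be searched without exposing PANs.
        return hmac.new(self.key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Swap a PAN for a same-length, same-BIN digit token (idempotent)."""
        pan = "".join(c for c in pan if c.isdigit())
        if self.keep_bin >= len(pan):
            raise ValueError("PAN too short to keep that many BIN digits")
        idx = self._index_key(pan)
        if idx in self.index:
            return self.index[idx]
        while True:
            tail = "".join(secrets.choice("0123456789")
                           for _ in range(len(pan) - self.keep_bin))
            token = pan[:self.keep_bin] + tail
            if token != pan and token not in self.tokens:
                break
        self.tokens[token] = pan
        self.index[idx] = token
        return token

    def detokenize(self, token: str, actor: str) -> str:
        """Reverse a token; the attempt is recorded whether or not it succeeds."""
        pan = self.tokens.get(token)
        self.audit_log.append({"ts": time.time(), "actor": actor,
                               "token": token, "ok": pan is not None})
        if pan is None:
            raise KeyError(f"unknown token {token}")
        return pan

    def audit_json(self) -> str:
        """Audit trail for a SIEM: tokens and actors only, never PANs."""
        return json.dumps(self.audit_log, indent=2)

    def to_json(self) -> str:
        """Serialize the vault (what a vault.json file would hold)."""
        return json.dumps({"keep_bin": self.keep_bin, "tokens": self.tokens,
                           "index": self.index, "audit": self.audit_log})

    @classmethod
    def from_json(cls, key: bytes, blob: str) -> Vault:
        data = json.loads(blob)
        v = cls(key, keep_bin=data["keep_bin"])
        v.tokens, v.index, v.audit_log = data["tokens"], data["index"], data["audit"]
        return v


if __name__ == "__main__":
    vault = Vault(b"super-secret-key")            # constructed sample key
    token = vault.tokenize("4532015199999704")    # test PAN from the quick start
    print("token:", token)
    print("pan:  ", vault.detokenize(token, actor="ops@example"))
    print(vault.audit_json())
```

The vault is the single PCI-scoped artifact in this layout, which is the point: the redacted log holds only tokens, the audit trail holds tokens and actors, and the PAN appears nowhere except inside the vault, so the vault file (and the key protecting it) is what the access controls and backups have to treat as cardholder data.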
Format-preserving (FF3-1) tokenization, shipped as a single binary you can run in CI, shrinks PCI scope; the audited `detokenize` command and the `audit` export produce an access trail auditors love.
tokenvault is single-purpose, scriptable, and self-hostable: point it at a target, get prioritized results in the format your workflow already speaks (table · JSON · SARIF), gate CI on it, and let agents drive it over MCP.
- ✅ Luhn Check
- ✅ Luhn Check Digit
- ✅ Mask Pan
- ✅ Detect Pans
- ✅ Tokenize Pan
- ✅ Detokenize Token
- ✅ Load Key
- ✅ Runs on Linux/macOS/Windows · Docker · devcontainer
- ✅ Ports in Python, JavaScript, Go, and Rust (`ports/`)
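The Luhn, mask and detect items in the list above, worked as an added example that is not tokenvault's own code: a small scanner that finds Luhn-valid 13-19 digit runs in text, masks them for the report, and returns the same exit code the quick start's `scan` uses as a CI gate (2 on a hit, 0 when clean). The regex, the function names and `SAMPLE_LOG` are constructed for the example; the sample log uses the quick start's test PAN and a public test card number.

```python
# Added example (not tokenvault's own code): Luhn check, Luhn check digit,
# mask PAN, detect PANs, plus a scan() that mirrors the CI gate (exit 2 on a
# hit, 0 when clean). Standard library only; SAMPLE_LOG is constructed.
from __future__ import annotations

import re
import sys

# A run of 13-19 digits, allowing the spaces or dashes people put in logs and
# fixtures. Brand/length tables are deliberately omitted: Luhn is the filter
# that separates card numbers from order ids and timestamps.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_check(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum."""
    if len(digits) < 2 or not digits.isdigit():
        return False
    total = 0
    for i, c in enumerate(reversed(digits)):
        d = int(c)
        if i % 2 == 1:            # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """The digit that makes partial + digit Luhn-valid (handy for test data)."""
    return next(d for d in range(10) if luhn_check(partial + str(d)))


def mask_pan(pan: str, keep_bin: int = 6, keep_last: int = 4) -> str:
    """PCI-style display: first six and last four visible, the rest starred."""
    if len(pan) <= keep_bin + keep_last:
        return "*" * len(pan)
    return pan[:keep_bin] + "*" * (len(pan) - keep_bin - keep_last) + pan[-keep_last:]


def detect_pans(text: str) -> list[tuple[int, str]]:
    """(line number, normalized PAN) for every Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = "".join(c for c in m.group(0) if c.isdigit())
            if 13 <= len(digits) <= 19 and luhn_check(digits):
                hits.append((lineno, digits))
    return hits


def scan(text: str) -> int:
    """CI gate: report masked findings; return 2 on a hit, 0 when clean."""
    hits = detect_pans(text)
    for lineno, pan in hits:
        print(f"[HIGH ] line {lineno}: PAN {mask_pan(pan)}")
    print(f"{len(hits)} findings")
    return 2 if hits else 0


# Constructed sample: one order id that fails Luhn, one PAN from the quick
# start, one public test card number written with dashes.
SAMPLE_LOG = """\
2024-01-15 10:22:03 INFO  order 1234567890123456 created
2024-01-15 10:22:04 DEBUG card 4532015199999704 authorized
2024-01-15 10:22:05 DEBUG fixture 4111-1111-1111-1111 loaded
2024-01-15 10:22:06 INFO  checkout complete
"""

if __name__ == "__main__":
    sys.exit(scan(SAMPLE_LOG))
```

Luhn rejects most stray digit runs (the order id in the sample fails it), but it is a checksum rather than proof of a card number, so a production scanner also applies BIN ranges and an allow-list of known test numbers to keep false positives out of the CI gate.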
```
pip install cognis-tokenvault
tokenvault --version
tokenvault scan .                    # scan current project
tokenvault scan . --format json      # machine-readable
tokenvault scan . --fail-on high     # CI gate (non-zero exit)
```

```
$ tokenvault scan .
[HIGH  ] TOK-001 example finding (./src/app.py)
[MEDIUM] TOK-002 another signal (./config.yaml)
2 findings · risk score 5 · 38ms
```
```mermaid
flowchart LR
    IN[input] --> P[tokenvault<br/>analyze + score]
    P --> OUT[report]
```
tokenvault is interoperable with every popular way of using AI:
- MCP server — `tokenvault mcp` (Claude Desktop, Cursor, Cognis.Studio, uncensored-fleet)
- OpenAI-compatible / JSON — pipe `tokenvault scan . --format json` into any agent or LLM
- LangChain · CrewAI · AutoGen · LlamaIndex — wrap the CLI/JSON as a tool in one line
- CI / scripts — exit codes + SARIF for non-AI pipelines
| | Cognis tokenvault | Vault Transit |
|---|---|---|
| Self-hostable, no account | ✅ | varies |
| Single command, zero config | ✅ | |
| JSON + SARIF for CI | ✅ | varies |
| MCP-native (AI agents) | ✅ | ❌ |
| Polyglot ports (JS/Go/Rust) | ✅ | ❌ |
| Open license | ✅ COCL | varies |
Built in the spirit of Vault Transit / Basis Theory, re-framed the Cognis way. Missing a credit? Open a PR.
Pipes into your stack: SARIF for code-scanning, JSON for anything, an MCP server (tokenvault mcp) for AI agents, and a webhook forwarder for SIEM/Slack/Jira. See docs/INTEGRATIONS.md.
```
pip install "git+https://github.com/cognis-digital/tokenvault.git"      # pip (works today)
pipx install "git+https://github.com/cognis-digital/tokenvault.git"     # isolated CLI
uv tool install "git+https://github.com/cognis-digital/tokenvault.git"  # uv
pip install cognis-tokenvault                                           # PyPI (when published)
docker run --rm ghcr.io/cognis-digital/tokenvault:latest --help         # Docker
brew install cognis-digital/tap/tokenvault                              # Homebrew tap
curl -fsSL https://raw.githubusercontent.com/cognis-digital/tokenvault/main/install.sh | sh
```

| Linux | macOS | Windows | Docker | Cloud |
|---|---|---|---|---|
| scripts/setup-linux.sh | scripts/setup-macos.sh | scripts/setup-windows.ps1 | docker run ghcr.io/cognis-digital/tokenvault | DEPLOY.md (AWS/Azure/GCP/k8s) |
- panhound — Scans code, logs, fixtures, and S3 buckets for leaked PANs (Luhn-validated card numbers) and CVVs before they hit prod.
- fraudlens — Replays a stream of transactions against pluggable fraud rules and ML scorers, emitting precision/recall and alert volume from the terminal.
- obscan — Conformance and security linter for Open Banking / FAPI APIs: validates OAuth flows, consent scopes, and PSD2 endpoints against the spec.
- ledgerproof — Verifies double-entry ledger integrity and tamper-evidence by checking balance invariants and hash-chained journal entries.
- iso20022 — Validates, lints, and diffs ISO 20022 / pacs / camt payment messages and translates legacy MT into MX with schema-aware errors.
- sanctscan — Screens counterparties and transactions against OFAC/EU/UN sanctions lists with fuzzy name matching and explainable hit scoring.
Explore the suite → 🗂️ all 170+ tools · ⭐ awesome-cognis · 🔗 cognis-sources · 🤖 uncensored-fleet · 🧠 engram
PRs, new rules, and demo scenarios are welcome under the collaboration-pull model — see CONTRIBUTING.md and SECURITY.md.
tokenvault composes with the 300+ tool Cognis suite — JSON in/out and a shared OpenAI-compatible /v1 backbone. See INTEROP.md for the suite map, composition patterns, and reference stacks.
Source-available under the Cognis Open Collaboration License (COCL) v1.0 — free for personal, internal-evaluation, research, and educational use; commercial / production use requires a license (licensing@cognis.digital). See LICENSE.