Using services
Opaque services provide a flexible way to automate secure, low-latency data processing for small, on-demand inputs. Each service runs inside a trusted execution environment (TEE), ensuring that both data and computation remain confidential—even during processing. Services are ideal for embedding policy-enforced logic into workflows where sensitive data must be handled securely and verifiably.
This page shows you how to install the Opaque SDK and configure built-in services in your workspace.
Currently, Opaque provides two built-in services:
- Data ingestion: Securely fetches external data from sources like REST APIs.
- Data redaction: Masks or removes PII fields from sensitive inputs.
Additional service types and user-defined services are planned for future release.
Before you begin
To use services in Opaque, make sure the following are in place:
- oras installed (installation guide)
- Python (version 3.9 or higher)
- Opaque Python SDK ZIP file and OCI registry credentials (provided by Opaque)
- OpenSSL installed (download here).
- REST API URL and JWT token (provided by Opaque)
- Basic familiarity with Python and REST APIs
Step 1: Install the Opaque Python SDK
After deploying Opaque, install the Python SDK on your local development environment to begin interacting with services.
- Set the OPAQUE_VERSION environment variable to match the version bundled with your deployment. (For the latest Opaque version, check docs.opaque.co and click View release notes).
- Pull the SDK package from the Opaque OCI registry:
Note
Replace with the version bundled with your deployment. This version is included with your deployment or provided by your Opaque contact.
- Unzip the SDK and install it:
When installed successfully, you should see: Successfully installed opaque-2.0.0.
Step 2. Launch and configure services
In the Opaque web app:
- Open your workspace and select Services from the secondary left-hand nav.
- Click New Service in the upper-right corner.
- Create a service:
- Choose a service type (e.g., data ingestion or redaction).
- Provide a name for the service.
- (For redaction only) Configure additional options such as fields to redact under Sanitization > Choose PII.
- Click Launch to deploy the service.
- Verify the service is running in the Services list view.
You'll also see each program use remote attestation to confirm that the data ingestion and redaction were executed in trusted execution environments (TEEs).
Note on custom redaction fields
If you're adapting this workflow to your own redaction use cases, keep the following in mind:
- The redaction service supports built-in PII types (e.g., email, phone number), but you can also define custom sanitization fields using regular expressions.
- Custom regex is evaluated using Python’s re module. Patterns copied from Java, JavaScript, or other environments may behave differently and can fail silently if not valid in Python.
- To ensure compatibility, test your expressions using a Python-compatible regex tester such as regex101.com (with the Python flavor selected), or refer to the Python re module documentation for syntax guidance.
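A local pre-flight check for custom redaction patterns, as an added example that is not part of Opaque's SDK or documentation: it compiles each candidate with Python's re module and runs it against samples that must and must not be redacted. The function names, the EMP-###### ID format, and all sample strings are constructed for illustration.

```python
import re

def check_redaction_pattern(pattern, must_match, must_not_match=()):
    """Return a list of problems found; an empty list means the pattern passed."""
    problems = []
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        # Syntax from another engine (e.g. JavaScript named groups) lands here.
        return [f"does not compile under Python re: {exc}"]
    # JavaScript-style /pattern/flags literals compile in Python, but the slashes
    # are matched literally, so the pattern quietly redacts nothing.
    if re.fullmatch(r"/.+/[a-z]*", pattern):
        problems.append("looks like a /pattern/flags literal; remove the delimiters")
    for sample in must_match:
        if compiled.search(sample) is None:
            problems.append(f"missed sensitive sample: {sample!r}")
    for sample in must_not_match:
        if compiled.search(sample) is not None:
            problems.append(f"over-matched benign sample: {sample!r}")
    return problems

# Constructed sample data: a made-up employee ID format, "EMP-" plus 6 digits.
SENSITIVE = ["badge EMP-004217 issued", "owner: EMP-999001"]
BENIGN = ["ticket TEMP-12 closed", "EMP-12 (too short)"]

# Constructed candidate patterns, one per failure mode.
CANDIDATES = {
    "python_ok": r"\bEMP-\d{6}\b",
    "js_named_group": r"(?<id>EMP-\d{6})",  # JavaScript/Java named-group syntax
    "js_literal": r"/EMP-\d{6}/g",          # compiles, but never matches the samples
    "too_loose": r"EMP-\d+",                # compiles, but over-matches
}

def run_checks():
    """Check every candidate against the constructed samples."""
    return {name: check_redaction_pattern(pattern, SENSITIVE, BENIGN)
            for name, pattern in CANDIDATES.items()}

if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, "OK" if not problems else problems)
```

Only a pattern that returns an empty problem list here should be entered as a custom sanitization field; a pattern that compiles but misses its sensitive samples would leave PII unredacted.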
Step 3. Prepare to run services
With your services deployed, you’re ready to run secure workflows using the Opaque SDK.
Each workflow uses environment variables to authenticate with the Opaque platform and invoke services inside your workspace. Depending on your use case, you may choose to ingest external data, redact PII, or compose both steps into a policy-enforced pipeline.
Before you proceed:
- Verify that Python (version 3.9 or higher) is installed.
- Obtain the REST URL (provided by Opaque) and your API key:
- In the Opaque web app, navigate to the API Keys section and copy the refresh token.
- Go to Jobs > Services and note the UUIDs of any services you plan to invoke.
Note
The REST URL is either provided by Opaque or configured during deployment (e.g., through the Azure Marketplace).
Then set the following environment variables:
export OPAQUE_API_KEY="<your_api_key>" # From the API Keys section in Opaque
export OPAQUE_REST_URL="<your_rest_url>" # Must include the API version number
Once your environment is configured, you’re ready to choose a workflow pattern and start using services.