1. Can the header fields be stripped in the HTTP requests?
    • We can switch on transparent mode for you. In this mode, VGS-request-id and x-forwarded- headers will be excluded from the requests you make.
  2. How quickly do new or updated filters and operations on a route take effect?
    • Edits to the route filters and operations require a minute to populate.
  3. Can regular expressions be used for the Pathinfo?
    • Yes, you can use regular expressions for the Pathinfo field. If you use a regex, make sure you select the matches option from the drop-down menu.
  4. How does Host matching work compared to Filter Condition and Operation Config matching?
    • If the request doesn’t match any defined Host, the proxy will respond with a 400 and tell you to whitelist the host. If the Host matches but the PathInfo or the Filter Conditions don’t match, and/or the Operation Configs don’t have matching payload parts, the request will be passed through without any modifications and without any errors reported.
  5. For PCI compliance, what do I need to redact?
    • For PCI compliance, the minimum you must redact is the PAN and the CVV/CSC (in Volatile Memory).


  1. We are working on integrating with a third party service that will go through the VGS Platform. This service can only accept connections from a predefined list of whitelisted IP addresses. Can you provide us with the range of IP addresses to whitelist?
    • The following IP addresses can be used for both sandboxes and live environments -,,
  2. Do you have an API to push all filters at once?
    • We do not have a public API.
  3. I’m getting errors that the host doesn’t match request url basename. How do I fix this?
    • Make sure to serve the content via the tenant address (https://tenantid.sandbox.verygoodproxy.com). We added X-Forwarded-Host headers for you. (If you are communicating via API (client to server), you don’t need to do this.)
  4. Can we use our own vault?
    • Yes, this is an enterprise feature. Contact our sales team to discuss this.
  5. Do we have to send all of our traffic through the VGS?
    • No, you can segment traffic by assigning a custom CNAME such as vault.company.com and then send secure traffic to it.
  6. What is the cost of a single SSL certificate?
    • $19.99 / month
  7. Are wildcard certificates supported in the current release?
    • Wildcard certificates are currently not supported. Cost per CNAME record is $19.99 a month. Support for wildcard certificates may become available in upcoming feature releases.
  8. How do we configure our client library using Selenium web driver to work with VGS Platform?


  1. What are UUID and FPE 6_T_4 Formats?
    • They are different token formats. UUID is the default format that can be used for any kind of data. With UUID, tokens will look like tok__fgiC3Jx2abPUOPETFMvXuT. This format helps to quickly distinguish tokens from regular data and distinguish production tokens from those used in sandboxes. FPE 6_T_4 is the format-preserving-encryption for card numbers. With this format, the token will look and act like a valid card number with the same first 6 and the last 4 digits. This can be useful when tokens need to be valid card numbers (e.g. to pass Luhn validation). In cases when you don’t have such requirements, UUID is a more secure format.
  2. What are Persistent and Volatile Storage types?
    • With the default Persistent mode, tokens will be stored in the database per our data retention policy. With Volatile Storage, tokens will be stored only for 60 minutes; that is the default value and it can be configured. Volatile Storage is useful when you cannot keep some information in your system due to compliance but still need to use it for a series of requests. One example would be getting the PIN from a client and using it in a request to a third-party service. One important note is that you can only reveal tokens when the storage mode matches. E.g. if you have an operation that redacts a PIN value with Volatile storage, a reveal operation with Volatile storage will work for that token but one with Persistent storage will not, and vice versa.
  3. Do values always resolve to the same redaction token (e.g. will 123 always be the same token)?
    • Provided the fingerprinting feature is turned on, values always resolve to the same redaction token. Fingerprinting can be turned on or off. It is enabled by default.
  4. What is the typical message flow?
    • Here is our common flow:
        • The User sends a request to the Reverse VeryGoodProxy with the payload {"name": "Joe Doe", "card": "4111-1111-1111-1111"}.
        • The Reverse VeryGoodProxy matches the payload with the reverse proxy rules.
        • The Reverse VeryGoodProxy tokenizes "4111-1111-1111-1111" into "tok_abcd1234".
        • The Reverse VeryGoodProxy sends the request to the Tenant Backend App with the updated payload {"name": "Joe Doe", "card": "tok_abcd1234"}.
        • The Tenant Backend App persists "tok_abcd1234".
        • Later, the Tenant Backend App sends a request to the Forward VeryGoodProxy with the payload {"name": "Joe Doe", "card": "tok_abcd1234", "data": "custom data"}.
        • The Forward VeryGoodProxy matches the payload with the forward proxy rules.
        • The Forward VeryGoodProxy detokenizes "tok_abcd1234" back into "4111-1111-1111-1111".
        • The Forward VeryGoodProxy sends the request to the 3rd Party Service with the payload {"name": "Joe Doe", "card": "4111-1111-1111-1111", "data": "custom data"}.
  5. How many IP addresses are available for IP anonymization?
    • We have approximately 2,000 IP addresses available.
  6. Can the records be removed from the expired cards?
    • Yes, records can be removed upon request and per our data retention policy.
  7. What protective measures have been put in place against the possibility of a DDoS attack?
    • Typical measures include a WAF, powered by AWS, and DDoS mitigation at Layer 3.
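
Because a request whose Host matches but whose PathInfo or filters do not is forwarded unmodified with no error, the backend is the place to notice a raw card number that slipped through. The following is an added example, not VGS code: the function names are hypothetical, the "tok_" prefix is taken from the token samples on this page, and the payloads are constructed from the common flow above. Note that an FPE 6_T_4 token is Luhn-valid by design, so this check cannot tell it from a real PAN; only the UUID format is distinguishable by shape.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def classify(value: str) -> str:
    """Label one string value as it arrives at the backend."""
    value = value.strip()
    if value.startswith("tok_"):
        return "uuid-token"
    if PAN_RE.fullmatch(value) and luhn_ok(re.sub(r"[ -]", "", value)):
        # A raw PAN that passed through unmodified, or an FPE 6_T_4 token:
        # the two cannot be told apart by shape.
        return "pan-shaped"
    return "other"


def audit(payload, path=""):
    """Walk decoded JSON; return (path, label) for each token or PAN-shaped string."""
    findings = []
    if isinstance(payload, dict):
        for key, val in payload.items():
            findings += audit(val, f"{path}.{key}" if path else key)
    elif isinstance(payload, list):
        for i, val in enumerate(payload):
            findings += audit(val, f"{path}[{i}]")
    elif isinstance(payload, str):
        label = classify(payload)
        if label != "other":
            findings.append((path, label))
    return findings


if __name__ == "__main__":
    # Constructed payloads, using the values from the flow described on this page.
    redacted = {"name": "Joe Doe", "card": "tok_abcd1234"}
    passed_through = {"name": "Joe Doe", "card": "4111-1111-1111-1111"}
    print(audit(redacted))
    print(audit(passed_through))
```

On a route that is expected to use UUID tokens, any "pan-shaped" finding on the backend side means the route did not match and should be treated as an alert.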


  1. Which compliance certifications does VGS have?
    • PCI DSS Level 1. See the Visa PCI Service Provider List here.

Public IP addresses for VGS Platform


  1. What to do if a customer loses their MFA and gets locked out of their account:
    • The customer contacts support;
    • The support team resets their MFA;
    • Next time the customer logs in, they are shown the set-up QR code.
  2. What to do if the MFA password is constantly incorrect:
    • Sync the time on your mobile phone;
    • Try logging in via incognito mode to sync with server time.