# Lookup Identifiers
source: https://developer.mastercard.com/user-account-management-service/documentation/use-cases/lookup-identifiers/index.md

## Retrieve tokens and sensitive identifiers {#retrieve-tokens-and-sensitive-identifiers}

During onboarding, the assigned Solution Engineer will recommend which sensitive identifier should be stored in your system based on the specific needs of your program. For maximum flexibility, storing a PCI-sensitive identifier (such as BCN or BAN) may be advised. In other cases, a non-PCI identifier (such as RANAC or RANCU) might be more appropriate.

This section explains how to exchange sensitive identifiers with their token counterparts and vice versa. Some services may require specific token identifiers to perform certain actions (such as handling a lost or stolen card). The sequence diagram illustrates how to retrieve the correct identifiers based on these scenarios.

### Pre-requisites {#pre-requisites}

Following are the pre-requisites for the customer to use this endpoint:

Refer to payload encryption in [Use Cases](https://developer.mastercard.com/user-account-management-service/documentation/use-cases/index.md)

### Sequence Diagram {#sequence-diagram}

Diagram lookup-identifiers

##### Following are the execution steps: {#following-are-the-execution-steps}

1. The cardholder signs into the customer application.
2. The customer authenticates the cardholder.
3. The customer sends the signed or encrypted request to the User Account Management for the tokens and sensitive identifiers.
   * The lookup identifiers request requires the following mandatory input parameters:
     * userId - Unique identifier of the user.
     * userIdType - Identifier type for the given user.
4. The Mastercard API Gateway validates the customer's information and routes the request to the User Account Management in the case of a valid customer.
5. The User Account Management Service validates the request received through the `/users/references/searches` endpoint.
6. The User Account Management Service retrieves the tokens and sensitive identifiers.
7. The User Account Management Service sends an encrypted response with sensitive identifiers (200), if the request has optional parameter `includeSensitiveIdentifiers` set to true.
8. The User Account Management Service includes primary account details in the response, if the request has optional parameter `includeOnlyPrimary` set to true.
9. The User Account Management Service includes only accounts that belong to the program, if the request has optional parameter `programIdentifier` is sent in the request.
10. The User Account Management Service sends a response with a status code of 4xx/5xx in case of an invalid request.

You will receive an error response for an invalid request or any missing request parameter. In that case, you need to update the input and perform step 3 again.

### Endpoint {#endpoint}


API Reference: `POST /users/references/searches`

Note: For more information about the error codes, refer to the [Code and Formats](https://developer.mastercard.com/user-account-management-service/documentation/code-and-formats/index.md) section.