> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Duplicate Token

> Create a copy of an existing token, optionally adding a CVV and specifying property association and creator reference.

<Card title="Update Card Data Guide" icon="book" href="/manage-tokens/update-card-data">
  Modify expiration dates and creator references on tokens
</Card>

Once the `Duplicate Token` method has been completed successfully, a new card token will be created and the token URI will be returned in the response header `Location`.

The result of this process would be that there are two card tokens in PCI Booking for the same card.
**It is your responsibility** to [delete](/api-reference/manage-tokens/delete-token) one of them to avoid getting charged for storage on both tokens.

## Error Responses

| Code  | HTTP Status | Condition                                                  |
| ----- | ----------- | ---------------------------------------------------------- |
| -179  | 400         | CVV provided but does not match `^\d{3,4}$`                |
| -160  | 404         | Card URI is invalid or card not found                      |
| -1003 | 401         | User is not the owner and is not associated with this card |

## Parameter Constraints

| Parameter | Type   | Required | Constraints                                         |
| --------- | ------ | -------- | --------------------------------------------------- |
| cardUri   | string | Yes      | Must contain a valid 32-character hexadecimal token |
| cvv       | string | No       | If provided, must match `^\d{3,4}$` (3 or 4 digits) |

<Note>This endpoint is rate limited.</Note>

## Parameters

### Headers

<ParamField header="Authorization" type="string" required>
  Your API key prefixed with `APIKEY`. Example: `APIKEY your-api-key`. For server-to-server calls.
</ParamField>

<Accordion title="Alternative: Browser-Side Authentication">
  This endpoint also accepts token-based authentication via query parameters:

  | Method                         | Details                                                                                                             |
  | ------------------------------ | ------------------------------------------------------------------------------------------------------------------- |
  | **Access Token** (recommended) | `accessToken` query param. [How to generate](/getting-started/authentication#access-token).                         |
  | **Session Token**              | `sessionToken` query param. [How to generate](/api-reference/general/start-temporary-session). Valid for 5 minutes. |

  If multiple methods are provided, precedence: Session Token > Access Token > API Key.
</Accordion>

### Query String

<ParamField query="cardUri" type="string" required>
  The card URI (resource identifier for the card location within PCI Booking). For example, `https://service.pcibooking.net/api/payments/paycard/865ed8bec1f84366b97112a69cdbf915`. The card URI should be URL encoded.
</ParamField>

<ParamField query="cvv" type="string">
  Security code, as returned from the iFrame or other sources. If not provided, the new token will not contain any CVV.
</ParamField>

<ParamField query="ref" type="string">
  A reference value that can be used to query for this card token.
</ParamField>

<ParamField query="merchant" type="string">
  The Property's Username (user ID) found within PCI Booking (under "Property settings") which has been given permission to view the card. The owner (Booker) always has permission to view the card.
</ParamField>

<RequestExample>
  ```javascript Node.js theme={null}
  const params = new URLSearchParams({
    cardUri: 'https://service.pcibooking.net/api/payments/paycard/865ed8bec1f84366b97112a69cdbf915',
    cvv: '123',
    ref: 'booking-12345',
    merchant: 'hotel-sunrise'
  });

  const response = await fetch(
    `https://service.pcibooking.net/api/payments/paycard/duplicate?${params}`,
    {
      method: 'POST',
      headers: {
        'Authorization': 'APIKEY your-api-key'
      }
    }
  );

  const newTokenUri = response.headers.get('Location');
  console.log('New token URI:', newTokenUri);
  ```

  ```python Python theme={null}
  import requests

  response = requests.post(
      'https://service.pcibooking.net/api/payments/paycard/duplicate',
      headers={'Authorization': 'APIKEY your-api-key'},
      params={
          'cardUri': 'https://service.pcibooking.net/api/payments/paycard/865ed8bec1f84366b97112a69cdbf915',
          'cvv': '123',
          'ref': 'booking-12345',
          'merchant': 'hotel-sunrise'
      }
  )

  new_token_uri = response.headers.get('Location')
  print('New token URI:', new_token_uri)
  ```
</RequestExample>

## Response

**200** - Card duplicated. A `Location` header is returned with the new token URI.

<Info>
  Remember to set the [CVV Retention Policy](/capture-cards/cvv-retention-policy) on the new token if it includes a CVV.
</Info>

<ResponseExample>
  ```xml 200 theme={null}
  <?xml version='1.0' encoding='utf-8'?>
  <BankCard>
      <Type>Visa</Type>
      <Number>491891******5005</Number>
      <NameOnCard>Juan Dela Cruz</NameOnCard>
      <ExpirationDate>
          <Month>07</Month>
          <Year>2020</Year>
      </ExpirationDate>
      <IssueNumber>2</IssueNumber>
  </BankCard>
  ```

  ```json 401 theme={null}
  {
      "code": -1003,
      "message": "Not authorized to access this resource",
      "moreInfo": "Bad or missing authorization data, expected APIKEY or Temp Session or One-Time Accesss Token",
      "errorList": null
  }
  ```
</ResponseExample>
