Skip to main content
POST
Token Replacement in Request

Token Replacement Guide

Replace tokens with card data in API requests
This is PCI Booking’s core proxy feature. Instead of processing payments through PCI Booking’s gateway integrations, you send the exact API request your third-party system expects, with token placeholders where card data should go. PCI Booking swaps in the real card data and forwards the request transparently, so the third party receives a normal API call with real card details while you never handle sensitive data.

Error Responses

Parameter Constraints

  • cardToken must contain a valid card URI with a 32-hex token.
  • targetUri is required.
  • httpMethod defaults to POST. Accepted values: POST, GET, PUT, PATCH, DELETE.
  • postResponseAction accepts ClearCVV or DeleteToken.
All URLs must be HTTPS. URL-encode all query string components.

Parameters

Authentication

This is a browser-facing endpoint. Use one of the authentication methods below instead of the API key shown above.
accessToken
string
Recommended. A long-lived token for browser-side calls. How to generate.
sessionToken
string
Alternative. Valid for 5 minutes. How to generate.
If both are provided, the session token takes precedence.

Query String

cardToken
string
required
The token URI identifying the card in PCI Booking.
targetURI
string
required
The HTTPS URL of the third party to relay the request to.
httpMethod
string
required
The HTTP method to use when calling the target URI. One of: POST, GET, PUT, PATCH, DELETE.
profileName
string
The ID of a target profile configured for this request. If omitted, PCI Booking uses placeholder-based replacement instead.
contentParam
string
For placeholder-based replacement: the key containing card data in form-data or query string. Ignored if profileName is provided. If omitted, PCI Booking searches the request body for placeholders.
postResponseAction
string
Action to perform after a successful relay. ClearCVV clears the CVV from the token. DeleteToken deletes the token entirely. If omitted, no action is taken.
timeout
int
Seconds to wait for the third-party response before timing out.

Headers

Content-Encoding
string
Compression format: gzip or deflate. Omit if no compression is needed.

Request Body

The request body is relayed to the third party as-is, with token placeholders replaced by real card data. Structure it as required by the third party’s API.

Request Example

Send a JSON payment request to a third-party API, with PCI Booking replacing the card placeholders with real data before forwarding:
PCI Booking replaces the {{CardNo}}, {{ExpMonth}}, {{ExpYear}}, {{Cvv}}, and {{NameOnCard}} placeholders with the actual card data from the token before forwarding the request to api.thirdparty.com. To use a target profile (pre-configured replacement rules) instead of inline placeholders:

Response

200 - The third-party response, relayed back as-is.
Consider adding business logic based on the CVV retention policy status after a token replacement request.