Token Replacement in Request
Token Replacement
Token Replacement in Request
Replace card tokens with real card data and relay the request to a third-party API.
POST
Token Replacement in Request
Token Replacement Guide
Replace tokens with card data in API requests
Error Responses
Parameter Constraints
- cardToken must contain a valid card URI with a 32-hex token.
- targetUri is required.
- httpMethod defaults to POST. Accepted values: POST, GET, PUT, PATCH, DELETE.
- postResponseAction accepts
ClearCVVorDeleteToken.
All URLs must be HTTPS. URL-encode all query string components.
Parameters
Authentication
Recommended. A long-lived token for browser-side calls. How to generate.
Alternative. Valid for 5 minutes. How to generate.
Query String
The token URI identifying the card in PCI Booking.
The HTTPS URL of the third party to relay the request to.
The HTTP method to use when calling the target URI. One of:
POST, GET, PUT, PATCH, DELETE.The ID of a target profile configured for this request. If omitted, PCI Booking uses placeholder-based replacement instead.
For placeholder-based replacement: the key containing card data in form-data or query string. Ignored if
profileName is provided. If omitted, PCI Booking searches the request body for placeholders.Action to perform after a successful relay.
ClearCVV clears the CVV from the token. DeleteToken deletes the token entirely. If omitted, no action is taken.Seconds to wait for the third-party response before timing out.
Headers
Compression format:
gzip or deflate. Omit if no compression is needed.Request Body
The request body is relayed to the third party as-is, with token placeholders replaced by real card data. Structure it as required by the third party’s API.Request Example
Send a JSON payment request to a third-party API, with PCI Booking replacing the card placeholders with real data before forwarding:- curl
- Node.js
- Python
{{CardNo}}, {{ExpMonth}}, {{ExpYear}}, {{Cvv}}, and {{NameOnCard}} placeholders with the actual card data from the token before forwarding the request to api.thirdparty.com.
To use a target profile (pre-configured replacement rules) instead of inline placeholders:
- curl
- Node.js
- Python
Response
200 - The third-party response, relayed back as-is.Consider adding business logic based on the CVV retention policy status after a token replacement request.

