> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Token Replacement to sFTP

> Replace card tokens in a document and upload the result to an sFTP server.

<Card title="File Transfer Token Replacement Guide" icon="book" href="/use-tokens/file-transfer-token-replacement">
  Replace tokens with card data in SFTP file transfers
</Card>

Performs token replacement on a file and uploads the result directly to an SFTP server. Use this when you need to send batch files containing card data to a payment processor or partner that accepts SFTP delivery. PCI Booking replaces all card tokens in the file body with the real card data before uploading.

## Error Responses

| Code    | HTTP Status | Condition                                                              |
| ------- | ----------- | ---------------------------------------------------------------------- |
| `-1003` | `401`       | Authorization token is missing or invalid.                             |
| `-125`  | `400`       | Invalid host format (e.g. multiple colons in the server address).      |
| `-125`  | `400`       | Invalid or missing Basic Auth credentials in the Authorization header. |
| `-125`  | `400`       | The requested filter name is not recognized.                           |
| `-125`  | `400`       | Token replacement could not be applied to the file content.            |
| `-1003` | `401`       | SFTP login failed (invalid server credentials).                        |
| `-160`  | `404`       | File upload failed on the remote server.                               |

## Parameter Constraints

* **serverAddress**: Format is `hostname` or `hostname:port`. Only one colon is allowed. Default port is 22.
* **filter**: Must be one of: `GBT`, `SIMPLECSV`, `SIMPLEJSON`, `AIR`, `IUR`, `TADC`, `CSV`. Case-insensitive.
* **Authorization header**: Must contain valid Basic Auth credentials (`username:password`) for the SFTP server.

## Parameters

### Authentication

<Warning>
  This is a browser-facing endpoint. Use one of the authentication methods below instead of the API key shown above.
</Warning>

<ParamField query="accessToken" type="string">
  Recommended. A long-lived token for browser-side calls. [How to generate](/getting-started/authentication#access-token).
</ParamField>

<ParamField query="sessionToken" type="string">
  Alternative. Valid for 5 minutes. [How to generate](/api-reference/general/start-temporary-session).
</ParamField>

If both are provided, the session token takes precedence.

### Path Parameters

<ParamField path="serverAddress" type="string" required>
  The sFTP server address. This can be an IP address or domain name. Add the port number with a colon if required. For example: `fsgatewaytest.aexp.com:22` or `10.200.1.10`.
</ParamField>

<ParamField path="folderPath" type="string" required>
  The folder path where the file should be uploaded to. This can be an individual folder or a full path.
</ParamField>

<ParamField path="fileName" type="string" required>
  The file name for the content being uploaded, including extension. For example: `PCIBTST.xml`.
</ParamField>

### Query String

<ParamField query="filter" type="string" required>
  Indicates the format of the file being sent. Read more on [Supported Formats](/reference/api-conventions).
</ParamField>

<ParamField query="timeout" type="string">
  The timeout, in seconds, for the sFTP server to respond.
</ParamField>

### Headers

<ParamField header="X-PciBooking-carduri" type="string" required>
  Comma-separated token values to insert into the file. Tokens should be listed in the order of their appearance. For tokens appearing multiple times, include the number of occurrences in square brackets.
</ParamField>

<ParamField header="Authorization" type="string" required>
  The authorization parameter used to authenticate to the sFTP server.
</ParamField>

<ParamField header="Content-Encoding" type="string">
  Supported compression formats: `gzip` and `deflate`. Omit this header if no compression is needed.
</ParamField>

### Request Body

The request body contains the raw file content as text. PCI Booking replaces any token placeholders with real card data (based on the `filter` format), then uploads the result to the sFTP server.

<RequestExample>
  ```javascript Node.js theme={null}
  const response = await fetch(
    'https://service.pcibooking.net/api/sftp/sftp.gateway.com:22/uploads/batch/PCIBTST.xml?filter=GBT',
    {
      method: 'PUT',
      headers: {
        'Authorization': 'Basic dXNlcm5hbWU6cGFzc3dvcmQ=',
        'X-PciBooking-carduri': 'tok_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4,tok_f6e5d4c3b2a1f6e5d4c3b2a1f6e5d4c3[2]',
        'Content-Type': 'text/plain'
      },
      body: '<CardData>\n  <Card1>{{CardNo}}</Card1>\n  <Card2>{{CardNo}}</Card2>\n</CardData>'
    }
  );

  console.log(response.status);
  ```

  ```python Python theme={null}
  import requests

  response = requests.put(
      'https://service.pcibooking.net/api/sftp/sftp.gateway.com:22/uploads/batch/PCIBTST.xml',
      params={'filter': 'GBT'},
      headers={
          'Authorization': 'Basic dXNlcm5hbWU6cGFzc3dvcmQ=',
          'X-PciBooking-carduri': 'tok_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4,tok_f6e5d4c3b2a1f6e5d4c3b2a1f6e5d4c3[2]',
          'Content-Type': 'text/plain'
      },
      data='<CardData>\n  <Card1>{{CardNo}}</Card1>\n  <Card2>{{CardNo}}</Card2>\n</CardData>'
  )

  print(response.status_code)
  ```
</RequestExample>

## Response

<ResponseExample>
  ```text 204 theme={null}
  File uploaded successfully. No content returned.
  ```

  ```json 400 theme={null}
  {
      "code": -125,
      "message": "Bad input data",
      "moreInfo": "...",
      "errorList": null
  }
  ```

  ```json 401 theme={null}
  {
      "code": -1003,
      "message": "Not authorized to access this resource",
      "moreInfo": "Bad or missing authorization data, expected Temp Session or One-Time Access Token",
      "errorList": null
  }
  ```
</ResponseExample>
