> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Card By Link Webhook

> PCI Booking sends a POST request to your callback URL each time the status of a Card By Link request changes.

<Card title="Card By Link Guide" icon="book" href="/capture-cards/card-by-link">
  Send secure card capture links via email or SMS
</Card>

When you create a Card By Link request with a `CallBackURL`, PCI Booking sends a POST request to that URL each time the request status changes. Your endpoint must accept the following payload.

## Callback Payload

```json theme={null}
{
  "RequestID": "uC1efRTOpU4p3hmhH7fbY3J6A9LYL3j5",
  "LastNotifiedStatus": "CardStored",
  "LastNotifiedTime": "2017-12-19T20:07:32"
}
```

<ParamField body="RequestID" type="string">
  The unique identifier for the Card By Link request.
</ParamField>

<ParamField body="LastNotifiedStatus" type="string">
  The current status of the request. Possible values:

  | Channel     | Value              | Description                                          |
  | ----------- | ------------------ | ---------------------------------------------------- |
  | Email / SMS | `MessageQueued`    | Message was added to the PCI Booking queue.          |
  | SMS only    | `MessageSent`      | The message was sent to the recipient.               |
  | SMS only    | `MessageFailed`    | Message delivery to the recipient failed.            |
  | SMS only    | `MessageDelivered` | Message was successfully delivered to the recipient. |
  | Email / SMS | `FormViewed`       | Recipient viewed the capture form.                   |
  | Email / SMS | `CardStored`       | Card was captured and tokenized successfully.        |
  | Email / SMS | `LinkExpired`      | The link to the capture form has expired.            |
  | Email / SMS | `StoreFailed`      | Capture form submission failed.                      |
</ParamField>

<ParamField body="LastNotifiedTime" type="string">
  Timestamp of the status change (ISO 8601 format).
</ParamField>

## What to Do on `CardStored`

Once you receive a callback with `LastNotifiedStatus: CardStored`, call [Retrieve Request](/api-reference/tokenize-cards/cotp-retrieve-request) to get the full request details including the `CardUri` (token URL).

<Warning title="CVV capture requests">
  For CVV-only requests, PCI Booking creates a **new token** that is a full copy of the original card details plus the captured CVV. The original token is not modified and does not contain the CVV. You should delete the original token if it is no longer needed, otherwise it will continue to incur monthly storage fees.
</Warning>

<Info>
  Remember to set the [CVV Retention Policy](/capture-cards/cvv-retention-policy) on the token once `CardStored` is received.
</Info>

## Expected Response

Your callback endpoint must return **200 OK** to acknowledge receipt.
