Server-Side Tokenization
Tokenization in Response
Route a request through PCI Booking to a third party. PCI Booking intercepts the response, tokenizes card data, masks the details, and returns the sanitized response.
POST
Tokenization on Response Guide
Automatically tokenize cards from gateway responses
All URLs must be HTTPS and URL-encoded.
Error Responses
Parameter Constraints
Parameters
Authentication
Recommended. A long-lived token for browser-side calls. How to generate.
Alternative. Valid for 5 minutes. How to generate.
Query String
The unique ID for the profile set up for the response you will receive for this request. You can set up as many profiles as you require. Read more about target profiles.
The URI of the third party to relay the request to. PCI Booking sends your request to this endpoint and intercepts the response.
The HTTP method that PCI Booking should use when calling the target URI. Possible values:
POST, GET, PUT, PATCH, DELETE.The number of seconds PCI Booking should wait for a response from the third party.
Whether to save the CVV in the database.
true: save the CVV. false: discard the CVV.A reference value which can be used to query for this card token.
The user ID of the property to associate the token with. Found under “Property settings” in the user’s site.
The user ID of the PCI Booking customer (booker ID) to associate the token with. The PCI Booking customer must share their user ID with you.
Controls whether PCI Booking checks if the card already exists as a token in your account.
true: PCI Booking looks up the card in your stored tokens. If a match is found, the existing token URI is returned instead of creating a new one. The response status will be200instead of201.false(default): A new token is always created, even if the same card was previously stored.
Request Body
The request body and headers are passed through to the third party as-is. Include any body content and headers that the third party requires.
Response
200 - The card already exists in your account (wheneliminateCardDuplication is true). The response body contains the third-party response with card details masked. The existing token URI is returned in the X-pciBooking-cardUri header.
201 - A new card was tokenized. The response body contains the third-party response with card details masked. The new token URI is returned in the X-pciBooking-cardUri header.
Remember to set the CVV Retention Policy on the token.

