Skip to main content
POST

Tokenization on Response Guide

Automatically tokenize cards from gateway responses
PCI Booking forwards your request to the third party, tokenizes any card data found in the response (using your target profile), and returns the sanitized response with the following custom headers:
All URLs must be HTTPS and URL-encoded.

Error Responses

Parameter Constraints

Parameters

Authentication

This is a browser-facing endpoint. Use one of the authentication methods below instead of the API key shown above.
accessToken
string
Recommended. A long-lived token for browser-side calls. How to generate.
sessionToken
string
Alternative. Valid for 5 minutes. How to generate.
If both are provided, the session token takes precedence.

Query String

profileName
string
required
The unique ID for the profile set up for the response you will receive for this request. You can set up as many profiles as you require. Read more about target profiles.
targetURI
string
required
The URI of the third party to relay the request to. PCI Booking sends your request to this endpoint and intercepts the response.
httpMethod
string
required
The HTTP method that PCI Booking should use when calling the target URI. Possible values: POST, GET, PUT, PATCH, DELETE.
timeout
int
The number of seconds PCI Booking should wait for a response from the third party.
saveCVV
boolean
default:"false"
Whether to save the CVV in the database. true: save the CVV. false: discard the CVV.
ref
string
A reference value which can be used to query for this card token.
MerchantId
string
The user ID of the property to associate the token with. Found under “Property settings” in the user’s site.
allowedUserId
string
The user ID of the PCI Booking customer (booker ID) to associate the token with. The PCI Booking customer must share their user ID with you.
eliminateCardDuplication
boolean
default:"false"
Controls whether PCI Booking checks if the card already exists as a token in your account.
  • true: PCI Booking looks up the card in your stored tokens. If a match is found, the existing token URI is returned instead of creating a new one. The response status will be 200 instead of 201.
  • false (default): A new token is always created, even if the same card was previously stored.

Request Body

The request body and headers are passed through to the third party as-is. Include any body content and headers that the third party requires.

Response

200 - The card already exists in your account (when eliminateCardDuplication is true). The response body contains the third-party response with card details masked. The existing token URI is returned in the X-pciBooking-cardUri header. 201 - A new card was tokenized. The response body contains the third-party response with card details masked. The new token URI is returned in the X-pciBooking-cardUri header.
Remember to set the CVV Retention Policy on the token.