Server-Side Tokenization
Tokenize on Response Using Preset Profiles
Send a request through a pre-configured PCI Booking profile to a third party. PCI Booking intercepts the response, tokenizes card data, and returns the sanitized response.
POST
Universal Tokenization Guide
Tokenize cards from any source using preset profiles
Error Responses
Parameter Constraints
- ProfileName: Must match an existing profile name (see Get Tokenization Profiles).
- pathSegments: Required if the profile’s target URL has dynamic path segments. Provide key-value pairs in query string format.
- eliminateCardDuplication: When
true, a200status indicates the card already existed;201means a new token was created.
Parameters
Authentication
Recommended. A long-lived token for browser-side calls. How to generate.
Alternative. Valid for 5 minutes. How to generate.
Path Parameters
The name of the profile as returned from the Get Tokenization Profiles method.
Query String
Dynamic path segments to append to the profile’s target URL. Some third-party endpoints include dynamic values in the URL path (e.g.
https://ws.mydomain.com/{customerName}). The Get Tokenization Profiles response lists the required path segments for each profile.Query string parameters to append to the profile’s target URL. Some third-party endpoints require additional parameters (e.g.
?param1=value1¶m2=value2). Provide the full query string as needed.Whether to save the CVV in the database.
true: save the CVV. false: discard the CVV.A reference value which can be used to query for this card token.
The user ID of the property to associate the token with. Found under “Property settings” in the user’s site.
Controls whether PCI Booking checks if the card already exists as a token in your account.
true: PCI Booking looks up the card in your stored tokens. If a match is found, the existing token URI is returned instead of creating a new one. The response status will be200instead of201.false(default): A new token is always created, even if the same card was previously stored.
Request Body
The request body and headers are passed through to the third party as-is. Include any body content and headers that the third party requires.
Response
200 - The card already exists in your account (wheneliminateCardDuplication is true). The response body contains the third-party response with card details masked. The existing token URI is returned in the X-pciBooking-cardUri header.
201 - A new card was tokenized. The response body contains the third-party response with card details masked. The new token URI is returned in the X-pciBooking-cardUri header.
Remember to set the CVV Retention Policy on the token.

