- Know when the iframe is ready.
- Validate the form programmatically from your page.
- Submit the form programmatically.
- Receive tokenization results without a page redirect.
- Resize the iframe dynamically based on form content.
- Intercept card details before tokenization for custom approval logic.
Setup
Add thepostMessageHost parameter to your iframe URL. Set it to your page’s origin (URL-encoded):
Events from the Iframe
Field-level validation events are also sent as JSON objects with
{field, validationResult} for each field as the user interacts with the form.
Commands to the Iframe
Your page can send commands to the iframe:Receiving Results via PostMessage
To receive tokenization results via postMessage instead of a redirect, addsubmitWithPostMessage=true to your iframe URL. On success, the iframe sends a CardSubmitSuccess message containing the token details. On failure, it sends CardSubmitFailure with the error.
Dynamic Iframe Resizing
When the form content changes (e.g. validation errors appear), the iframe sendsframeDimensionsChanged:{width}:{height}. Use this to resize the iframe:
Custom Validation
Custom validation lets your page inspect card details before tokenization and approve or reject the submission. Enable it by addinguseCustomValidation=true to the iframe URL.
When the cardholder submits the form, the iframe pauses tokenization and sends a CustomValidation message with masked card details:
Approving
Rejecting
Use Cases
- Restrict accepted card types or BIN ranges before tokenization.
- Check card details against your business rules (e.g. reject corporate cards, enforce expiry minimums).
- Log or audit card submissions before they are tokenized.
Next Steps
Hosted Card Entry Form
Set up the card entry form iframe.
Capture Cards Overview
All tokenization methods.
Stylesheets
Customize the look of your card entry form.
Card Entry Form Callback
API reference for form callback notifications.

