PCI Booking supports three authentication methods. Each builds on the API key and serves a different purpose.
API Key
Your API key is the foundation of all authentication. It grants unlimited, repeatable access and is used for most API calls. Pass it using either header format:
Both are equivalent. Use the API key for all server-to-server calls: processing payments, managing tokens, configuring credentials, querying data, and more.
Keep your API key secret. Never expose it in client-side code, public repositories, or logs. If a request originates from a browser or any client-facing context, use a Session Token or Access Token instead.
Session Token
A Session Token is generated from your API key via an API call. It is valid for 5 minutes and can be used for any API call during that time.
Generate a session token:
Response:
Use it as a query parameter on subsequent requests:
Session tokens are commonly used for browser-facing operations like the hosted card entry form, card display, and sFTP tokenization.
Access Token
An Access Token is generated locally using your API key and PCI Booking’s SSL certificate. Unlike the session token, no API call is needed to create it. It is valid for a configurable duration (1 to 60 minutes) and is single-use only.
How it works
- Download PCI Booking’s SSL certificate from
https://service.pcibooking.net/api
- Run the generation script locally (see code samples below)
- The script encrypts your API key + a unique ID + expiration time using the certificate’s public key
- The output is your access token
Pass it as a query parameter:
Code Samples
Comparison
Which should I use?
- Server-to-server calls (processing payments, managing tokens, configuring settings): use the API key
- Browser-facing operations (card entry form iframe, card display): use a Session Token or Access Token. Your API key must never be exposed to the browser.
- Need precise control over expiry and single-use guarantees: use an Access Token
- Quick integration for browser operations: use a Session Token (simpler, just one API call)