Skip to main content
This quickstart walks through one common flow: capture a card using the hosted card entry form, inspect the token, and process a payment through the Universal Payment Gateway. This is one example. Each step has alternatives you can swap in depending on your use case: See Capture Cards Overview and Use Tokens Overview for the full list.

Step 1: Authenticate

Log in to your PCI Booking account and navigate to the API Keys section. Copy your API key. You will use it for server-to-server calls in the format:
The hosted card entry form runs in the cardholder’s browser, so it cannot use your API key directly. Instead, generate a temporary session token:
The response returns a session token as a plain string:
Save this token. you will pass it as a query parameter when building the card form URL in the next step.

Step 2: Tokenize a Card

Build a URL to the PCI Booking hosted card entry form. This URL is the src of an iframe you embed in your page. When the browser loads this URL, PCI Booking serves a secure card entry form directly to the cardholder. Card data never touches your servers. The URL includes the session token from Step 1 and your configuration as query parameters:
This example uses only a few basic parameters. The card entry form supports many additional options including custom styling, card type restrictions, CVV requirements, and more. See the full parameter reference for the complete list. Embed it in your page:
After the cardholder submits the form, PCI Booking tokenizes the card and redirects to your success URL with the token appended. You can also use a callback URL instead of redirect URLs.
There are other ways to tokenize cards: Card Entry Form Sessions, Card By Link, Payments Library, direct API storage, and more. See Capture Cards Overview.

Step 3: Retrieve Your Token

Confirm the card was stored by checking the token metadata. This includes the card brand, last four digits, expiration date, and the issuing bank and country. useful for routing decisions between PSPs.
The response includes the masked card number, expiry, card brand, and token metadata. You will never see the full card number through this endpoint.

Step 4: Use Your Token (Process a Payment)

Send the token through the Universal Payment Gateway (UPG). PCI Booking detokenizes the card and forwards it to your PSP. For testing, PCI Booking provides two built-in mock payment gateways: Mock gateways require no credentials and return instant responses. Use them to test your integration before connecting a real PSP.
PCI Booking replaces the token with real card data, sends it to the gateway, and returns the result. You never see the card. With NULLSuccess, the response will always be a successful charge. When you are ready for production, replace NULLSuccess with your real PSP name and credentials:
You can also store your PSP credentials in PCI Booking and pass a credentialsId query parameter instead of including credentials in every request. See Gateway Credentials.
Processing payments through the UPG is one way to use a token. You can also relay card data via HTTP, relay via file, or display the card. See Use Tokens Overview.

What’s Next