> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Token Replacement in Request

> Intercept outbound HTTP requests and replace card tokens with real card data before forwarding to the destination.

Token Replacement in Request lets you send an HTTP request through PCI Booking as a transparent proxy. PCI Booking replaces card tokens in your request with real card data, forwards the request to the destination, and returns the response. Your systems never handle sensitive card details.

This is the mirror of [Tokenization on Response](/capture-cards/tokenization-on-response) in the Capture Cards section. Both use the same forward proxy infrastructure, but in opposite directions: Tokenization on Response tokenizes card data in the third party's response, while Token Replacement in Request detokenizes tokens in your outbound request.

## How It Works

1. Your system sends an HTTP request to the PCI Booking relay endpoint, specifying the destination URL and including card tokens in the request body.
2. PCI Booking validates the destination against your account's **allowed endpoints** (relay restrictions).
3. PCI Booking retrieves the real card data for each token and substitutes it into the request body.
4. The modified request is forwarded to the destination with the real card data.
5. The destination's response is returned to your system.

## Supported Content Types

PCI Booking detects the content type automatically and applies the appropriate replacement engine:

| Content Type                                          | Engine          | Notes                                   |
| ----------------------------------------------------- | --------------- | --------------------------------------- |
| `application/json`                                    | JSON (JSONPath) | Supports nested objects and arrays.     |
| `text/xml`, `application/xml`, `application/soap+xml` | XML (XPath)     | Supports SOAP envelopes and namespaces. |
| `application/x-www-form-urlencoded`                   | Form-encoded    | Key-value pair replacement.             |
| Query string parameters                               | Query string    | Token replacement in URL parameters.    |

## Bi-Directional: Tokenization on the Way Back

The same proxy call can also tokenize card data in the destination's response. If your profile is configured for it, PCI Booking extracts card data from the response, tokenizes it, and returns tokens to you instead of raw card numbers. See [Tokenization on Response](/capture-cards/tokenization-on-response) for details on setting up profiles for this.

When tokenization on response is active, the response includes:

| Header                               | Description                                                                                  |
| ------------------------------------ | -------------------------------------------------------------------------------------------- |
| `X-PciBooking-cardUri`               | Token URI(s) for cards extracted from the response. Multiple tokens are semicolon-separated. |
| `X-PciBooking-Tokenization-Errors`   | Error details if tokenization failed for any card.                                           |
| `X-PciBooking-Tokenization-Warnings` | Warnings from the tokenization process.                                                      |

## Target Profiles

Instead of specifying replacement rules in every request, you configure a [target profile](/account-setup/target-profiles) once per third-party message format and reference it by name. Each profile includes [content filters](/account-setup/content-filters) that define where card fields appear in the message, plus optional client certificates for mutual TLS.

## Security

* **Relay restrictions**. Your account can be configured with an endpoint whitelist. Requests to destinations not on the list are rejected. Contact support or use the Admin portal to manage your allowed endpoints.
* **Client certificates**. Target profiles can include [client certificates](/account-setup/client-certificates) for mutual TLS authentication with the destination.
* **Timeout**. Relay requests have a default timeout of 60 seconds.

## Next Steps

<CardGroup cols={2}>
  <Card title="Token Replacement in Response" icon="book" href="/use-tokens/token-replacement-in-response">
    The reverse direction: third parties send requests to your API through PCI Booking.
  </Card>

  <Card title="File Transfer Token Replacement" icon="book" href="/use-tokens/file-transfer-token-replacement">
    Send card data via SFTP/FTPS.
  </Card>

  <Card title="Use Tokens Overview" icon="book" href="/use-tokens/overview">
    All detokenization methods.
  </Card>
</CardGroup>
