> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Token Replacement in Response

> Extract card data from third-party responses and replace with tokens before the data reaches your systems.

Token Replacement in Response lets you send card data to a third party without making the outbound call yourself. PCI Booking sits as a gateway in front of your API. When a third party sends a request, your API processes it and responds with tokens. PCI Booking replaces the tokens with real card data before relaying the response back to the sender.

This is the mirror of [Tokenization on Request](/capture-cards/tokenization-on-request) in the Capture Cards section. Both use the same gateway infrastructure, but in opposite directions: Tokenization on Request tokenizes card data in the third party's inbound request, while Token Replacement in Response detokenizes tokens in your outbound response.

## How It Works

1. **PCI Booking sets up a gateway endpoint**. The gateway is configured with your SSL certificate and a custom site name. Third parties send their requests to this gateway URL instead of directly to your API.
2. **Third party sends a request**. The request arrives at the PCI Booking gateway.
3. **Request forwarded to your API**. PCI Booking relays the request to your API endpoint (with optional [tokenization of inbound card data](/capture-cards/tokenization-on-request)).
4. **Your API responds with tokens**. Your API processes the request and includes card tokens in the response body.
5. **Token replacement**. PCI Booking parses your response, retrieves the real card data for each token, and substitutes it into the response body.
6. **Response relayed to sender**. The third party receives the response with real card data. Your systems never handled raw card details.

## Bi-Directional: Tokenize and Detokenize in One Call

The same gateway can handle both directions simultaneously:

* **Inbound**: Tokenize card data in the third party's request before it reaches your API ([Tokenization on Request](/capture-cards/tokenization-on-request)).
* **Outbound**: Replace tokens in your API's response with real card data before relaying back to the sender (this page).

This means a single gateway endpoint can keep card data off your systems in both directions.

## Target Profiles

The gateway uses a [target profile](/account-setup/target-profiles) to know where tokens appear in your response and how to replace them. Each profile includes [content filters](/account-setup/content-filters) that define the location of card fields in the message. The PCI Booking support team configures this as part of the gateway setup.

## Setting Up the Gateway

Gateway setup is done by the PCI Booking support team. Contact [support@pcibooking.net](mailto:support@pcibooking.net) with:

* Your PCI Booking username.
* The target URI where requests should be relayed to (your API endpoint).
* How to identify which responses contain tokens that need replacement.
* A sample of your response structure (XML or JSON) showing where tokens appear.

<Info>
  If you already have a [Tokenization on Request](/capture-cards/tokenization-on-request) gateway set up, the same gateway can be enhanced to also perform token replacement on the response. Contact support to enable it.
</Info>

## Use Cases

* Sending card details back to a booking platform or OTA that originally sent you the reservation.
* Responding to a channel manager's request with card data for payment processing on their end.
* Any scenario where a third party expects real card data in your API response.

## Next Steps

<CardGroup cols={2}>
  <Card title="Token Replacement in Request" icon="book" href="/use-tokens/token-replacement-in-request">
    The forward direction: you send requests to a third party through PCI Booking.
  </Card>

  <Card title="File Transfer Token Replacement" icon="book" href="/use-tokens/file-transfer-token-replacement">
    Send card data via SFTP/FTPS.
  </Card>

  <Card title="Use Tokens Overview" icon="book" href="/use-tokens/overview">
    All detokenization methods.
  </Card>
</CardGroup>
