How Tokenization Works
Tonder tokenizes each card field individually rather than creating a single token for the entire card. This means:
- Each sensitive field (card number, CVV, expiration month, etc.) receives its own unique token
- Tokens must be used in their corresponding fields when making payment requests
- Tokens are not interchangeable between fields
Authentication Flow
Before using this endpoint, you must:
- Get an access token using the Get Tokenization Access Token endpoint
- Use the access token in the `X-Skyflow-Authorization` header for this request
- Use the tokens in payment requests via the Process Transaction endpoint
Security Requirements
PCI Compliance
Before using tokenization in production:
- Submit PCI DSS compliance documentation
- Complete security questionnaire
- Undergo security review process
- Receive production endpoint access approval
Best Practices
- Use immediately: Send card data for tokenization immediately after collection
- Don’t store raw data: Never store unencrypted card data on your servers
- Secure transmission: Always use HTTPS for all tokenization requests
- Token storage: Safely store the returned tokens for future payment processing
Field Requirements
All card fields are required for tokenization:

| Field | Format | Description |
|---|---|---|
| card_number | 13-19 digits | The complete card number without spaces or dashes |
| cardholder_name | String (max 255 chars) | Name as it appears on the card |
| cvv | 3-4 digits | Card security code |
| expiration_month | MM format | Two-digit month (01-12) |
| expiration_year | YYYY format | Four-digit year |
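
The format rules in the table can be checked before a tokenization request is sent. The following is an added example, not Tonder's code: the function name `validate_card_fields` is hypothetical and the sample values are constructed. It reports only field names, never the submitted values, so a rejected payload does not leak card data into logs.

```python
import re

# Format rules transcribed from the Field Requirements table.
# [0-9] is used instead of \d so non-ASCII digits are rejected.
_PATTERNS = {
    "card_number": re.compile(r"[0-9]{13,19}"),      # no spaces or dashes
    "cvv": re.compile(r"[0-9]{3,4}"),
    "expiration_month": re.compile(r"0[1-9]|1[0-2]"),  # MM, 01-12
    "expiration_year": re.compile(r"[0-9]{4}"),      # YYYY
}
_NAME_MAX_CHARS = 255
REQUIRED_FIELDS = (
    "card_number",
    "cardholder_name",
    "cvv",
    "expiration_month",
    "expiration_year",
)


def validate_card_fields(fields):
    """Return (field, problem) pairs; an empty list means the payload fits the table.

    Problems identify the field only and never echo the value.
    """
    problems = []
    for name in REQUIRED_FIELDS:
        value = fields.get(name)
        if not isinstance(value, str) or value == "":
            problems.append((name, "missing or not a string"))
        elif name == "cardholder_name":
            if len(value) > _NAME_MAX_CHARS:
                problems.append((name, "longer than 255 characters"))
        elif not _PATTERNS[name].fullmatch(value):
            problems.append((name, "wrong format"))
    return problems


# Constructed sample input (not real card data).
SAMPLE_OK = {
    "card_number": "4111111111111111",
    "cardholder_name": "Example Cardholder",
    "cvv": "123",
    "expiration_month": "09",
    "expiration_year": "2030",
}
```
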
Response Format
The response contains individual tokens for each field:

Important: Each field is tokenized separately. Use each individual token in the corresponding field when making payment requests. The tokens are not interchangeable between fields.

