Skip to main content
POST
/
tokenization
Tokenize Card Data
curl --request POST \
  --url https://stage.tonder.io/api/v1/tokenization/ \
  --header 'Content-Type: application/json' \
  --header 'X-Skyflow-Authorization: <api-key>' \
  --data '
{
  "card_number": "4242424242424242",
  "cardholder_name": "John Doe",
  "cvv": "123",
  "expiration_month": "07",
  "expiration_year": "2025"
}
'
{
  "card_number": "9230-0892-4469-1474",
  "cardholder_name": "c05d89b2-299c-4f93-b49a-42be00d3b64b",
  "cvv": "d31f0da3-0ed3-4ad8-8b68-14c2669a99a7",
  "expiration_month": "e401a32e-4174-424f-9688-727005f6a80e",
  "expiration_year": "bd9ccc23-3d00-4109-9626-fc6581389063"
}
Due to PCI DSS requirements, your company must share relevant attestation documents before Tonder activates production endpoint access. Contact your Tonder representative for compliance requirements.
The X-Skyflow-Authorization header needs to be in the following format:X-Skyflow-Authorization: <ACCESS_TOKEN_FROM_TOKENIZATION_AUTH>
Securely tokenize sensitive card data using Tonder’s vault service. This endpoint converts each card field into individual tokens that can be safely stored and used for payment processing.

How Tokenization Works

Tonder tokenizes each card field individually rather than creating a single token for the entire card. This means:
  • Each sensitive field (card number, CVV, expiration month, etc.) receives its own unique token
  • Tokens must be used in their corresponding fields when making payment requests
  • Tokens are not interchangeable between fields

Authentication Flow

Before using this endpoint, you must:
  1. Get an access token using the Get Tokenization Access Token endpoint
  2. Use the access token in the X-Skyflow-Authorization header for this request
  3. Use the tokens in payment requests via the Process Transaction endpoint

Security Requirements

PCI Compliance

Before using tokenization in production:
  • Submit PCI DSS compliance documentation
  • Complete security questionnaire
  • Undergo security review process
  • Receive production endpoint access approval

Best Practices

  • Use immediately: Send card data for tokenization immediately after collection
  • Don’t store raw data: Never store unencrypted card data on your servers
  • Secure transmission: Always use HTTPS for all tokenization requests
  • Token storage: Safely store the returned tokens for future payment processing

Field Requirements

All card fields are required for tokenization:
FieldFormatDescription
card_number13-19 digitsThe complete card number without spaces or dashes
cardholder_nameString (max 255 chars)Name as it appears on the card
cvv3-4 digitsCard security code
expiration_monthMM formatTwo-digit month (01-12)
expiration_yearYYYY formatFour-digit year

Response Format

The response contains individual tokens for each field: 
{
  "card_number": "9230-0892-4469-1474",        // Token for card number
  "cardholder_name": "c05d89b2-299c-4f93-b49a-42be00d3b64b", // Token for cardholder name
  "cvv": "d31f0da3-0ed3-4ad8-8b68-14c2669a99a7",             // Token for CVV
  "expiration_month": "e401a32e-4174-424f-9688-727005f6a80e", // Token for expiration month
  "expiration_year": "bd9ccc23-3d00-4109-9626-fc6581389063"  // Token for expiration year
}
Important: Each field is tokenized separately. Use each individual token in the corresponding field when making payment requests. The tokens are not interchangeable between fields.

Next Steps

For a complete step-by-step guide on using these tokens to process payments, see Create a Payment with Card Tokenization.

Authorizations

X-Skyflow-Authorization
string
header
required

Access token from /tokenization/auth/ endpoint

Body

application/json
card_number
string
required

The full card number (13-19 digits)

Example:

"4242424242424242"

cardholder_name
string
required

The name as it appears on the card

Maximum string length: 255
Example:

"John Doe"

cvv
string
required

Card security code (3-4 digits)

Example:

"123"

expiration_month
string
required

Card expiration month (MM format)

Example:

"07"

expiration_year
string
required

Card expiration year (YYYY format)

Example:

"2025"

Response

Card data tokenized successfully

card_number
string

Token representing the card number

Example:

"9230-0892-4469-1474"

cardholder_name
string

Token representing the cardholder name

Example:

"c05d89b2-299c-4f93-b49a-42be00d3b64b"

cvv
string

Token representing the CVV

Example:

"d31f0da3-0ed3-4ad8-8b68-14c2669a99a7"

expiration_month
string

Token representing the expiration month

Example:

"e401a32e-4174-424f-9688-727005f6a80e"

expiration_year
string

Token representing the expiration year

Example:

"bd9ccc23-3d00-4109-9626-fc6581389063"