Integrate in hours
REST API, official SDKs and a full sandbox. You connect checkout or backend: we tokenise card data and return a token. From sandbox to production in days.
One call, one token
You send card data once. We reply with a token your servers can store safely.
{ "token": "tok_pci_eu_a1b2…", "last_four": "1111" } Charge with the token
Use the token at checkout or renewals. Card data stays in our vault.
{ "status": "authorized", "transaction_id": "txn_9f8…" } Events to your server
We notify you when a token is created or used. Signature verified with HMAC.
{ "event": "token.created", "token": "tok_pci_eu_…" } Sandbox in Minutes
Full API access. No credit card required.
REST + 5 SDKs
Versioned API with OpenAPI specification.
Reduced PCI scope
Your servers see only tokens, never card data.
REST API Documentation
Clean, versioned REST API. You authenticate, send JSON, receive JSON. Every endpoint is idempotent and every error includes an ID for debugging.
/v1/tokenize Scope: tokenize cURL Request
curl -X POST https://api.pci-proxy.eu/v1/tokenize \
-H "Authorization: Bearer sk_live_..." \
-d '{
"card_number": "4111111111111111",
"expiry": "12/26",
"cvv": "123"
}' Response 200 OK
{
"token": "tok_pci_eu_a1b2c3d4e5f6",
"last_four": "1111",
"brand": "visa",
"expires_at": "2026-12-31",
"request_id": "req_7g8h9i0j"
} /v1/forward Scope: forward cURL Request
curl -X POST https://api.pci-proxy.eu/v1/forward \
-H "Authorization: Bearer sk_live_..." \
-d '{
"token": "tok_pci_eu_a1b2c3d4e5f6",
"target_url": "https://psp.example.com/charge",
"amount": 9900,
"currency": "EUR"
}' Response 200 OK
{
"status": "authorized",
"transaction_id": "txn_9f8e7d6c",
"amount": 9900,
"currency": "EUR",
"psp_response_code": "00"
} Full
Sandbox
Environment
100%
API Parity with Production
Every endpoint, error code and webhook behaves identically in sandbox and production.
Test Cards
4111 1111 1111 1111 5555 5555 5555 4444 4000 0000 0000 0002 Official SDKs for Every Stack
Install, pass the API key, tokenise. Every library handles authentication, retry, error mapping and type safety out of the box.
Install
npm install @pci-proxy-eu/js import PCIProxy from '@pci-proxy-eu/js';
const pci = new PCIProxy({ merchantId: 'mrc_xyz789', apiKey: 'sk_live_...', env: 'sandbox' });
const result = await pci.tokenize({ cardNumber: '4111111111111111', expiry: '12/26' });
console.log(result.token); // tok_pci_eu_test_a1b2c3d4e5f6 Install
pip install pci-proxy-eu from pci_proxy_eu import Client
client = Client(merchant_id="mrc_xyz789", api_key="sk_live_...", environment="sandbox")
result = client.tokenize(card_number="4111111111111111", expiry="12/26")
print(result.token) # tok_pci_eu_test_a1b2c3d4e5f6 Install
composer require pci-proxy-eu/sdk use PCIProxyEU\Client;
$client = new Client(merchantId: 'mrc_xyz789', apiKey: 'sk_live_...', environment: 'sandbox');
$result = $client->tokenize(['card_number' => '4111111111111111', 'expiry' => '12/26']);
echo $result->token; // tok_pci_eu_test_a1b2c3d4e5f6 Webhook Integration + DX
Real-time HMAC-SHA256 notifications, exponential backoff and a complete developer-friendly ecosystem for production-grade builds.
token.created New token generated token.used Token forwarded to PSP token.expired Token expired (TTL) token.deleted Token removed on request forward.success PSP responded 2xx forward.failure PSP returned error import crypto from 'crypto';
// Verify HMAC-SHA256 signature
app.post('/webhooks/pci', (req, res) => {
const sig = req.headers['x-pci-signature'];
const expected = crypto
.createHmac('sha256', process.env.WEBHOOK_SECRET)
.update(req.body).digest('hex');
if (sig !== `sha256=${expected}`)
return res.status(401).send('Invalid signature');
const event = JSON.parse(req.body);
res.status(200).send('OK');
}); Developer-Friendly Features
Idempotency
On every write - retry without duplicating charges.
RFC 7807 Errors
Structured problem details, machine-readable.
Request Tracing
X-Request-Id on every response for distributed tracing.
Rate Limits
Real-time X-RateLimit-* headers.
OpenAPI 3.1
Download the spec, generate clients in any language.
Postman Collection
Pre-configured sandbox and prod environments.
Webhook Retry Policy
Start Building with PCI Proxy
Explore the architecture behind the API or see how merchants and PSPs put it to work.