POST /proxy/transaction
Send a request to your payment processor (PSP) with card data injected from a token. Your server never sees raw card data. Supports JSON, form-encoded, and XML bodies. For JSON, send token, cvc_session_id, and proxy_url in the body; for form/XML you may also send them via the headers X-Token, X-Proxy-URL, and X-CVC-Session-ID (or in query/form).
Request
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| token | string | Yes | Token to use |
| cvc_session_id | string | No | CVC session for CVV (if tokenized with CVV) |
| proxy_url | string | Yes | Full PSP endpoint URL (HTTPS) |
| request_data | object | Yes | Request body with placeholders (see below) |
| http_headers | object | No | Headers to send (e.g. PSP API key) |
| http_method | string | No | HTTP method (default: POST) |
Placeholders in request_data
Replaced with real card data before the request is sent:
| Placeholder | Value |
|---|---|
| ${cardNumber} | Full card number |
| ${expirationMonth} | 2-digit month (01–12) |
| ${expirationYear} | 2- or 4-digit year |
| ${cvv} or ${cvc} | Security code (if cvc_session_id provided) |
${accountNumber}, ${routingNumber}.
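A client-side pre-flight check for the request body described above, as an added example (not the service's own code): it rejects a non-HTTPS proxy_url, placeholders outside the documented set, ${cvv}/${cvc} without a cvc_session_id, and Luhn-valid digit runs that would mean a raw card number reached your server. The PSP field names in the sample are constructed, and treating a missing cvc_session_id as an error is a local policy assumption.

```python
import json
import re
from urllib.parse import urlparse

# Placeholder names documented on this page.
KNOWN = {"cardNumber", "expirationMonth", "expirationYear",
         "cvv", "cvc", "accountNumber", "routingNumber"}
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")
PAN_LIKE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # card-number-length digit runs

# Constructed sample request_data; field names are not a real PSP's schema.
SAMPLE = {"amount": 1999, "card": {"number": "${cardNumber}", "cvc": "${cvv}",
          "exp_month": "${expirationMonth}", "exp_year": "${expirationYear}"}}


def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def build_proxy_body(token, proxy_url, request_data, cvc_session_id=None):
    """Validate inputs and return the JSON body for POST /proxy/transaction."""
    url = urlparse(proxy_url)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("proxy_url must be a full HTTPS URL")
    text = json.dumps(request_data)         # scan keys and values in one pass
    used = set(PLACEHOLDER.findall(text))
    if used - KNOWN:
        raise ValueError(f"unknown placeholders: {sorted(used - KNOWN)}")
    if used & {"cvv", "cvc"} and not cvc_session_id:
        raise ValueError("${cvv}/${cvc} used without cvc_session_id")
    # Conservative check: a Luhn-valid order ID of this length is also flagged.
    if any(luhn_ok(m) for m in PAN_LIKE.findall(text)):
        raise ValueError("request_data appears to contain a raw card number")
    body = {"token": token, "proxy_url": proxy_url, "request_data": request_data}
    if cvc_session_id:
        body["cvc_session_id"] = cvc_session_id
    return body
```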
Response
200 OK
Proxy returns the PSP response wrapped:
Error responses
| Status | Example message |
|---|---|
| 400 | Invalid proxy URL |
| 404 | Token not found, CVC session expired or not found |
| 502 | Failed to proxy request (upstream error) |
| 504 | Request timeout |
Delete CVC session
DELETE /proxy/delete-cvc-session/ — Delete a CVC session by UUID (e.g. after a successful transaction). Auth: API key. Response: { "success": true, "message": "CVC session deleted!" }. Production CVC sessions have a 90-second TTL and are deleted after use in proxy; use this endpoint to delete explicitly when needed (e.g. test sessions).
See Status codes and Common errors.