POST /tokenize

Create a token from sensitive card or bank account data. Card data can include an optional CVV, which is stored in a separate CVC session (90-second TTL; deleted after use in proxy). Auth: X-Pub-Key and X-API-Key (or JWT). Both headers are required for tokenize. For testing you can use this pub key: pk_prod_jys4le1jgncomgda_L8HbeakKLNRWdBXoX5A6QJUYOlhUkNle. Do not use this test pub key in production or with sensitive card data. For a production pub key, contact ammar@ozura.com. Get an X-API-Key by creating an account at Ozura Vault.

Request

{
  "type": "card",
  "data": {
    "cardNumber": "4111111111111111",
    "expirationMonth": "12",
    "expirationYear": "2025",
    "cvv": "123"
  }
}

Request body

Field	Type	Required	Description
`type`	string	Yes	`"card"` or `"bank"`
`data.cardNumber`	string	Yes (card)	13–19 digit card number
`data.expirationMonth`	string	Yes (card)	2-digit month (01–12)
`data.expirationYear`	string	Yes (card)	2- or 4-digit year
`data.cvv`	string	No	3–4 digit security code
`data.cvc`	string	No	Alias for `cvv`

CVV/CVC handling

If cvv or cvc is provided: stored in a separate CVC session, 90-second TTL, deleted after use in proxy; response includes cvc_session_id.
If omitted: no CVC session; no cvc_session_id in response; CVC cannot be used in proxy.

For long-lived test CVC sessions (e.g. 1-year), use POST /test-tokens.

Response

201 Created

{
  "success": true,
  "token": "tok_a1b2c3d4e5f6g7h8i9j0",
  "mask": {
    "card_number": "411111******1111"
  },
  "cvc_session_id": "550e8400-e29b-41d4-a716-446655440000",
  "bin": "411111"
}

Field	Type	Description
`success`	boolean	Request success
`token`	string	Token identifier
`data`	object	Masked payload (e.g. `number`, `expiration_month`, `expiration_year`) for display
`mask.card_number`	string	Masked card for display
`cvc_session_id`	string	Present if CVV was sent
`bin`	string	First 6 digits (BIN)
`fingerprint`	string	If deduplication enabled
`deduplicated`	boolean	If existing token was returned

Request may include optional maskingConfig for custom masking behavior.

Validation

Card number: 13–19 digits, Luhn valid; spaces/dashes stripped.
Expiration: month 01–12; year current or future.
CVV: 3 digits (Visa, MC, Discover), 4 (Amex).

Error responses

Status	Example message
400	`Invalid card number`, `Card has expired`, `Missing required field: cardNumber`
401	`Invalid API key`
403	Permission denied

See Status codes and Common errors.

Vault

​POST /tokenize

​Request

​Request body

​CVV/CVC handling

​Response

​201 Created

​Validation

​Error responses