Headers

| Header | Description |
| --- | --- |
| X-API-Key | The Vault API key, provided via body.vaultApiKey |
| X-Token | The Ozura card token, provided via body.ozuraCardToken |
| X-CVC-Session-ID | The Ozura CVC session token, provided via body.ozuraCvcSession |
| X-Proxy-URL | The target processor API URL. This should come from environment variables using the format [processor]ApiUrl. Note that test and production servers typically have different URLs. |

Proxy Target URL

Send all proxied requests to the Vault tokenize endpoint:

| Environment | URL |
| --- | --- |
| Staging | https://pci-vault-staging-drc0duhcakf4g4fr.eastus-01.azurewebsites.net/tokenize |
| Production | https://api.ozuravault.com/tokenize |

This URL is available in the Pay API via environment variables.

Card Data Placeholders

Since the Pay API never handles raw card data, you must use the following placeholder strings in your request body wherever the processor expects card data. The Ozura Vault will replace these placeholders with the actual values before forwarding the request to the processor.

| Placeholder | Replaced With | Format |
| --- | --- | --- |
| cardNumberPlaceholder | Full card number | |
| cvvPlaceholder | CVV/CVC code | |
| expirationMonthPlaceholder | Expiration month | 2 digits (e.g., 04 for April) |
| expirationYearPlaceholder | Expiration year | 4 digits (e.g., 2029) |
| expirationYearPlaceholder2 | Expiration year | 2 digits (e.g., 29) |

Use whichever expiration year placeholder matches the format your processor expects.

Example: Proxied Request Body

Below is an example of a JSON request body structured for a processor that expects card data. Notice how placeholder strings are used in place of real card values:
{
  "amount": amountTotal,
  "currency": currency,
  "paymentOption": {
    "card": {
      "cardNumber": "cardNumberPlaceholder",
      "cardHolderName": "<billingFirstName> <billingLastName>",
      "expirationMonth": "expirationMonthPlaceholder",
      "expirationYear": "expirationYearPlaceholder2",
      "CVV": "cvvPlaceholder"
    }
  },
  "billingAddress": {
    "firstName": "<billingFirstName>",
    "lastName": "<billingLastName>",
    "email": "<billingEmail>",
    "country": "<billingCountry>"
  }
}
The structure of the request body itself will vary between processors. The example above is for illustration only. Refer to your specific processor’s API documentation to build the correct request body structure — just make sure to use the placeholder strings wherever card data is expected.
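
A pre-flight guard for the "never raw card data" rule, as an added example that is not part of the original page or Ozura's own code: it assembles the proxied request from the headers listed above and rejects any payload containing a Luhn-valid 13 to 19 digit string. The function names, the `vaultTokenizeUrl` variable, the `acme` processor and the sample values are assumptions.

```javascript
// Added example; names marked "assumed" are not from the original page.
// Luhn checksum, used to spot strings that look like a real card number.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Walk the payload and return the paths of values that look like raw card numbers.
function findRawCardData(value, path = "$") {
  if (value !== null && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) => findRawCardData(v, `${path}.${k}`));
  }
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits) ? [path] : [];
}

// Build (but do not send) the request for the Vault tokenize endpoint.
// env.vaultTokenizeUrl is an assumed variable name; env[`${processor}ApiUrl`]
// follows the [processor]ApiUrl format described on the page.
function buildVaultProxyRequest(body, processorPayload, env, processor) {
  const leaks = findRawCardData(processorPayload);
  if (leaks.length) throw new Error(`raw card data at ${leaks.join(", ")}`);
  const target = env[`${processor}ApiUrl`];
  if (!target || !env.vaultTokenizeUrl) throw new Error("missing URL in environment");
  return {
    url: env.vaultTokenizeUrl,
    headers: {
      "X-API-Key": body.vaultApiKey,
      "X-Token": body.ozuraCardToken,
      "X-CVC-Session-ID": body.ozuraCvcSession,
      "X-Proxy-URL": target,
    },
    body: JSON.stringify(processorPayload),
  };
}

// Constructed sample input: the Vault URL is the production URL from the page;
// everything else is made up ("acme" is a hypothetical processor).
const sampleBody = { vaultApiKey: "vault-key-example", ozuraCardToken: "card-token-example", ozuraCvcSession: "cvc-session-example" };
const sampleEnv = { vaultTokenizeUrl: "https://api.ozuravault.com/tokenize", acmeApiUrl: "https://processor.example/v1/sale" };
const samplePayload = { amount: 1999, currency: "USD", paymentOption: { card: {
  cardNumber: "cardNumberPlaceholder", expirationMonth: "expirationMonthPlaceholder",
  expirationYear: "expirationYearPlaceholder2", CVV: "cvvPlaceholder" } } };
const sampleRequest = buildVaultProxyRequest(sampleBody, samplePayload, sampleEnv, "acme");
```

The Luhn scan only catches card numbers; CVV and expiration values are too short to detect this way, so review still has to confirm those fields carry placeholders. The error message reports the offending path, not the value, so a rejected payload does not leak into logs.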

Summary Checklist

When building a new processor-specific card sale function, confirm the following:
Function accepts the standardized input object (body + credentials)
Step 1: Card Auth is proxied through Ozura Vault
CVV response code is validated (must be a match)
AVS response code is validated (must meet acceptable criteria)
Step 2: BIN Lookup is proxied through Ozura Vault
Surcharge is calculated before taxes (if card is surchargeable)
Sales tax is calculated only when salesTaxExempt === false and billingCountry === CountryCode.US
Step 3: Card Sale is proxied through Ozura Vault using the final calculated amountTotal
All card data fields use Vault placeholder strings (never raw card data)
Processor API URL is sourced from environment variables
Function returns the standardized response object with all required fields
fullProcessorResponse contains the complete raw processor response