Proxy Service
The proxy lets you send payment requests to your PSP (Stripe, Elavon, etc.) without your servers ever seeing raw card data. You send a token (and optional CVC session ID), the request body with placeholders like${cardNumber}, and the proxy injects the real card data and forwards the request to the PSP.
Card and bank payment flows both use the proxy to send tokenized data to your processor. See Card Payments and Bank Payments for the full journey (API, Elements, or Checkout).
How it works
- Your backend calls POST /proxy/transaction with a
token,proxy_url(PSP endpoint), andrequest_datacontaining placeholders. - Vault detokenizes the card and replaces placeholders (
${cardNumber},${expirationMonth},${expirationYear},${cvv}) in the body. - Vault forwards the request to the PSP with your
http_headers(e.g. PSP API key). - The PSP response is returned to you. Your server never sees the card number or CVV.
Why use the proxy
- PCI — You don’t handle card data; scope stays with Vault and the PSP.
- Security — No PAN or CVV in your logs or memory.
- Simplicity — One call: token + placeholders + PSP URL.
Endpoint and formats
- Endpoint:
POST /proxy/transaction - Content types: JSON, form-encoded, or XML — see JSON, Form-encoded, XML.
- CVC: If you need to send CVV, tokenize with
cvvand pass the returnedcvc_session_idin the proxy request. See CVC sessions.
Next steps
- JSON requests — Most common format.
- CVC sessions — Using CVV in proxy calls.