The tokenization SDK of PCI Proxy EU allows development teams to integrate PCI DSS compliance directly into application code, without building security infrastructure from scratch. Available for the three most popular backend languages (Node.js, Python and PHP), the SDK handles authentication, encryption in transit and error handling, leaving only the business logic to the developer. This article shows the main integration patterns with concrete examples.
PCI Proxy EU SDK: structure and authentication
The SDK exposes a singleton client that is initialised with the API key and the environment (sandbox or production). Authentication uses a Bearer token sent in the Authorization header on every HTTP request to PCI Proxy EU endpoints. The client automatically retries transient errors (timeout, 429 rate limit) with exponential backoff and raises typed exceptions for permanent errors such as token not found or expired card.
Package structure follows each language's conventions: CommonJS/ESM modules for Node.js, PyPI package for Python, Composer package for PHP. Each release is signed and publishes an SBOM (Software Bill of Materials) to facilitate compliance with supply chain security policies. The changelog documents breaking changes and PCI requirements updates.
Tokenization in Node.js: practical example
In a Node.js backend with Express, the typical flow involves receiving the token generated by the frontend hosted field, calling the client.charge(token, amount, currency) method and handling the response. The SDK returns a structured object with the authorisation outcome, transaction identifier and metadata needed for reconciliation. In case of decline, the response includes the ISO decline code and a localised message.
For recurring payments, the client.detokenize(token) method retrieves a reference to the valid PAN for a single charge to the processor. The reference is single-use and expires after a few seconds, preventing it from being reused by an attacker intercepting the call. The developer never receives the PAN in cleartext: they receive only the temporary reference that the proxy uses internally.
Python and PHP: the same features, the same simplicity
The Python SDK follows the conventions of the requests library and supports both synchronous and asynchronous usage via asyncio. Initialisation happens with PCIProxyClient(api_key=os.environ["PCI_PROXY_KEY"]), and all methods accept native Python dictionaries for parameters. Error handling uses exceptions from the PCIProxyError hierarchy, with subclasses for authentication, validation and network errors.
For PHP, the Composer package automatically installs the Guzzle HTTP dependencies. The client uses PSR-7 and PSR-18 interfaces, making it compatible with any framework following PHP-FIG standards, from Laravel to Symfony. Methods are documented with complete PHPDoc and the package includes type stubs for IDEs. In both languages, moving from sandbox to production requires only setting the environment variable to the production key.
Frequently asked questions
Is the SDK open source?
The SDK source code is available on GitHub under MIT licence. Anyone can inspect the implementation, report issues and propose pull requests. The vault core and encryption remain server-side at PCI Proxy EU, but the client code the developer uses in their application is completely transparent and auditable.
How do I handle tokenization errors in the SDK?
Each SDK method can raise typed exceptions corresponding to specific error categories. Network errors and timeouts are automatically handled by the retry mechanism. Semantic errors like invalid card or expired token are propagated with standardised codes and messages that allow returning an appropriate message to the customer without exposing internal technical details.
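One way to turn typed exceptions into a customer-safe response, as an added example that is not code from PCI Proxy EU or its SDK. Only the PCIProxyError name and the charge(token, amount, currency) call come from this article; the subclass names, the code attribute, the transaction_id key and the error codes are assumptions, and the classes are local stand-ins so the example runs offline.

```python
import logging
import uuid

log = logging.getLogger("payments")

# Stand-ins so the example runs offline. Only the PCIProxyError base name comes
# from the article; the subclass names and the `code` attribute are assumptions.
class PCIProxyError(Exception):
    def __init__(self, message, code=None):
        super().__init__(message)
        self.code = code

class AuthenticationError(PCIProxyError): pass
class ValidationError(PCIProxyError): pass
class NetworkError(PCIProxyError): pass

# Customer-facing text per error code (constructed codes, not the SDK's own).
PUBLIC_MESSAGES = {
    "card_expired": "This card has expired. Please use a different card.",
    "token_not_found": "Your payment session ended. Please enter your card again.",
}
GENERIC = "We could not process the payment. Please try again later."

def charge_safely(client, token, amount, currency):
    """Call client.charge and return (http_status, body) safe to send to the browser."""
    try:
        result = client.charge(token, amount, currency)
        # "transaction_id" is an assumed key name for the transaction identifier.
        return 200, {"status": "ok", "transaction": result["transaction_id"]}
    except PCIProxyError as exc:
        if isinstance(exc, ValidationError):
            # Card or token problem: allow-listed message, unknown codes fall back.
            status, message = 402, PUBLIC_MESSAGES.get(exc.code, GENERIC)
        elif isinstance(exc, NetworkError):
            status, message = 503, GENERIC  # the SDK's own retries are already exhausted
        else:
            # AuthenticationError and anything else is an operator-side fault.
            status, message = 500, GENERIC
        ref = uuid.uuid4().hex[:12]  # correlation id linking response and log line
        # Log class and code only: str(exc) and the token never leave this function.
        log.error("charge failed ref=%s type=%s code=%s", ref, type(exc).__name__, exc.code)
        return status, {"status": "error", "message": message, "ref": ref}

class FakeClient:
    """Constructed test double: raises or returns whatever it was built with."""
    def __init__(self, outcome):
        self.outcome = outcome
    def charge(self, token, amount, currency):
        if isinstance(self.outcome, Exception):
            raise self.outcome
        return self.outcome
```

Support staff can look up the ref value from the response in the logs, so the exception text itself never has to reach the customer.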
Does the SDK support detokenization for recurring charges?
The detokenization method is designed specifically for recurring payments and subscriptions. The token is created once during the first payment or card registration phase, then reused for each subsequent charge without the customer needing to re-enter their data. The token has no default expiry, but can be configured with an explicit expiry date to respect company policies.
Ready to integrate the tokenization SDK in your stack? Access the documentation and sandbox and go to production in days. Discover PCI Proxy EU.