Built for Developers
RESTful API, official SDKs, full sandbox and webhooks: a PCI-compliant API that delivers tokenisation as a service, including card-on-file tokenisation. From the PCI sandbox environment to production in hours.
Sandbox in Minutes
Full API access. No credit card required.
REST + 5 SDKs
Versioned API with OpenAPI specification.
PCI Scope Eliminated
Your servers see only tokens, never PANs.
REST API Documentation
Clean, versioned REST API. Authenticate, send JSON, receive JSON. Every endpoint is idempotent, every error returns a structured problem detail with tracing headers for debugging.
/v1/tokenize Scope: tokenize cURL Request
curl -X POST https://api.pci-proxy.eu/v1/tokenize \
-H "Authorization: Bearer sk_live_..." \
-d '{
"card_number": "4111111111111111",
"expiry": "12/26",
"cvv": "123"
}'Response 200 OK
{
"token": "tok_pci_eu_a1b2c3d4e5f6",
"last_four": "1111",
"brand": "visa",
"expires_at": "2026-12-31",
"request_id": "req_7g8h9i0j"
}/v1/forward Scope: forward cURL Request
curl -X POST https://api.pci-proxy.eu/v1/forward \
-H "Authorization: Bearer sk_live_..." \
-d '{
"token": "tok_pci_eu_a1b2c3d4e5f6",
"target_url": "https://psp.example.com/charge",
"amount": 9900,
"currency": "EUR"
}'Response 200 OK
{
"status": "authorized",
"transaction_id": "txn_9f8e7d6c",
"amount": 9900,
"currency": "EUR",
"psp_response_code": "00"
}Full
Sandbox
Environment
100%
API Parity with Production
Every endpoint, error code and webhook behaves identically in sandbox and production.
Test Cards
4111 1111 1111 1111 5555 5555 5555 4444 4000 0000 0000 0002 Official SDKs for Every Stack
Install, pass the API key, tokenise. Every library handles authentication, retry, error mapping and type safety out of the box.
npm install @pci-proxy-eu/js import PCIProxy from '@pci-proxy-eu/js';
const pci = new PCIProxy({ merchantId: 'mrc_xyz789', apiKey: 'sk_live_...', env: 'sandbox' });
const result = await pci.tokenize({ cardNumber: '4111111111111111', expiry: '12/26' });
console.log(result.token); // tok_pci_eu_test_a1b2c3d4e5f6pip install pci-proxy-eu from pci_proxy_eu import Client
client = Client(merchant_id="mrc_xyz789", api_key="sk_live_...", environment="sandbox")
result = client.tokenize(card_number="4111111111111111", expiry="12/26")
print(result.token) # tok_pci_eu_test_a1b2c3d4e5f6composer require pci-proxy-eu/sdk use PCIProxyEU\Client;
$client = new Client(merchantId: 'mrc_xyz789', apiKey: 'sk_live_...', environment: 'sandbox');
$result = $client->tokenize(['card_number' => '4111111111111111', 'expiry' => '12/26']);
echo $result->token; // tok_pci_eu_test_a1b2c3d4e5f6Webhook Integration + DX
Real-time HMAC-SHA256 notifications, exponential backoff and a complete developer-friendly ecosystem for production-grade builds.
token.created New token generated token.used Token forwarded to PSP token.expired Token expired (TTL) token.deleted Token removed on request forward.success PSP responded 2xx forward.failure PSP returned error import crypto from 'crypto';
// Verify HMAC-SHA256 signature
app.post('/webhooks/pci', (req, res) => {
const sig = req.headers['x-pci-signature'];
const expected = crypto
.createHmac('sha256', process.env.WEBHOOK_SECRET)
.update(req.body).digest('hex');
if (sig !== `sha256=${expected}`)
return res.status(401).send('Invalid signature');
const event = JSON.parse(req.body);
res.status(200).send('OK');
});Developer-Friendly Features
Idempotency
On every write - retry without duplicating charges.
RFC 7807 Errors
Structured problem details, machine-readable.
Request Tracing
X-Request-Id on every response for distributed tracing.
Rate Limits
Real-time X-RateLimit-* headers.
OpenAPI 3.1
Download the spec, generate clients in any language.
Postman Collection
Pre-configured sandbox and prod environments.
Webhook Retry Policy
Start Building with PCI Proxy
Explore the architecture behind the API or see how merchants and PSPs put it to work.