Skip to main content
POST
/
pg
/
tokens
curl --request POST \
  --url https://api-pacb-uat.eximpe.com/pg/tokens/ \
  --header 'Content-Type: application/json' \
  --header 'X-API-Version: <api-key>' \
  --header 'X-Client-ID: <api-key>' \
  --header 'X-Client-Secret: <api-key>' \
  --header 'X-Merchant-ID: <api-key>' \
  --data '
{
  "identifier": "USER_PS_001",
  "card_number": "5506900480000008",
  "nickname": "HDFC Regalia Credit Card",
  "cardholder_name": "Priya Sharma",
  "expiry_month": 5,
  "expiry_year": 2030,
  "network": "mastercard",
  "card_type": "credit_card"
}
'
{
  "success": true,
  "message": "Card details saved successfully",
  "data": {
    "card_label": "HDFC Regalia Credit Card",
    "card_token": "c8a28bca2021ead49124"
  }
}

Overview

The Save Card endpoint allows you to securely save card details for future transactions. Card information is tokenized and stored securely, ensuring PCI compliance while enabling seamless repeat transactions. When you save a card, the system generates a unique card_token that can be used for future payments without requiring the customer to re-enter their card details.

Key Features

🔒 Security First

  • Card numbers are immediately tokenized and never stored in plain text
  • PCI DSS compliant tokenization process
  • Secure token-based card management

📱 Customer Consent

  • Explicit cardholder consent verification required
  • Compliance with data protection regulations

🏷️ Card Organization

  • Optional card nickname for easy identification
  • Support for multiple card types (Credit Card, Debit Dard)
  • Network identification (VISA, MASTERCARD, AMEX, etc.)

Required Parameters

ParameterTypeDescription
identifierstringUnique identifier for the card owner (customer ID, user ID, etc.)
card_numberstringFull card number (will be tokenized immediately)
cardholder_namestringName as it appears on the card
expiry_monthintegerCard expiry month (1-12)
expiry_yearintegerCard expiry year (YYYY format)
networkstringCard network (visa, mastercard, amex, discover, rupay)
card_typestringType of card (credit_card, debit_card)
nicknamestringCustom name for easy card identification

Conditional Parameters

ParameterTypeDescription
authorization_reference_numberstringRequired for Rupay and AMEX cards only - See details below

Authorization Reference Number Details

The authorization_reference_number parameter is mandatory for specific card networks:

Rupay Cards

  • Required: Yes
  • Value: The authorization reference number received during the authorization call of Rupay card transactions
  • Note: Authentication reference number will be sent by the PG in the authorization response. Currently, this check is skipped by Rupay

AMEX Cards

  • Required: Yes
  • Value: The AEVV (American Express Verification Value) received during authorization call of AMEX card transactions
  • Note: American Express Verification Value will be sent by the PG in the authorization response

Other Networks (VISA, MASTERCARD, DISCOVER)

  • Required: No
  • Value: This parameter should not be included for other card networks

Response

The API returns a tokenized representation of the saved card:
  • card_label: Display-friendly card label
  • card_token: Unique token for future transactions

Usage Examples

Saving a Credit Card

{
  "identifier": "customer_12345",
  "card_number": "4111111111111111",
  "nickname": "My VISA Card",
  "cardholder_name": "John Doe",
  "expiry_month": 12,
  "expiry_year": 2030,
  "network": "visa",
  "card_type": "credit_card"
}

Saving a Debit Card

{
  "identifier": "customer_67890",
  "card_number": "5506900480000008",
  "nickname": "Business Debit",
  "cardholder_name": "Jane Smith",
  "expiry_month": 8,
  "expiry_year": 2029,
  "network": "mastercard",
  "card_type": "debit_card"
}

Saving a Rupay Card (with Authorization Reference)

{
  "identifier": "customer_98765",
  "card_number": "6521123456789012",
  "nickname": "Rupay Debit",
  "cardholder_name": "Raj Patel",
  "expiry_month": 6,
  "expiry_year": 2031,
  "network": "rupay",
  "card_type": "debit_card",
  "authorization_reference_number": "AUTH_REF_789012345"
}

Saving an AMEX Card (with AEVV)

{
  "identifier": "customer_54321",
  "card_number": "378282246310005",
  "nickname": "AMEX Business",
  "cardholder_name": "Sarah Johnson",
  "expiry_month": 10,
  "expiry_year": 2032,
  "network": "amex",
  "card_type": "credit_card",
  "authorization_reference_number": "AEVV_ABC123DEF456"
}

Security Notes

  • Immediate Tokenization: Card numbers are tokenized as soon as they’re received
  • No Plain Text Storage: Full card numbers are never stored in our systems
  • Token Uniqueness: Each saved card gets a unique, non-reversible token

Error Handling

Common Error Responses

400 - Validation Error

When required fields are missing or invalid: 
{
  "success": false,
  "error": {
    "type": "validation_error",
    "errors": [
      {
        "code": "invalid",
        "detail": "This field is required.",
        "attr": "card_number"
      }
    ]
  }
}

Multiple Validation Errors

{
  "success": false,
  "error": {
    "type": "validation_error",
    "errors": [
      {
        "code": "invalid",
        "detail": "This field is required.",
        "attr": "cardholder_name"
      },
      {
        "code": "invalid",
        "detail": "Invalid card number format.",
        "attr": "card_number"
      },
      {
        "code": "invalid",
        "detail": "Authorization reference number is required for Rupay cards.",
        "attr": "authorization_reference_number"
      }
    ]
  }
}

Authorization Reference Number Missing (Rupay/AMEX)

{
  "success": false,
  "error": {
    "type": "validation_error",
    "errors": [
      {
        "code": "invalid",
        "detail": "Authorization reference number is required for Rupay cards.",
        "attr": "authorization_reference_number"
      }
    ]
  }
}

401 - Authentication Error

{
  "success": false,
  "error": {
    "code": "ERR_AUTH_000",
    "message": "Missing credentials",
    "details": {
      "authentication": "Missing credentials."
    }
  }
}

Error Response Structure

Status CodeError TypeDescription
400Validation ErrorMissing or invalid request parameters
401Authentication ErrorInvalid or missing credentials
403Authorization ErrorInsufficient permissions
409Conflict ErrorCard already exists or duplicate identifier
500Server ErrorInternal system error

Best Practices

  1. Always Verify Consent: Ensure customers explicitly consent before saving cards
  2. Use Descriptive Nicknames: Help customers identify their cards easily
  3. Validate Card Details: Verify card information before saving
  4. Handle Errors Gracefully: Implement proper error handling for failed saves
  5. Secure Transmission: Always use HTTPS for card data transmission

Next Steps

After saving a card successfully:
  1. Store the returned card_token securely
  2. Use the token for future order creation
  3. Allow customers to manage their saved cards
  4. Implement card deletion when customers request it

Authorizations

X-Client-ID
string
header
required

Client Application ID - Your unique application identifier used to authenticate API requests. You can find your Client ID in the Developer Settings section of the merchant dashboard.

X-Client-Secret
string
header
required

Client Secret Key - Your secret key used alongside the Client ID for secure authentication. Keep this confidential and never expose it in client-side code. Available in the Developer Settings section of the merchant dashboard.

X-Merchant-ID
string
header
required

Merchant Identifier - The unique ID for the merchant account. This is required for PSP (Payment Service Provider) merchants who manage multiple merchant accounts. You can find merchant IDs in the Merchant Management section of the dashboard.

X-API-Version
string
header
required

API Version - Specifies which version of the API to use (e.g., '1.X.X', '2.X.X', or '3.X.X'). This header allows you to control which API version your integration uses. Default version information is available in the Developer Settings.

Body

application/json

Card details to save

identifier
string
required

Unique identifier for the card owner

card_number
string
required

Card number (will be tokenized and securely stored)

Pattern: ^[0-9]{13,19}$
cardholder_name
string
required

Name on the card

expiry_month
integer
required

Card expiry month (1-12)

Required range: 1 <= x <= 12
expiry_year
integer
required

Card expiry year (YYYY format)

Required range: x >= 2024
network
enum<string>
required

Card network

Available options:
visa,
mastercard,
amex,
discover,
rupay
card_type
enum<string>
required

Type of card

Available options:
credit_card,
debit_card
nickname
string

Card nickname for easy identification

authorization_reference_number
string

Conditional parameter required for specific card networks: For Rupay cards - the authorization reference number received during authorization call. For AMEX cards - the AEVV (American Express Verification Value) received during authorization call. This parameter is mandatory for Rupay and AMEX cards only.

Response

Card saved successfully

success
boolean
required

Indicates if the request was successful

message
string
required

Response message

data
object
required