PCI Vault Logo
Capture

PCI Vault lets you capture data without having the data touch your own server at all.

To do this without compromising your passphrase or your authorization details, you can create a shareable unique endpoint. This endpoint can only be used for storing data in the vault, nothing else.

POST /capture/ Create a Capturing Endpoint

Create a temporary endpoint that you can share with others without compromising your passphrase. This endpoint will capture data that can later be decrypted with the same key that was used to create the endpoint.

We have a PCD web form that is ready-made to use this endpoint, you can get instructions here on how to use the Capture PCD form.

This endpoint can also auto-generate the form html for you. To do this, set the Accept header in your request to text/html. The generated form html will work out of the box and can be injected directly into your HTML.

Important: We store an encrypted version of the provided key in our database. This endpoint generates a secret necessary to decrypt the key and securely store the captured data. Anybody with the secret can use the generated endpoint to post data on your behalf. We do not store this secret. We recommend that you delete the endpoint after use.

(query)

The identifier for the key that will be used to encrypt submitted data.

(query)

The passphrase for the key that will be used to encrypt submitted data.

(query)

A unique name for the endpoint. The uniqueness is enforced across the entire vault, you can't use a unique id that is currently being used by someone else.

(query)

The duration for which the endpoint will be active. This can be specified using a ISO8601 duration string. To make the endpoint never expire, give it a duration of 0, i.e. P0T

(query)

The tokenization algorithm to use. See the tokenization guide for more information.

(query)

PCI Vault can try to parse credit card numbers, cvv numbers, and expiry dates in a smart way. To enable smart parsing for data sent to this endpoint, set this flag to true. If the parsing was successful, the parsed item will contain a JSON object with the parsed data, otherwise the request will be rejected with error 400.

(query)

A comma seperated list of rule ids to apply to the data in order. The rules are applied just before the data is encrypted and stored in the vault.

(header)

Set the Accept header text/html to receive the endpoint data in ready-made HTML code.

(body)

A webhook to send the capture result to.

(body -> webhook)

The URL for the webhook. This must be an https URL.

(body -> webhook)

A secret that will be returned in the webhook call's X-PCIVault-Webhook-Secret header.

(body -> webhook)

A value between 1 and 8 for the maximum amount of times the webhook should be called per token update. Calls to the webhook will stop on a 200 HTTP response, or when max_attempts are reached.

(body -> webhook)

Some metadata which will be merged into the webhook response. This is useful for uniquely identifying webhook responses to requests.

POST
https://api.pcivault.io/v1/capture/
Accept
application/json
Response Code: 200 (example)
GET /capture/ List Capture Endpoints

List available capture endpoints, this list may include expired endpoints. Expired endpoints can't be used and will be deleted.

(query)

Optional key identifier for filtering endpoints.

GET
https://api.pcivault.io/v1/capture/
# No Body
Response Code: (example)
POST /capture/{unique_id} Use a Capturing Endpoint to Capture Data

Encrypt, tokenize , and store data securely in the vault without having access to a key.

The data object is limited to 256KB per request. It does not need to comply with the example value, but it must be a valid JSON object.

Please specify a number in the data with one of these keys: card_number, account_number, n, or number. Alternatively, specify a number in the query string.

(path)

The unique id of the endpoint to use.

(query)

This number is used for generating a token. It is only required if not specified in the body, and will not be stored.

(query)

A reference to assist with lookups and grouping of data.

(header)

The secret associated to the endpoint.

Any valid JSON object

POST
https://api.pcivault.io/v1/capture/{unique_id}
Response Code: 200 (example)
DELETE /capture/{unique_id} Delete a Capturing Endpoint

Delete a capturing endpoint. Please note that this endpoint can also be used to delete retrieval endpoints by specifying a unique id belonging to a retrieval endpoint.

(path)

The unique id of the endpoint to delete.

DELETE
https://api.pcivault.io/v1/capture/{unique_id}
# No Body
Response Code: 200 (example)
POST /capture/iframe Create a Hosted Form

Use this endpoint to create a hosted form which can be embedded in an iFrame.

The created form will be publicly visible, and can be used with any capture endpoint.

This endpoint is zero-rated.

(query)

The type of form, this can be either pcd for credit card, ach for bank details or custom for a custom form.

(query)

A unique id for the form. This id must be a system-wide unique id. If you don't specify an id, PCI Vault will generate one for you.

(body)

A list of of CSS links to include. This is useful for externally hosting CSS to modify the form.

(body)

A list of of Javascript links to include. This is useful for externally hosting Javascript to modify the form.

(body)

Base64 encoded CSS. This CSS will be included in a <style> tag in the form HTML.

(body)

Base64 encoded Javascript. This Javascript will be included in a <script> tag in the form HTML.

(body)

Base64 encoded Javascript function which will be invoked when the form was submitted successfully.

(body)

Base64 encoded Javascript function which will be invoked if an error occurs when the form is submitted.

(body)

Set to true to force the used of a randomized keypad input.

(body)

Set to false to hide the sample credit card on the PCD form.

(body)

Set to true to disable all validation on the PCD form.

(body)

Set to true to strip space from the credit card on the PCD form.

A javascript object, specifying which fields to validate or display. Each key is optional, but must have an object value with validate and/or visible as keys containing true or false as values. Unspecified, undefined, or null keys will be overridden by true values. Invisible fields will not be validated.

POST
https://api.pcivault.io/v1/capture/iframe
Response Code: 200 (example)
GET /capture/iframe/{form_id} Use a Hosted Form

Request the HTML for rendering the hosted HTML form.

This link can be included in an iFrame like this:

<iframe
    src="api-stage.pcivault.io/v1/capture/iframe/MmRMVP4UjYD8g5kVUcmx4Z?unique_id=MThcun2CoC9Eeou3khz4cN&secret=QyXgJqG3d2Tj7ttsbRHI5TffocOg3dZGYmuOuDCLE-wPi_CxoJh7uKSROpm8hIHJ"
></iframe>

This endpoint is publicly available, no Basic Auth or secret headers necessary. However, the unique id and secret for a valid Capture Endpoint is necessary for the form to be usable.

(path)

The id for the form you want to access

(query)

The unique id for the capture endpoint to which the form should send data.

(query)

The secret for the capture endpoint to which the form should send data.

(query)

Set this to true to send data to the staging environment rather than production.

(query)

The HTML title for the hosted form.

GET
https://api.pcivault.io/v1/capture/iframe/{form_id}
# No Body
Response Code: 200 (example)
DELETE /capture/iframe/{form_id} Delete a Hosted Form

Delete a hosted endpoint. You will only be able to delete the form created by the same Basic Auth user.

(path)

The id of the hosted form to delete.

DELETE
https://api.pcivault.io/v1/capture/iframe/{form_id}
# No Body
Response Code: 200 (example)