With a retrieve endpoint you can give third parties or a web frontend direct access to your data in PCI Vault.
To do this without compromising your passphrase or your authorization details, you can create a shareable unique endpoint. This endpoint can only be used to retrieve data and can be locked down to only specific tokens and references for added security.
Create a temporary endpoint that you can share with others without compromising your passphrase. This new endpoint can be used to retrieve data that was encrypted with the provided key. You can also lock down the new endpoint to only retrieve specific tokens or references.
Important: We store an encrypted version of the provided key in our database. This endpoint generates a secret necessary to decrypt the key and then decrypt the captured data. Anybody with the secret can use the generated endpoint to decrypt the data accessible by the new endpoint. We do not store the secret. We recommend that you delete the endpoint after use.
The identifier for the key that will be used to fetch and decrypt data.
The passphrase for the key that will be used to fetch and decrypt data.
A unique name for the endpoint. Uniqueness is enforced across the entire vault: you can't use a unique id that is currently being used by someone else.
The duration for which the endpoint will be active. This can be specified using an ISO 8601 duration string.
A token to which the new endpoint must be locked down. The new endpoint will only have access to this token. If neither token nor reference is specified, the new endpoint will have access to all tokens.
A reference to which the new endpoint must be locked down. The new endpoint will only have access to tokens with this reference. If the reference is not specified, the new endpoint will have access to tokens with any reference.
A comma-separated list of rule ids to apply to the data in order. This does not change stored data.
A comma-separated list of fields to mask in the response. In a masked field, all non-space characters will be replaced by an asterisk (*), except for the last 4 characters.
Whether the returned data should include card metadata. When set to true, the BIN is queried and the issuer data is returned together with the decrypted data.
Set the Accept header to text/html to receive the endpoint data in ready-made HTML code.
Accept: application/json
# No Body
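The lifetime and lock-down parameters described above can be checked before the create request is sent. The following is an added example, not PCI Vault code: it parses the ISO 8601 duration, rejects lifetimes above an assumed 15-minute policy ceiling, and flags a request that is locked to neither a token nor a reference. The function names and `MAX_TTL` are assumptions; year and month components are rejected because they have no fixed length.

```python
import re
from datetime import timedelta

# ISO 8601 durations restricted to weeks, days, hours, minutes and seconds.
# Years/months and fractional values are deliberately not accepted here.
_DURATION = re.compile(
    r"P(?:(?P<weeks>\d+)W|(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?)"
)

MAX_TTL = timedelta(minutes=15)  # assumed local policy, not a PCI Vault limit


def parse_duration(text):
    """Convert a duration such as 'PT10M' or 'P1DT2H' to a timedelta."""
    m = _DURATION.fullmatch(text)
    # 'P', 'PT' and 'P1DT' match the pattern but carry no usable component.
    if not m or text == "P" or text.endswith("T"):
        raise ValueError(f"unsupported or malformed duration: {text!r}")
    parts = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    return timedelta(**parts)


def check_endpoint_request(ttl, token=None, reference=None):
    """Return policy violations for a planned retrieval endpoint (empty = OK)."""
    problems = []
    try:
        lifetime = parse_duration(ttl)
        if lifetime <= timedelta(0):
            problems.append("lifetime must be positive")
        elif lifetime > MAX_TTL:
            problems.append(f"lifetime {lifetime} exceeds policy maximum {MAX_TTL}")
    except ValueError as exc:
        problems.append(str(exc))
    if not token and not reference:
        # With neither set, the new endpoint can read every token in the vault.
        problems.append("endpoint is not locked to a token or reference")
    return problems


if __name__ == "__main__":
    # Constructed sample requests: (duration, token, reference)
    for ttl, tok, ref in [("PT10M", "tok-constructed", None),
                          ("P1D", None, None),
                          ("P1M", None, "ref-constructed")]:
        print(ttl, check_endpoint_request(ttl, tok, ref) or "OK")
```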
List available retrieval endpoints. This list may include expired endpoints. Expired endpoints can't be used and will be deleted.
Optional key identifier for filtering endpoints.
# No Body
Decrypt or list encrypted data by token from the vault without having access to a key. Use the secret provided when creating this unique endpoint. If the token is provided, decrypted data will be returned, otherwise tokens will be listed.
The unique id of the endpoint to use.
The token to retrieve. If left unspecified, this endpoint will generate a tree of available tokens using the supplied reference if applicable.
The reference by which data must be filtered. If a token has been stored with a reference, both the reference and the token must be supplied in order to decrypt the associated data.
Filter for tokens where the reference begins with the specified value.
If set to true, decrypt all tokens in the tree. Note: every token in the tree will be decrypted and counted as an API operation, so use this with caution when using a large limit parameter.
Limit the number of cards in the tree. This limit is 1024 by default. To remove the limit, specify a negative limit. Warning: Your browser might not be able to render too many cards, so we recommend you set the limit fairly low when trying this endpoint out. Depending on how many cards are in the vault, removing the limit might also result in an error due to a timeout.
The token received in the X-PCIVault-Next-Token header in a previous request.
The secret associated with the endpoint.
# No Body
Delete a retrieval endpoint. Please note that this endpoint can also be used to delete capturing endpoints by specifying a unique id belonging to a capturing endpoint.
The unique id of the endpoint to delete.
# No Body
Request the HTML for rendering the standard PCD hosted form.
This link can be included in an iframe like this:
<iframe
src="https://api-stage.pcivault.io/v1/retrieve/iframe/pcd?unique_id=MThcun2CoC9Eeou3khz4cN&secret=QyXgJqG3d2Tj7ttsbRHI5TffocOg3dZGYmuOuDCLE-wPi_CxoJh7uKSROpm8hIHJ&token=5d7c9c6d3b15f03632742d66e933ad431e1dbc1e8ce6450437d216b14a3d657b&reference=test_reference"
></iframe>
This endpoint is publicly available; no Basic Auth or secret headers are necessary. However, the unique id and secret for a valid Retrieval Endpoint are necessary for the form to retrieve the data.
The unique id for the retrieval endpoint from which the form should fetch data.
The secret for the retrieval endpoint from which the form should fetch data.
The token to retrieve.
A reference for the token. Must be specified if the token was stored with a reference.
Set this to true to fetch data from the staging environment rather than production.
The HTML title for the hosted form.
# No Body