Tokenization
Tokenization replaces sensitive card data (PAN) with a non-sensitive gateway token. This dramatically reduces your PCI compliance scope because raw card numbers never touch your servers.
How It Works
- You send the card number to Gatelithix via POST /v1/tokens.
- Gatelithix encrypts the PAN in the vault (PCI zone) and returns a gateway_token.
- You use the gateway token for all payment operations instead of the raw card number.
The PAN is encrypted at ingress and stored in an isolated PCI-compliant vault. Your servers only ever see tokens.
Server-to-Server Tokenization
POST /v1/tokens
| Parameter | Type | Required | Description |
|---|---|---|---|
| pan | string | Yes | Full card number (13-19 digits). |
| exp_month | integer | Yes | Expiration month (1-12). |
| exp_year | integer | Yes | Expiration year (e.g., 2028). |
| card_brand | string | No | Card brand (e.g., visa, mastercard). |
Response
```json
{
  "token": "tok_test_aBcDeFgHiJkLmNoPqRsTuVwX",
  "bin": "424242",
  "last4": "4242",
  "exp_month": 12,
  "exp_year": 2028,
  "card_brand": "visa",
  "created_at": "2026-03-18T12:00:00Z"
}
```
Token Format
| Environment | Prefix | Example |
|---|---|---|
| Sandbox | tok_test_ | tok_test_aBcDeFgHiJkLmNoPqRsTuVwX |
| Production | tok_live_ | tok_live_aBcDeFgHiJkLmNoPqRsTuVwX |
Token Stability
Tokenizing the same card number for the same merchant always returns the same gateway token. This makes tokens safe for storage and reuse:
- Save the token in your database alongside the customer record.
- Use it for recurring charges without re-tokenizing.
- The token is scoped to your merchant account and cannot be used by other merchants.
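As an added example (not Gatelithix's own client code), the Python below builds the POST /v1/tokens body using the parameter rules above, then checks a response before persisting it: the token prefix must match the environment the request went to, bin and last4 must agree with the PAN that was sent, and only non-sensitive fields are kept for reuse. The sample response is constructed from the example on this page; the function names and the space/dash normalization are assumptions.

```python
import re

# Token prefixes by environment, from the Token Format table.
TOKEN_PREFIX = {"sandbox": "tok_test_", "production": "tok_live_"}

# Constructed sample response (shape from this page) for a sandbox tokenization of 4242 4242 4242 4242.
SAMPLE_RESPONSE = {
    "token": "tok_test_aBcDeFgHiJkLmNoPqRsTuVwX",
    "bin": "424242",
    "last4": "4242",
    "exp_month": 12,
    "exp_year": 2028,
    "card_brand": "visa",
    "created_at": "2026-03-18T12:00:00Z",
}

def normalize_pan(pan):
    """Strip spaces/dashes (assumed input formats) and enforce the 13-19 digit rule."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("pan must be 13-19 digits")
    return digits

def build_tokenize_request(pan, exp_month, exp_year, card_brand=None):
    """Build the JSON body for POST /v1/tokens after validating each parameter."""
    if not 1 <= exp_month <= 12:
        raise ValueError("exp_month must be 1-12")
    body = {"pan": normalize_pan(pan), "exp_month": exp_month, "exp_year": exp_year}
    if card_brand:
        body["card_brand"] = card_brand  # optional parameter
    return body

def token_matches_environment(token, environment):
    """True when the token prefix matches the environment the request was sent to."""
    return token.startswith(TOKEN_PREFIX[environment])

def storable_record(response, environment, pan):
    """Validate the gateway response and return only the fields safe to persist."""
    digits = normalize_pan(pan)
    # A tok_test_ token in production (or vice versa) means the request went to the wrong host.
    if not token_matches_environment(response["token"], environment):
        raise ValueError("token prefix does not match environment")
    # bin/last4 must describe the card that was actually sent.
    if response["bin"] != digits[:6] or response["last4"] != digits[-4:]:
        raise ValueError("bin/last4 do not match the tokenized PAN")
    # The PAN is deliberately not returned: the stored row holds token and display data only.
    return {k: response[k] for k in ("token", "bin", "last4", "exp_month", "exp_year")}
```

Because the same card for the same merchant always yields the same token, the record returned here can be saved once and reused for recurring charges without another tokenization call.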
Client-Side Tokenization
For web applications, use Hosted Fields to tokenize card data directly from the browser. Hosted Fields use iframes served from the Gatelithix PCI zone, so the card number never passes through your frontend code.