Skip to main content
Once an API endpoint has been enabled, any vaulted card data can be forwarded to it using the Vault Forward API. The card must already be stored in the vault as a payment method — see Tokenize a card for how to store one.

Request

Vault Forward acts as a proxy to your third-party endpoint. You send the request to the Gr4vy API instead of directly to the downstream service, with a few adjustments:
  1. Send the request to POST /vault-forward instead of the downstream URL.
  2. Replace any PCI data in the body with template placeholders, for example {{ CARD_NUMBER_1 }}.
  3. Add control headers to specify which cards to forward and where to send the request.
  4. Prefix any downstream headers with x-vault-forward-header-.

Request headers

*Provide either x-vault-forward-payment-methods or x-vault-forward-checkout-session — at least one is required.

Payload placeholders

Replace PCI data in the request body with placeholders using {{ PLACEHOLDER }} syntax. The X suffix is the 1-based index of the payment method in the x-vault-forward-payment-methods list.

Authentication

Pass your downstream API credentials through headers using the x-vault-forward-header- prefix:
For services that require request signing, mutual TLS, or payload encryption — where passing credentials through headers is not possible — see Advanced authentication.

Response

HTTP status code

Any validation error before forwarding returns a 4XX status. In all other cases — including when the downstream service returns an error — the status is 200.

Response headers

Payload

The raw downstream response body is returned as-is. Empty if no response was received.

Examples

Explore further

CVV & Secure Fields

Forward a security code collected via Secure Fields or a checkout session

3DS forwarding

Forward 3DS authentication data alongside card details

Network token forwarding

Forward network tokens and cryptograms to third-party endpoints

Advanced authentication

Configure request signing, mutual TLS, or payload encryption

Enable an endpoint

Allow a specific host to receive forwarded PCI data in production