Forward card details to third-party API endpoints
Use the Vault and Forward API to securely share card details across multiple processors.
The Vault and Forward API allows you to tokenize and store card details in Stripe’s PCI-compliant vault and route that data to supported processors or endpoints. Leverage the API to:
- Use the Payment Element across multiple processors.
- Use Stripe as your primary vault for card details across processors.
- Route card details to your own PCI compliant token vault.
Request access
To gain access to use Stripe’s forwarding service, contact Stripe support.
Forward requests to destination endpoints and populate card details from Stripe’s vault
Collect card details and create a PaymentMethod
To collect card details, use the Payment Element to create a PaymentMethod. After you create a PaymentMethod, we automatically store card details in Stripe’s PCI compliant vault. If you have your own frontend, you can still use the Vault and Forward API by creating a PaymentMethod directly.
Typically, you can only reuse PaymentMethods by attaching them to a Customer. However, the Vault and Forward API accepts all PaymentMethod objects, including those not attached to a customer.
Similarly, the Vault and Forward API doesn’t confirm or capture PaymentIntents. As a result, you might unintentionally use them to capture a payment on Stripe that was already captured on another processor.
CVCs expire automatically after a certain time period and also expire when used with the Vault and Forward API. If you require a CVC after either of these conditions are met, you must re-collect the card details.
Create a ForwardingRequest
To send card details from Stripe’s vault, you must Create a ForwardingRequest and include the following parameters:
payment_
: Object that enables Stripe to identify your customer’s card details within Stripe’s vault and insert that data into the request body.method url
: The exact destination endpoint of your request.request.
: The API request body that you want to send to the destination endpoint (for example, the payments request you send to another processor). Leave any field where you normally input your customer’s card details blank.body replacements
: Fields that you want Stripe to substitute in therequest.
. The available fields that we recommend always setting arebody card_
,number card_
,expiry card_
, andcvc cardholder_
. For example, includingname card_
in thenumber replacements
array replaces the appropriate card number field for your destination endpoint in therequest.
.body
Caution
Stripe might be more lenient than other processors in validating the cardholder name field. If you use the cardholder_
replacements field, you’re responsible for making sure that the names you use pass any validation enforced by the destination endpoint. For example, if the destination endpoint expects all names to only contain the letters A-Z with no accent marks or other writing systems, you must make sure the card details you forward meet this requirement. An alternative is to not use the cardholder_
replacements field and specify the cardholder name in your request body directly in your request.
You must format your request based on the data that the destination endpoint expects. In the example below, the destination endpoint expects an Idempotency-Key
header and accepts a JSON body with the payment details.
Security tip
We require you to pass API keys for the destination endpoint on each API request. Stripe forwards the request using the API keys you provide, and only retains hashed and encrypted versions of destination endpoint API keys.
Caution
You can provide a Idempotency-Key
to make sure that requests with the same key result in only one outbound request. Use a different and unique key for Stripe and any idempotency keys you provide on the underlying third-party request.
Use a new Idempotency-Key
every time you make updates to request.
or request.
fields. Passing in the older idempotency key results in the API replaying older responses, including any previous validation errors.
Forward the request with card details
Stripe makes a request to the destination endpoint on your behalf by inserting the card details from the PaymentMethod into the request.
. Where enabled and available, the Card Account Updater (CAU) automatically attempts to update and provide the latest available card details for requests.
Stripe then forwards the request to the destination endpoint. For example:
Stripe makes a POST request to the endpoint:
POST /v1/payments HTTP/1.1 User-Agent: Stripe Accept: */* Host: endpoint-url Content-Type: application/json Content-Length: 321
Stripe includes the following headers:
Destination-API-Key: {{DESTINATION_API_KEY}} Destination-Idempotency-Key: {{DESTINATION_IDEMPOTENCY_KEY}}
Stripe includes the following JSON body in the request:
{ amount: { value: 1000, currency: 'usd' }, paymentMethod: { number: '4242424242424242', expiryMonth: '03', expiryYear: '2030', cvc: '123', holderName: 'First Last', }, reference: '{{REFERENCE_ID}}' }
Note
If you’re using the Vault and the Forward API to make an authorization request, you must handle any post-transaction actions, such as refunds or disputes, directly with the third-party processor. Contact Stripe support if you require 3DS authentication across your multiprocessor setup.
Handle the response from the destination endpoint
When you use the Vault and Forward API to forward card details to a third-party processor, Stripe synchronously waits for a response from the destination endpoint. The timeout period for this response is less than a minute. Stripe redacts identified PCI-sensitive data, stores the redacted response from the destination endpoint, and returns a ForwardingRequest object, which contains data about the request and response.
Caution
When you use the Vault and Forward API to forward card details to a third-party processor, Stripe can’t guarantee that the processor will provide any particular response to your forwarded API requests. If the third-party processor is unresponsive, you must reach out directly to that processor to resolve the issue.
{ id: "fwdreq_123", object: "forwarding.request", payment_method: "{{PAYMENT_METHOD}}", request_details: { body: '{ "amount": { "value": 1000, "currency": "usd" }, "paymentMethod": { "number": "424242******4242", "expiryMonth": "03", "expiryYear": "2030", "cvc": "***", "holderName": "First Last", }, "reference": "{{REFERENCE_ID}}" }', headers: [ { name: "Content-Type", value: "application/json", }, { name: "Destination-API-Key", value: "{{DESTINATION_API_KEY}}", }, { name: "Destination-Idempotency-Key", value: "{{DESTINATION_IDEMPOTENCY_KEY}}", }, ... ] }, request_context: { "destination_duration": 234, "destination_ip_address": "35.190.113.80" }, response_details: { body: '{ // Response from the third-party endpoint goes here ... }', headers: [ ... ], status: 200, }, replacements: [ "card_number", "card_expiry", "card_cvc", "cardholder_name" ] ... }
Configure your Vault and Forward API endpoint
To set up your Vault and Forward API endpoint, you must:
- Confirm that we support the destination endpoint.
- Provide a test and production account with Stripe support.
- Share the production details for the destination endpoint with Stripe support.
Confirm that we support the destination endpoint
Stripe supports forwarding API requests to the following endpoints:
- Adyen:
[prefix]-checkout-live.
adyenpayments. com/v68/payments [prefix]-checkout-live.
adyenpayments. com/v69/payments [prefix]-checkout-live.
adyenpayments. com/v70/payments
- Braintree:
payments.
braintree-api. com/graphql - Checkout:
api.
checkout. com/tokens api.
checkout. com/payments
- GMO Payment Gateway:
p01.
mul-pay. jp/payment/ExecTran. json - PaymentsOS:
api.
paymentsos. com/tokens - Spreedly:
core.
spreedly. com/v1/payment_ methods. json - Tabapay:
[prefix]/v1/clients/[ClientID]/accounts
- Worldpay:
access.
worldpay. com/tokens secure.
worldpay. com/jsp/merchant/xml/paymentService
- Flexpay:
api.
flexpay. io/v1/gateways/charge
- Your own PCI-compliant token vault
Stripe supports HTTPS-based APIs that accept JSON/XML requests and return JSON/XML responses. If your destination endpoint isn’t supported or you require a different API format, share the endpoint details with Stripe support to get support for your specific needs.
Supported countries
The Vault and Forward API can only forward requests to the following countries:
Countries eligible for request forwarding
Additionally, ensure that your Stripe account is registered in one of these countries:
Countries eligible for the Vault and Forward API
Provide test accounts to Stripe support
To access the Vault and Forward API, share the account IDs (acct_
) for your test accounts with Stripe support.
Share production details
Share the production details for destination endpoint with Stripe support. These include the following for destination endpoint: URL, HTTP method, documentation, fields, request headers, and encryption keys. Stripe then sets up destination endpoint for use with the Vault and Forward API in live mode.
To share third-party API keys, you must encrypt them by using the Stripe public key that’s specific to the Vault and Forward API. Start by importing a public key using the GNU Privacy Guard (PGP). After you familiarize yourself with the basics of PGP, use the following PGP key to encrypt your third-party API keys:
Vault and Forward API PGP key
To encrypt your third-party API keys with the Vault and Forward API PGP key:
Calculate the
SHA256
hash of your private key and hex encode the hash. Treat this hash as a secret.Command Lineecho -n "{{THIRD_PARTY_SECRET_KEY}}" | sha256sum
Encrypt the
SHA256
hash with Stripe’s public key,Base64
encode the result, and set the Stripe key astrusted
.Command Lineecho -n "{{SHA256_HASH}}" | gpg -e -r AE863ADA1603150856C0A853A7B203177D034588 --always-trust | base64 > encrypted_base64.txt
Verify
encrypted_
by running the following command:base64. txt Command Linecat encrypted_base64.txt | base64 -d | gpg --list-only --list-packets
Make sure that encrypted_
contains the following characteristics:
- Key ID:
27E4B9436302901A
- Key type: RSA
- Key size: 4096 bits
- User ID:
Forward API Secret Encryption Key (Forward API Secret Encryption Key) <multiprocessor-ext@stripe.
com>
Test your integration
To confirm that your integration works correctly with destination endpoint, initiate a ForwardingRequest using the PaymentMethod you created. This example uses pm_
as a payment method.
Caution
The Vault and Forward API treats any response from the destination endpoint as a success
and returns a 200
, along with the destination endpoint’s response code in the response.
. For example, when the destination endpoint returns a status code of 400
to Stripe, the Vault and Forward API responds with a status code of 200
. The response.
includes the destination endpoint’s 400
response and error message. Separately test the API request that you send to your destination endpoint to make sure that you don’t have any errors.
View your request logs in the Dashboard
You can view request logs and errors related to the Vault and Forward API in Workbench. Additionally, you can use the List API to fetch the logs from Stripe.
Security tip
The request.
and request.
in the incoming request are encrypted and appear as encrypted_
in the Dashboard.