Credit Card Number (PCI DSS) Protection Endpoint
METHOD: POST
ENDPOINT: https://dev.qupass.in/api/ccn
Description
The Credit Card Number endpoint enables the protection and unprotection of payment card identifiers while preserving their numeric data type and structural semantics.
The returned token consists exclusively of decimal digits (0–9), ensuring compatibility with systems that expect numeric-only identifiers, while allowing for an expanded length to accommodate secure, high-entropy token generation.
By maintaining the same encoding space — specifically the decimal digit domain — the endpoint ensures that protected values remain syntactically valid within numeric processing pipelines, even though the original fixed-length constraints (e.g., 16 digits depending on card type) are not retained.
This approach enables strong protection guarantees without disrupting storage compatibility, input validation logic that relies on numeric character sets, or downstream data handling workflows.
Examples
- Input:
4539 1488 0343 6467(Numeric)- QuFold_Token:
497946249 763432447 047334895 245702506346- ✅ Character set preserved (Numeric block)
- ✅ Encoding compatibility is maintained
- FPE:
1703 8460 2554 8666- ✅ Length and Character set preserved (Numeric block)
- ✅ Encoding compatibility is maintained
- QuFold_Token:
Request Payload
HEADER PARAMETERS
- x-api-key
(required)Provides access to one or more functions in the API Playground. - Authorization
(required)The JWT token issued upon successful authentication. - qu-token
(required)QU token that you revceive at the time of login.
- x-api-key
PAYLOAD DETAILS
- id
(required)Integer identifier for the request. - operation
(required)Specifies the protection operation. Available:[protect | unprotect]. - data
(required)Array of values to be transformed. - options:
- method - Transformation method; Available:
[tokenise | fpe | mask | redact | passthrough].- Defaults to
tokenise
- Defaults to
- scope - User-defined context string; differentiates tokens across applications or datasets. (e.g.,
app1,azure+app1).- Defaults to
no-scope
- Defaults to
- noise - Adds controlled randomness.
- Defaults to
0, ensures deterministic tokenization within scope Non-zerovalues produce possibledistinct tokensfor the repeated inputs
- Defaults to
- method - Transformation method; Available:
- id
Sample Request
curl --location 'https://dev.qupass.in/api/ccn' \
--header 'x-api-key: <API_Key>' \
--header 'Authorization: <JWT_TOKEN>' \
--header 'qu-token: <QU_TOKEN>' \
--header 'Content-Type: application/json' \
--data '{
"id": 1,
"operation": "protect",
"data": [
"4539 1488 0343 6467",
"4485 2756 9823 1029",
"4716 3344 5566 7788"
],
"options": {
"method": "tokenise",
"scope": "App1"
}
}'
package main
import (
"io"
"fmt"
"strings"
"net/http"
)
func main() {
API_Key := "<API_Key>"
JWT_Token := "<JWT_TOKEN>"
QU_Token := "<QU_TOKEN>"
url := "https://dev.qupass.in/api/ccn"
data := strings.NewReader(`{
"id":1,
"operation": "protect",
"data": [
"4539 1488 0343 6467",
"4485 2756 9823 1029",
"4716 3344 5566 7788"
],
"options": {
"method": "tokenise",
"scope": "App1"
}
}`)
req, err := http.NewRequest("POST", url, data)
if err != nil {
fmt.Println(err)
return
}
req.Header.Set("x-api-key", API_Key)
req.Header.Set("Authorization", JWT_Token)
req.Header.Set("qu-token", QU_Token)
req.Header.Set("Content-Type", "application/json")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
fmt.Println(err)
return
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
fmt.Println(err)
return
}
fmt.Println(string(body))
}
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.io.OutputStream;
import java.io.InputStreamReader;
import java.io.BufferedReader;
import java.nio.charset.StandardCharsets;
public class APIRequest {
public static void main(String[] args) {
try {
String API_Key = "<API_Key>";
String JWT_Token = "<JWT_TOKEN>";
String QU_Token = "<QU_TOKEN>";
URI uri = new URI("https://dev.qupass.in/api/ccn");
String data = "{"
+ "\"id\": 1,"
+ "\"operation\": \"protect\","
+ "\"data\": ["
+ "\"4539 1488 0343 6467\","
+ "\"4485 2756 9823 1029\","
+ "\"4716 3344 5566 7788\""
+ "],"
+ "\"options\": {"
+ "\"method\": \"tokenise\","
+ "\"scope\": \"App1\""
+ "}"
+ "}";
URL url = uri.toURL();
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestMethod("POST");
conn.setRequestProperty("x-api-key", API_Key);
conn.setRequestProperty("Authorization", JWT_Token);
conn.setRequestProperty("qu-token", QU_Token);
conn.setRequestProperty("Content-Type", "application/json");
conn.setDoOutput(true);
// Send request body
try (OutputStream os = conn.getOutputStream()) {
byte[] input = data.getBytes(StandardCharsets.UTF_8);
os.write(input, 0, input.length);
}
int statusCode = conn.getResponseCode();
BufferedReader br;
if (statusCode >= 200 && statusCode < 300) {
br = new BufferedReader(new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8));
} else {
br = new BufferedReader(new InputStreamReader(conn.getErrorStream(), StandardCharsets.UTF_8));
}
StringBuilder response = new StringBuilder();
String line;
while ((line = br.readLine()) != null) {
response.append(line.trim());
}
System.out.println(response.toString());
} catch (Exception e) {
e.printStackTrace();
}
}
}
const API_Key = "<API_Key>";
const JWT_Token = "<JWT_TOKEN>";
const QU_Token = "<QU_TOKEN>";
const url = "https://dev.qupass.in/api/ccn";
const data = {
id: 1,
operation: "protect",
data: [
"4539 1488 0343 6467",
"4485 2756 9823 1029",
"4716 3344 5566 7788"
],
options: {
method: "tokenise",
scope: "App1"
}
};
fetch(url, {
method: "POST",
headers: {
"x-api-key": API_Key,
"Authorization": JWT_Token,
"qu-token": QU_Token,
"Content-Type": "application/json"
},
body: JSON.stringify(data)
})
.then(async (response) => {
const text = await response.text(); // raw response like Python's response.text
if (!response.ok) {
throw new Error(`HTTP ${response.status}: ${text}`);
}
console.log(text);
})
.catch((error) => {
console.error("Error:", error.message);
});
<?php
$API_Key = "<API_Key>";
$JWT_Token = "<JWT_TOKEN>";
$QU_Token = "<QU_TOKEN>";
$url = "https://dev.qupass.in/api/ccn";
$headers = [
"x-api-key: $API_Key",
"Authorization: $JWT_Token",
"qu-token: $QU_Token",
"Content-Type: application/json"
];
$data = [
"id" => 1,
"operation" => "protect",
"data" => [
"4539 1488 0343 6467",
"4485 2756 9823 1029",
"4716 3344 5566 7788"
],
"options" => [
"method" => "tokenise",
"scope" => "App1"
]
];
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
$response = curl_exec($ch);
if (curl_errno($ch)) {
echo 'Error:' . curl_error($ch);
} else {
echo $response;
}
curl_close($ch);
?>
import requests
import json
API_Key = "<API_Key>"
JWT_Token = "<JWT_TOKEN>"
QU_Token = "<QU_TOKEN>"
url = 'https://dev.qupass.in/api/ccn'
headers = {
'x-api-key': API_Key,
'Authorization': JWT_Token,
'qu-token': QU_Token,
'Content-Type': 'application/json'
}
data = {
"id": 1,
"operation": "protect",
"data": [
"4234 5678 9123",
"4234 5678 9124",
"5234 5678 9123"
],
"options": {
"method": "tokenise",
"scope": "App1"
}
}
response = requests.post(url, headers=headers, data=json.dumps(data))
print(response.text)
Sample Data Payload and Output
PROTECTION SCENARIOS:
| Input | Output |
|---|---|
| |
UNPROTECTION SCENARIOS:
| Input | Output |
|---|---|
| |
| |
| |
| |