Once an API endpoint has been enabled, any vaulted card data can be forwarded to it using the Vault Forward API. The card must already be stored in the vault as a payment method — see Tokenize a card for how to store one.Documentation Index
Fetch the complete documentation index at: https://docs.gr4vy.com/llms.txt
Use this file to discover all available pages before exploring further.
Request
Vault Forward acts as a proxy to your third-party endpoint. You send the request to the Gr4vy API instead of directly to the downstream service, with a few adjustments:- Send the request to
POST /vault-forwardinstead of the downstream URL. - Replace any PCI data in the body with template placeholders, for example
{{ CARD_NUMBER_1 }}. - Add control headers to specify which cards to forward and where to send the request.
- Prefix any downstream headers with
x-vault-forward-header-.
Request headers
| Header | Required | Description |
|---|---|---|
x-vault-forward-url | Yes | HTTPS URL to forward the request to. The host must be enabled in production. |
x-vault-forward-http-method | Yes | HTTP method to use: POST, PUT, or PATCH. |
x-vault-forward-payment-methods | Yes* | Comma-separated list of payment method IDs. At least 1, no duplicates. Only card payment methods are accepted. |
x-vault-forward-checkout-session | Yes* | Checkout session ID. If set, x-vault-forward-payment-methods can be omitted. Use to forward a CVV. |
x-vault-forward-header-{HEADER_NAME} | No | A header to forward to the downstream endpoint. For example, set x-vault-forward-header-authorization to forward an authorization header. |
x-vault-forward-timeout | No | Timeout for the forwarded request in seconds. Defaults to 30. |
x-vault-forward-payment-methods or x-vault-forward-checkout-session — at least one is required.
Payload placeholders
Replace PCI data in the request body with placeholders using{{ PLACEHOLDER }} syntax. The X suffix is the 1-based index of the payment method in the x-vault-forward-payment-methods list.
| Placeholder | Description |
|---|---|
CARD_NUMBER_X | The card number (PAN). |
CARD_EXPIRATION_DATE_X | Expiration date in MM/YY format. |
CARD_EXPIRATION_DATE_M_X | Expiration month, non-zero-padded (1–12). |
CARD_EXPIRATION_DATE_MM_X | Expiration month, zero-padded (01–12). |
CARD_EXPIRATION_DATE_YY_X | Expiration year without century (00–99). |
CARD_EXPIRATION_DATE_YYYY_X | Expiration year with century (for example 2025). |
CARD_SECURITY_CODE_X | Security code (CVV). Only available via Secure Fields and checkout sessions. |
Authentication
Pass your downstream API credentials through headers using thex-vault-forward-header- prefix:
Response
HTTP status code
Any validation error before forwarding returns a4XX status. In all other cases — including when the downstream service returns an error — the status is 200.
Response headers
| Header | Description |
|---|---|
content-type | Content type of the downstream response, forwarded as-is. |
x-vault-forward-http-status-code | HTTP status code returned by the downstream endpoint. |
x-vault-forward-header-{HEADER_NAME} | Response headers from the downstream endpoint (except content-type). For example, x-vault-forward-header-x-frame-options. |
x-vault-forward-error | Error string if no response was received, for example on timeout or network failure. |
Payload
The raw downstream response body is returned as-is. Empty if no response was received.Examples
Explore further
CVV & Secure Fields
Forward a security code collected via Secure Fields or a checkout session
3DS forwarding
Forward 3DS authentication data alongside card details
Network token forwarding
Forward network tokens and cryptograms to third-party endpoints
Advanced authentication
Configure request signing, mutual TLS, or payload encryption
Enable an endpoint
Allow a specific host to receive forwarded PCI data in production