# Creating card tokens

A [Card Token](/documentation/api/card-tokens) is a representation of a card
number encrypted and stored in Increase’s Payment Card Industry (PCI)
environment. The https://vault.increase.com/card_tokens endpoint is the only
endpoint that accepts raw card numbers; everything else uses a Card Token. As
such, the `/card_tokens` endpoint exists at https://vault.increase.com instead
of the regular https://api.increase.com URL.

Once you’ve created a Card Token for a recipient’s card you can [send a Card
Validation](/documentation/sending-card-validations) to confirm it and then
[send a Card Push Transfer](/documentation/sending-card-transfers) to push funds
to the card.

To authenticate with the `/card_tokens` endpoint, create a special bearer
credential in the Increase dashboard that can only be used for this purpose:
https://dashboard.increase.com/developers/api_keys (`Create API key` → `Create
Production Card Tokenization Key`).

```curl
$ curl -X POST https://vault.increase.com/card_tokens \
  -H "Authorization: Bearer BEARERCREDENTIAL" \
  -H "Content-Type: application/json" \
  -d '{
    "primary_account_number": "4444440000001234",
    "expiration_month": 3,
    "expiration_year": 2030,
    "card_verification_value2": "123"
  }'

=> {"card_token":"card_token_ooy8ebisb1p71o6lpbbd"}
```
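The following is an added example, not code from Increase: a client-side guard that builds the same request but refuses to place a raw card number in a request bound for any URL other than the vault endpoint, and gives you a masked form for logs. The function names, the Luhn pre-check and the masking format are assumptions of this example; the field names, URL and sample values come from the curl call above.

```python
import json
import urllib.request
from urllib.parse import urlsplit

VAULT_URL = "https://vault.increase.com/card_tokens"  # endpoint named on this page


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches mistyped numbers before they leave your process."""
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Log-safe form (hypothetical helper): first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def build_card_token_request(pan, month, year, cvv2, credential, url=VAULT_URL):
    """Return an unsent urllib Request for the card_tokens endpoint."""
    parts = urlsplit(url)
    # Raw card numbers may only go to the vault host, over HTTPS.
    target = (parts.scheme, parts.hostname, parts.path)
    if target != ("https", "vault.increase.com", "/card_tokens"):
        raise ValueError("raw card numbers may only be sent to " + VAULT_URL)
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("card number failed format/Luhn check")
    if not 1 <= month <= 12:
        raise ValueError("expiration_month out of range")
    body = {
        "primary_account_number": pan,
        "expiration_month": month,
        "expiration_year": year,
        "card_verification_value2": cvv2,
    }
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": "Bearer " + credential,
                 "Content-Type": "application/json"},
    )
```

Pass the returned object to `urllib.request.urlopen` to send it, and log `mask_pan(pan)` rather than the request body.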

## Tokenization providers

Increase is fully PCI-DSS compliant and can receive card numbers either directly from
you or from your tokenization provider. With a tokenization provider, you
collect card numbers from your customers using the provider’s frontend
components and then rely on its forwarding endpoints to pass the raw card
details through to Increase. This ensures that your systems never see raw card
details.

Examples of tokenization providers are:

- Stripe: https://docs.stripe.com/payments/vault-and-forward
- Basis Theory: https://developers.basistheory.com/docs/guides/share/process-card-payments
- Very Good Security: https://www.verygoodsecurity.com/docs/guides/outbound-connection

Increase supports any tokenization provider that can send a JSON payload
over HTTPS.

If you use a tokenization provider like Basis Theory you’ll want to use their
proxy endpoint to forward the request to us:

```curl
$ curl 'https://api.basistheory.com/proxy' \
  -X 'POST' \
  -H 'BT-API-KEY: <API_KEY>' \
  -H 'BT-PROXY-URL: https://vault.increase.com/card_tokens' \
  -H 'Authorization: Bearer BEARERCREDENTIAL' \
  -H 'Content-Type: application/json' \
  -d '{
      "primary_account_number": "{{ token: d2cbc1b4-5c3a-45a3-9ee2-392a1c475ab4 | json: \"$.data.number\" }}",
      "expiration_month": "{{ token: d2cbc1b4-5c3a-45a3-9ee2-392a1c475ab4 | json: \"$.data.expiration_month\" }}",
      "expiration_year": "{{ token: d2cbc1b4-5c3a-45a3-9ee2-392a1c475ab4 | json: \"$.data.expiration_year\" }}",
      "card_verification_value2": "{{ token: d2cbc1b4-5c3a-45a3-9ee2-392a1c475ab4 | json: \"$.data.cvc\" }}"
    }'
```

## Capabilities

Once you’ve tokenized a card number you can fetch its capabilities with the
[Card Token
capabilities](/documentation/api/card-tokens#retrieve-the-capabilities-of-a-card-token)
endpoint. The capabilities are based on routing files provided by the card
networks and return a point-in-time view of the card number at the time of
fetching. Note that retrieving the capabilities of a Card Token only lets you
know that the card number belongs to a valid Account Range on the issuer’s side
and whether it supports actions such as push-to-card transfers; it does not tell
you whether the card number itself is valid. The capabilities can change over
time.

## Sandbox

Real card numbers are not usable in sandbox. Instead you can create
sandbox-specific card tokens using the [Create a Card Token simulation](/documentation/api/card-tokens#sandbox-create-a-card-token).
