Reveal Card Details

Fetches full PAN, CVV, and expiry. This endpoint returns a single-use hosted URL that renders the sensitive data directly in the user’s browser, so card details never touch your servers — keeping you out of PCI-DSS scope.

POST/v1/cards/{id}/reveal

🔐

The hosted reveal page is intended to be embedded in an iframe you render for the end user. Never screenshot or proxy the PAN on your servers.

Request

curl -X POST https://api.vaultspay.ae/v1/cards/card_01HX7.../reveal \
  -H "Authorization: Bearer sk_test_yourApiKeyHere"

Response

200 OK

{
  "hosted_url": "https://pay.vaultspay.ae/reveal/abc123def456",
  "expires_at": "2026-04-24T15:00:00Z",
  "single_use": true
}

Embedding example

<iframe
  src="https://pay.vaultspay.ae/reveal/abc123def456"
  width="340"
  height="210"
  frameborder="0"
  allow="clipboard-write"
></iframe>

Advanced: direct JWE response

PCI-DSS certified integrators may request the card details as an encrypted JWE instead of a hosted page. Contact your onboarding manager to enable this path.

Card Transactions Terminate Card