Tokenization Guide

Store card data safely using Cresora tokens to reduce PCI scope.

Tokenization replaces a raw card number with a Cresora-issued token. You store the token; Cresora stores the card. This reduces your PCI scope to SAQ A-EP.

How it works

  1. Your frontend sends the card data directly to Cresora using Cresora.js
  2. Cresora returns a single-use token
  3. Your server receives only the token — never the raw card number
  4. Your server uses the token to create a payment or store it for future charges

Cresora.js (client-side)

Include Cresora.js on your payment page and use it to collect and tokenize card details:

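<script src="https://js.cresoracommerce.com/v1/cresora.js"></script>
<script>
  // Note: any key passed here is visible to everyone who loads the page.
  const cresora = Cresora("csk_test_xxxxxxxxxxxx");

  // Mount a card form into #card-element
  const cardElement = cresora.elements().create("card");
  cardElement.mount("#card-element");

  // On form submit: tokenize (#payment-form is a placeholder id for your own form)
  document.querySelector("#payment-form").addEventListener("submit", async (event) => {
    event.preventDefault();
    const { token, error } = await cresora.createToken(cardElement);
    if (error) {
      // Show error to customer
    } else {
      // Send only token.id to your server, never the card fields
      await fetch("/charge", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ token_id: token.id }),
      });
    }
  });
</script>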

Use the token server-side

curl -X POST https://sandbox-api.cresoracommerce.com/api/v1/transactions/sale \
  -H "Authorization: Bearer csk_test_xxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: idem_$(uuidgen)" \
  -d '{
    "amount": "50.00",
    "currency": "USD",
    "payment_method": "token",
    "token_id": "tok_xxxxxxxxxxxx",
    "merchant_id": "mrch_xxxxxxxxxx"
  }'

Single-use tokens expire after 15 minutes or after one successful use.
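
The server side of steps 3 and 4, as an added example rather than Cresora's own code: it builds the sale request from the curl call, rejects any body that carries card-like digits, and takes the amount from the server's order record instead of the browser. The tok_ format check, the order object and the per-order idempotency key are assumptions of this example.

```javascript
// Added example, not Cresora code. URL, headers and JSON fields follow the curl call above;
// the token format, the order object and the per-order idempotency key are assumptions.
const SALE_URL = "https://sandbox-api.cresoracommerce.com/api/v1/transactions/sale";

// Assumed token shape: "tok_" plus alphanumerics (the page only shows tok_xxxxxxxxxxxx).
const TOKEN_RE = /^tok_[A-Za-z0-9]{8,64}$/;
// A run of 13-19 digits, optionally split by spaces or dashes, looks like a card number.
const PAN_RE = /\b\d(?:[ -]?\d){12,18}\b/;

function containsCardLikeData(value) {
  if (typeof value === "string" || typeof value === "number") return PAN_RE.test(String(value));
  if (value && typeof value === "object") return Object.values(value).some(containsCardLikeData);
  return false;
}

function buildSaleRequest(clientBody, order, config) {
  // Refuse anything that would pull raw card data into server memory, logs or queues.
  if (containsCardLikeData(clientBody)) {
    throw new Error("request body contains card-like data; only token_id is accepted");
  }
  const tokenId = clientBody && clientBody.token_id;
  if (typeof tokenId !== "string" || !TOKEN_RE.test(tokenId)) {
    throw new Error("token_id missing or malformed");
  }
  // Amount and currency come from the server's own order record, never from the browser.
  return {
    url: SALE_URL,
    method: "POST",
    headers: {
      Authorization: `Bearer ${config.apiKey}`,
      "Content-Type": "application/json",
      // One key per order, so a double-submitted form maps to the same sale attempt.
      "Idempotency-Key": `idem_${order.id}`,
    },
    body: JSON.stringify({
      amount: order.amount, currency: order.currency,
      payment_method: "token", token_id: tokenId, merchant_id: config.merchantId,
    }),
  };
}

// Constructed sample: the browser also sent an amount, which is ignored.
const sample = buildSaleRequest(
  { token_id: "tok_a1b2c3d4e5f6", amount: "0.01" },
  { id: "ord_1001", amount: "50.00", currency: "USD" },
  { apiKey: "csk_test_xxxxxxxxxxxx", merchantId: "mrch_xxxxxxxxxx" });
console.log(sample.body);
```

Pass the returned object to your HTTP client of choice; keeping the builder free of network calls lets you unit-test the card-data rejection path.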

Save a card for future charges

To save a card for reuse, tokenize it with save: true:

const { token } = await cresora.createToken(cardElement, { save: true });
// token.id is now a reusable payment_method_id (pmid_xxx)

Reusable payment methods don't expire and can be charged as many times as needed:

{
  "payment_method": "saved_card",
  "payment_method_id": "pmid_xxxxxxxxxxxx",
  "merchant_id": "mrch_xxxxxxxxxx"
}

PCI scope

With Cresora.js tokenization, card data never touches your server. Your PCI scope reduces to SAQ A-EP. If you also use the HPP integration, you can achieve SAQ A.