
# Create token

> Create a new token in the PCI DSS scope. See [PCI Tokens overview](/products/guardian/tokens/pci-tokens) for creation sources (session vs pan) and compliance levels.




## OpenAPI

````yaml /products/guardian/openapi.yaml post /api/pci/tokens
# OpenAPI 3.1 description of the Guardian API. The `paths` section of this
# document contains a single operation, POST /api/pci/tokens.
openapi: 3.1.0
info:
  title: Guardian API
  version: '1.0'
  contact:
    name: Starfish GmbH & Co. KG
    email: hello@starfish.team
    url: https://hellgate.io/cpa/guardian
  license:
    name: Hellgate API Terms
    url: https://hellgate.io/terms-and-conditions
servers:
  # Only an https:// base URL is declared. `cluster_id` is a per-instance
  # value; the default `my-cluster-id` is a placeholder, not a real host.
  - url: https://{cluster_id}.on-hellgate.cloud
    description: Guardian service instance
    variables:
      cluster_id:
        default: my-cluster-id
        description: |
          Guardian is a service of the Hellgate Cloud Platform.
          The unique cluster-id is used to connect to your instance.
# An empty top-level `security` list means no credential is required by
# default. Each operation has to declare its own `security` requirement; an
# operation that omits it is documented as callable without authentication.
security: []
# Only the `pci` tag is referenced by the operation in this document.
tags:
  - name: pci
    description: Management of card payment credentials under the ruling of PCI DSS.
  - name: network
    description: Management of network tokens and cryptograms for secure transactions.
  - name: generic
    description: Management of generic tokens and their schemas for various use cases.
  - name: metadata
    description: Inquiries for card metadata based on PAN, PCI tokens, or network tokens.
  - name: apikey
    description: Management of API keys for service access.
  - name: webhook
    description: Management of webhooks for event notifications.
  - name: types
    description: Management of types for generic token schemas.
paths:
  # Creates a PCI token either from a hosted session or from raw card data.
  /api/pci/tokens:
    post:
      tags:
        - pci
      summary: Create token
      description: >
        Create a new token in the PCI DSS scope. See [PCI Tokens
        overview](/products/guardian/tokens/pci-tokens) for creation sources
        (session vs pan) and compliance levels.
      operationId: pci_token_create
      # NOTE(review): `requestBody.required` is not set, so the body is
      # formally optional in OpenAPI terms even though the schema requires
      # `source`. Confirm whether `required: true` is intended.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/pci_token_create_request'
            examples:
              # No card data is sent in this variant; the matching 200 example
              # returns only a session_id.
              session:
                summary: Session as Source (SAQ-A+)
                value:
                  source:
                    type: session
              # Raw PAN and security code travel in the JSON request body, so
              # the calling system handles cardholder data itself; the summary
              # labels this variant SAQ-D+. 4111111111111111 is a commonly
              # used Visa test number, not a live card.
              pan:
                summary: PAN as Source (SAQ-D+)
                value:
                  source:
                    type: pan
                    account_number: '4111111111111111'
                    expiry_month: 12
                    expiry_year: 2025
                    security_code: '123'
      responses:
        # The response shape follows the request source: a session_id for
        # `session`, a token object with masked card data for `pan`.
        '200':
          description: Success response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/pci_token_create_response'
              examples:
                session:
                  summary: Session as Source (SAQ-A+)
                  value:
                    session_id: 8744c9ea-a02b-4ae6-875c-b64fc333e3ef
                pan:
                  summary: PAN as Source (SAQ-D+)
                  value:
                    id: 8744c9ea-a02b-4ae6-875c-b64fc333e3ef
                    card:
                      cardholder_name: John Doe
                      expiry_month: 12
                      expiry_year: 2025
                      masked_account_number: 411111******1111
                      scheme: visa
                    created_at: '2023-10-01T12:00:00Z'
        # NOTE(review): only these four error responses are documented; what
        # triggers the 409 Conflict for token creation is not described here.
        '401':
          $ref: '#/components/responses/401_UnauthorizedError'
        '403':
          $ref: '#/components/responses/403_ForbiddenError'
        '409':
          $ref: '#/components/responses/409_ConflictError'
        '422':
          $ref: '#/components/responses/422_ValidationError'
      # Overrides the empty top-level `security`. The two entries are
      # alternatives: a request is authorised with either the x-api-key
      # header or the x-admin-token header.
      security:
        - APIKey: []
        - AdminToken: []
components:
  schemas:
    # Request body for POST /api/pci/tokens. Only `source` is required.
    # NOTE(review): `additionalProperties` is not restricted, so this schema
    # does not reject unknown top-level fields.
    pci_token_create_request:
      type: object
      properties:
        # Optional token lifetime in seconds; the upper bound 2592000 equals
        # 30 days. What happens when the field is omitted is not stated here.
        expires_in:
          type: integer
          minimum: 1
          maximum: 2592000
          description: |
            How many seconds after creation the token expires automatically.
        # Exactly one of the two shapes must match. They are told apart by
        # their `type` enum (`session` or `pan`); no discriminator is declared.
        source:
          oneOf:
            - $ref: '#/components/schemas/from_session_source'
            - $ref: '#/components/schemas/from_pan_source'
        metadata:
          $ref: '#/components/schemas/Metadata'
      required:
        - source
    # Success body of POST /api/pci/tokens: either a session reference or a
    # token object. `oneOf` requires that exactly one of the two matches.
    pci_token_create_response:
      type: object
      oneOf:
        - $ref: '#/components/schemas/session'
        - $ref: '#/components/schemas/pci_token'
    # Source variant that carries no card data; the only field is the
    # constant `type: session`.
    from_session_source:
      title: From Session
      type: object
      properties:
        type:
          type: string
          enum:
            - session
      required:
        - type
    # Source variant that carries cardholder data directly in the request
    # body. Everything in this object is untrusted, sensitive input.
    from_pan_source:
      title: From PAN
      type: object
      properties:
        type:
          type: string
          enum:
            - pan
        # NOTE(review): no pattern, minLength or maxLength is declared, so the
        # schema itself accepts any string. Digit-only, length and checksum
        # validation is presumably done server-side — confirm, and consider
        # expressing the accepted format here.
        account_number:
          type: string
          description: The card number (without separators)
          example: '4111111111111111'
        # Optional (not listed under `required`); no length bound is declared.
        cardholder_name:
          type: string
          description: The name of the cardholder
          example: Bob Holder
        # Only a lower bound is declared; the schema does not reject a card
        # whose expiry date is already in the past.
        expiry_year:
          type: integer
          description: The expiry year of the card
          minimum: 2000
          example: 2025
        expiry_month:
          type: integer
          description: The expiry month of the card
          minimum: 1
          maximum: 12
          example: 4
        # Optional, 3 to 4 characters; no digit-only pattern is declared.
        # The description states the service does not store it permanently.
        # Callers should treat it the same way: keep it out of request logs,
        # traces and error reports.
        security_code:
          type: string
          minLength: 3
          maxLength: 4
          example: '321'
          description: >
            The security code of the card. The system does not permanently store
            the security code; it is kept in an ephemeral position for immediate
            use.
      # cardholder_name and security_code are intentionally absent from this
      # list as far as the schema shows, i.e. both are optional.
      required:
        - type
        - account_number
        - expiry_year
        - expiry_month
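    # Free-form key-value annotations attached to a token.
    # The limits stated in the description are also expressed as JSON Schema
    # keywords so that validators and generated clients enforce them instead
    # of relying on readers of the prose.
    # NOTE(review): metadata is returned in the token object, so callers
    # should not place card numbers or other cardholder data in it.
    Metadata:
      type: object
      description: |
        Metadata consisting of key-value entries.

          * Maximum 20 key-value pairs.
          * Maximum 20 characters per key.
          * Maximum 80 characters per value.
      # At most 20 entries.
      maxProperties: 20
      # Each key is at most 20 characters long.
      propertyNames:
        maxLength: 20
      # Each value is at most 80 characters long. The description does not
      # state the value type; add `type: string` here if values are always
      # strings, as the example suggests.
      additionalProperties:
        maxLength: 80
      example:
        my_key_one: my_value_one
        my_key_two: my_value_two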
    # Response shape for the `session` source: a single UUID.
    # NOTE(review): how the session_id is used afterwards is not described in
    # this document; if it grants access to a card-entry session it should be
    # handled as a credential — confirm against the PCI Tokens overview.
    session:
      title: Session
      type: object
      properties:
        session_id:
          type: string
          format: uuid
      required:
        - session_id
    # Token object returned for the `pan` source. It exposes the token id and
    # the `card` view with a masked number; no full account number or
    # security code field is part of this schema.
    pci_token:
      title: Token
      type: object
      properties:
        id:
          type: string
          format: uuid
        card:
          $ref: '#/components/schemas/card'
        created_at:
          type: string
          format: date-time
        # Optional; presumably set when `expires_in` was supplied on creation
        # — confirm.
        expires_at:
          type: string
          format: date-time
        metadata:
          $ref: '#/components/schemas/Metadata'
      required:
        - id
        - card
        - created_at
      example:
        id: 8744c9ea-a02b-4ae6-875c-b64fc333e3ef
        card:
          cardholder_name: John Doe
          expiry_month: 12
          expiry_year: 2025
          masked_account_number: 411111******1111
          scheme: visa
        created_at: '2023-10-01T12:00:00Z'
    # Common error body used by the 401, 403 and 409 responses. None of the
    # three properties is marked as required.
    ErrorGeneric:
      type: object
      properties:
        code:
          $ref: '#/components/schemas/ErrorStatusCode'
        classifier:
          $ref: '#/components/schemas/ErrorClassifier'
        message:
          $ref: '#/components/schemas/ErrorMessage'
    # Error body of the 422 response: the generic fields plus one entry per
    # failed validation.
    # NOTE(review): for the `pan` source the rejected input can be a card
    # number or security code. Confirm that `message` only names the problem
    # and never echoes the submitted value, since error bodies are commonly
    # logged by clients.
    ErrorValidation:
      type: object
      properties:
        code:
          $ref: '#/components/schemas/ErrorStatusCode'
        classifier:
          $ref: '#/components/schemas/ErrorClassifier'
        message:
          $ref: '#/components/schemas/ErrorMessage'
        validation_errors:
          type: array
          items:
            type: object
            properties:
              # Location of the offending field inside the request body.
              path:
                type: string
                description: Json-path in the request which points to the validation error
              message:
                type: string
                description: Human readable validation message
    # Non-sensitive view of a stored card as returned inside a token.
    card:
      type: object
      properties:
        # Optional (not listed under `required`).
        cardholder_name:
          type: string
        expiry_month:
          type: integer
        expiry_year:
          type: integer
        # The example keeps the first six and last four digits and masks the
        # rest. The masking format itself is not constrained by the schema
        # (no pattern), so clients should not parse it for more than display.
        masked_account_number:
          type: string
        # Lower-case scheme names; two values contain a space.
        scheme:
          type: string
          enum:
            - visa
            - mastercard
            - american express
            - discover
            - diners club
            - jcb
            - unionpay
      required:
        - expiry_month
        - expiry_year
        - masked_account_number
        - scheme
      example:
        cardholder_name: John Doe
        expiry_month: 12
        expiry_year: 2025
        masked_account_number: 411111******1111
        scheme: visa
    # Scalar building blocks shared by ErrorGeneric and ErrorValidation.
    # Mirrors the HTTP status of the response (e.g. 401 in the 401 example).
    ErrorStatusCode:
      type: integer
      description: The corresponding HTTP status code for the error
    # Machine-readable code; the response examples use UNAUTHORIZED,
    # FORBIDDEN, CONFLICT and VALIDATION_ERROR. No enum is declared.
    ErrorClassifier:
      type: string
      description: Technical code that helps to identify the error
    # Free text intended for humans; clients should branch on `classifier`
    # or `code` rather than on this string.
    ErrorMessage:
      type: string
      description: Human readable representation of the error
  responses:
    # Returned when the request carries no valid credential (see example
    # message). The example does not reveal which header was missing or wrong.
    401_UnauthorizedError:
      description: Unauthorized
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorGeneric'
          example:
            code: 401
            message: No valid means of authentication was provided
            classifier: UNAUTHORIZED
    # Returned when the caller is authenticated but not permitted to use the
    # resource or feature (see example message).
    403_ForbiddenError:
      description: Forbidden
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorGeneric'
          example:
            code: 403
            message: Not allowed to access this resource or feature
            classifier: FORBIDDEN
    # NOTE(review): the condition that produces a conflict is not described
    # in this document.
    409_ConflictError:
      description: Conflict
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorGeneric'
          example:
            code: 409
            message: Conflict
            classifier: CONFLICT
    # Returned when the request body fails validation; `validation_errors`
    # lists one path/message pair per problem. The values in the example are
    # placeholders, not real output.
    422_ValidationError:
      description: Validation error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorValidation'
          example:
            code: 422
            classifier: VALIDATION_ERROR
            message: Validation error
            validation_errors:
              - path: json-path
                message: human readable error message
  securitySchemes:
    # Both schemes are static secrets sent in a request header on every call.
    # They belong in server-side configuration or a secret store, not in
    # browser or mobile code, and should be excluded from access logs.
    APIKey:
      type: apiKey
      name: x-api-key
      in: header
    # NOTE(review): this document does not describe how the permissions of
    # the admin token differ from those of an API key. The name suggests a
    # broader privilege — confirm, and prefer the API key for routine token
    # creation if that is the case.
    AdminToken:
      type: apiKey
      name: x-admin-token
      in: header

````