# Create token

Create a new token in the PCI/DSS scope. This type of token protects sensitive card payment credentials.

There are two ways to create the token, depending on your level of PCI/DSS compliance:

{% table %}
- Source {% width="20%" %}
- Compliance
- Description
---
-
- Min. SAQ-A+
- This is the most common way to create a token. It leverages the Guardian SDKs to securely capture the cardholder data and send it encrypted to the API.
---
-
- Min. SAQ-D+
- If you have the required compliance to handle cardholder data yourself, you can also import the full data in exchange for a token.
{% /table %}

Endpoint: POST /api/pci/tokens
Version: EAP
Security: APIKey, AdminToken

## Header parameters:

  - `x-idempotency-key` (string)
    Optional idempotency key to prevent duplicate processing
    Example: "order_12345_retry_001"

## Request fields (application/json):

  - `expiration_time` (integer)
    The expiry time specifies after how many seconds following creation the token is automatically deleted.

  - `source` (any, required)

  - `metadata` (object)
    Metadata consisting of entries, each of which includes a key and an associated value:
    * Maximum 20 key-value pairs.
    * Maximum 20 characters per key.
    * Maximum 80 characters per value.
    Example: {"my_key_one":"my_value_one","my_key_two":"my_value_two"}

## Response 401 fields (application/json):

  - `code` (integer)
    The corresponding HTTP status code for the error

  - `classifier` (string)
    Technical code that helps to identify the error

  - `message` (string)
    Human-readable representation of the error

## Response 403 fields (application/json):

  - `code` (integer)
    The corresponding HTTP status code for the error

  - `classifier` (string)
    Technical code that helps to identify the error

  - `message` (string)
    Human-readable representation of the error

## Response 409 fields (application/json):

  - `code` (integer)
    The corresponding HTTP status code for the error

  - `classifier` (string)
    Technical code that helps to identify the error

  - `message` (string)
    Human-readable representation of the error

## Response 422 fields (application/json):

  - `code` (integer)
    The corresponding HTTP status code for the error

  - `classifier` (string)
    Technical code that helps to identify the error

  - `message` (string)
    Human-readable representation of the error

  - `validation_errors` (array)

  - `validation_errors.path` (string)
    JSON path in the request which points to the validation error

  - `validation_errors.message` (string)
    Human-readable validation message
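A client-side pre-flight check for the request fields above, returning findings in the same `path`/`message` shape as the 422 `validation_errors` entries. This is an added example, not Guardian code. It assumes the `$.field` path syntax, string metadata values, and limits counted in characters, and it treats `source` as opaque. The card-number guard on metadata values is an extra defensive check, not a documented API rule.

```python
import re

MAX_PAIRS, MAX_KEY_LEN, MAX_VALUE_LEN = 20, 20, 80  # limits stated for `metadata`
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){13,19}")   # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def preflight(body):
    """Return findings shaped like the 422 `validation_errors` entries."""
    errors = []
    def err(path, message):
        errors.append({"path": path, "message": message})
    if body.get("source") is None:
        err("$.source", "source is required")
    exp = body.get("expiration_time")
    if exp is not None and (isinstance(exp, bool) or not isinstance(exp, int)):
        err("$.expiration_time", "must be an integer number of seconds")
    meta = body.get("metadata", {})
    if not isinstance(meta, dict):
        err("$.metadata", "must be an object")
        return errors
    if len(meta) > MAX_PAIRS:
        err("$.metadata", f"more than {MAX_PAIRS} key-value pairs")
    for key, value in meta.items():
        path = f"$.metadata.{key}"  # path syntax is an assumption
        if len(key) > MAX_KEY_LEN:
            err(path, f"key longer than {MAX_KEY_LEN} characters")
        if not isinstance(value, str):  # assumption: values are strings
            err(path, "value must be a string")
            continue
        if len(value) > MAX_VALUE_LEN:
            err(path, f"value longer than {MAX_VALUE_LEN} characters")
        # Added guard, not an API rule: keep card numbers out of free-form metadata.
        for m in PAN_CANDIDATE.finditer(value):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                err(path, "value looks like a card number")
    return errors

if __name__ == "__main__":
    # Constructed sample; "<opaque>" stands in for the undocumented `source` object.
    sample = {"source": "<opaque>", "expiration_time": 3600,
              "metadata": {"order": "A-1001", "note": "4111 1111 1111 1111"}}
    for finding in preflight(sample):
        print(finding)
```

An empty result means the body passes these local checks only; the API's own 422 response remains authoritative.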