> ## Documentation Index
> Fetch the complete documentation index at: https://docs.y.uno/llms.txt
> Use this file to discover all available pages before exploring further.

# Invoke Forward Proxy

> Call any third-party HTTPS API with real card data through Yuno's PCI DSS Level 1 environment, referencing stored cards by vaulted_token.

Forwards your request to the destination in the `yuno-proxy-url` header, replacing `{{vaulted_token.<TOKEN>.<field>}}` expressions with real card data inside Yuno's secure environment. See the [Forward Proxy guide](/docs/security-and-compliance/pci-proxy/forward-proxy) for a step-by-step integration.

<Note>
  **Beta**

  The PCI Proxy is in beta and is enabled per account. Contact your Key Account Manager (KAM) to activate it.
</Note>

<Warning>
  **Server-side only**

  Proxy requests detokenize card data and must only be made from your backend. Never expose your `private-secret-key` in client-side code.
</Warning>

All of `GET`, `POST`, `PUT`, `PATCH`, and `DELETE` are supported — the destination receives the same method you used. Path segments and query strings appended after `/pci-proxy` are appended to the destination URL.

If you are a PCI-certified merchant and need the raw card data itself rather than a pass-through call, use [Retrieve Enrolled Payment Method by ID PCI Data](/reference/payment-methods-direct-workflow/retrieve-enrolled-payment-method-by-id-pci-api) instead.


## OpenAPI

````yaml openapi/pci-proxy/invoke-forward-proxy.json POST /pci-proxy
openapi: 3.1.0
info:
  title: pci-proxy-invoke-forward-proxy
  version: 1.0.0
servers:
  - url: https://api-sandbox.y.uno/v1
security:
  - sec0: []
    sec1: []
paths:
  /pci-proxy:
    post:
      summary: Invoke Forward Proxy
      description: >-
        Forwards your request to the destination indicated in the
        `yuno-proxy-url` header, replacing `{{vaulted_token.<TOKEN>.<field>}}`
        expressions in the body and header values with real card data inside
        Yuno's PCI DSS Level 1 environment. The destination's status code,
        headers, and body are returned unchanged. `GET`, `PUT`, `PATCH`, and
        `DELETE` are also supported and forwarded verbatim. The full destination
        (including its path and query string) is specified in `yuno-proxy-url`;
        a query string on the `/pci-proxy` request itself is rejected. Every
        proxy response carries a `yuno-proxy-request-id` header; a `401`
        returned before the request reaches the proxy is the only exception.
      operationId: invokeForwardProxy
      parameters:
        - name: yuno-proxy-url
          in: header
          required: true
          description: >-
            The complete destination URL, including its path and any query
            string (for example
            `https://api.example-processor.com/charges/ch_123/capture?expand=true`).
            Must be a public HTTPS hostname on port 443; IP addresses and
            internal networks are rejected. It must not contain
            `{{vaulted_token...}}` expressions (card data must never appear in a
            URL).
          schema:
            type: string
            example: https://api.example-processor.com/charges
        - name: yuno-proxy-timeout
          in: header
          required: false
          description: Destination timeout in seconds. Default 30, maximum 120.
          schema:
            type: integer
            minimum: 1
            maximum: 120
            example: 30
      requestBody:
        description: >-
          The body the destination API expects, with vaulted token expressions
          where card data belongs. The proxy is content-transparent: it forwards
          your body and `Content-Type` unchanged and resolves
          `{{vaulted_token.<TOKEN>.<field>}}` expressions anywhere in the raw
          body, so any content type is supported (JSON, form-encoded, XML). The
          JSON object below is illustrative. Supported fields: `number`,
          `expiration_month`, `expiration_year`, `holder_name` (the security
          code is not stored and cannot be injected). At most 20 distinct tokens
          per request; maximum body size 1 MB. Expressions are also resolved in
          header values. All non-expression content is forwarded untouched.
        content:
          application/json:
            schema:
              type: object
              additionalProperties: true
              example:
                amount: 2500
                currency: USD
                card:
                  number: >-
                    {{vaulted_token.1a2b3c4d-5678-90ab-cdef-111213141516.number}}
                  exp_month: >-
                    {{vaulted_token.1a2b3c4d-5678-90ab-cdef-111213141516.expiration_month}}
                  exp_year: >-
                    {{vaulted_token.1a2b3c4d-5678-90ab-cdef-111213141516.expiration_year}}
                  name: >-
                    {{vaulted_token.1a2b3c4d-5678-90ab-cdef-111213141516.holder_name}}
          '*/*':
            schema:
              description: >-
                Any other content type (form-encoded, XML, plain text) is
                forwarded as-is with expressions resolved in the raw body.
      responses:
        '200':
          description: >-
            Response from the destination, passed through unchanged (the actual
            status code is whatever the destination returned; check
            `yuno-proxy-destination-status`).
          headers:
            yuno-proxy-request-id:
              description: Unique identifier of this proxy invocation.
              schema:
                type: string
            yuno-proxy-destination-status:
              description: >-
                HTTP status code returned by the destination. Present only when
                the destination was reached.
              schema:
                type: integer
            yuno-proxy-replacements:
              description: Number of expressions replaced before forwarding.
              schema:
                type: integer
          content:
            application/json:
              schema:
                type: object
                additionalProperties: true
                description: The destination's response body, unchanged.
        '400':
          description: >-
            Proxy-originated request error. The `yuno-proxy-destination-status`
            header is absent because the destination was not called.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProxyError'
              examples:
                Invalid request:
                  value:
                    code: INVALID_REQUEST
                    messages:
                      - yuno-proxy-url header is required
                Expression resolution failed:
                  value:
                    code: EXPRESSION_RESOLUTION_FAILED
                    messages:
                      - >-
                        vaulted_token 1a2b3c4d-5678-90ab-cdef-111213141516 could
                        not be resolved
        '401':
          description: >-
            Authentication failed. Returned before the request reaches the
            proxy, so it carries no `yuno-proxy-*` headers.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProxyError'
              examples:
                Not authenticated:
                  value:
                    code: NOT_AUTHENTICATED
                    messages:
                      - not authenticated
                Authorization unavailable:
                  value:
                    code: AuthenticationFail
                    messages:
                      - authorization unavailable
        '403':
          description: The destination is not allowed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProxyError'
              examples:
                Destination not allowed:
                  value:
                    code: DESTINATION_NOT_ALLOWED
                    messages:
                      - destination must be a public HTTPS hostname
        '413':
          description: Request body over 1 MB.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProxyError'
              examples:
                Request too large:
                  value:
                    code: REQUEST_TOO_LARGE
                    messages:
                      - request body exceeds 1 MB
        '429':
          description: Rate limit exceeded for the account (enforced at the Yuno edge).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProxyError'
              examples:
                Too many requests:
                  value:
                    code: TOO_MANY_REQUESTS
                    messages:
                      - rate limit exceeded
        '500':
          description: Unexpected proxy-side error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProxyError'
              examples:
                Proxy error:
                  value:
                    code: PROXY_ERROR
                    messages:
                      - internal error
        '502':
          description: The destination could not be reached.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProxyError'
              examples:
                Destination unreachable:
                  value:
                    code: DESTINATION_UNREACHABLE
                    messages:
                      - connection to destination failed
        '504':
          description: The destination did not respond within the timeout.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProxyError'
              examples:
                Destination timeout:
                  value:
                    code: DESTINATION_TIMEOUT
                    messages:
                      - >-
                        destination did not respond within the configured
                        timeout
components:
  schemas:
    ProxyError:
      type: object
      properties:
        code:
          type: string
          description: Machine-readable error code.
          enum:
            - NOT_AUTHENTICATED
            - AuthenticationFail
            - INVALID_REQUEST
            - EXPRESSION_RESOLUTION_FAILED
            - DESTINATION_NOT_ALLOWED
            - REQUEST_TOO_LARGE
            - TOO_MANY_REQUESTS
            - DESTINATION_UNREACHABLE
            - DESTINATION_TIMEOUT
            - PROXY_ERROR
        messages:
          type: array
          items:
            type: string
  securitySchemes:
    sec0:
      type: apiKey
      in: header
      name: public-api-key
      x-default: <Your public-api-key>
    sec1:
      type: apiKey
      in: header
      name: private-secret-key
      x-default: <Your private-secret-key>

````