> ## Documentation Index
> Fetch the complete documentation index at: https://docs.y.uno/llms.txt
> Use this file to discover all available pages before exploring further.

# Register Destination

> Add a third-party host to your PCI Proxy allowlist so the forward proxy can send card data to it.

Adds a host to your account's destination allowlist. The [forward proxy](/reference/pci-proxy/invoke-forward-proxy) only sends card data to hosts on this list; there is no "any host" mode. See the [Destination Allowlist guide](/docs/security-and-compliance/pci-proxy/allowlist) for how matching works.

<Note>
  **Adding a destination is sensitive**

  Registering a host widens where your stored cards can be sent. Restrict who can manage the allowlist and review any unexpected additions.
</Note>


## OpenAPI

````yaml openapi/pci-proxy/manage-destinations.json POST /pci-proxy/destinations
openapi: 3.1.0
info:
  title: pci-proxy-manage-destinations
  version: 1.0.0
servers:
  - url: https://api-sandbox.y.uno/v1
security:
  - sec0: []
    sec1: []
paths:
  /pci-proxy/destinations:
    post:
      summary: Register Destination
      description: >-
        Adds a host to your account's allowlist so the forward proxy can send
        card data to it. Matching is on the exact hostname, case-insensitive;
        subdomains and wildcards are not implied. A newly registered host is
        usable within minutes.
      operationId: registerPciProxyDestination
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DestinationInput'
            example:
              hostname: api.example-processor.com
              purpose: Direct acquiring — Processor X
      responses:
        '201':
          description: The destination was registered.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Destination'
              example:
                id: 4218
                account_code: null
                hostname: api.example-processor.com
                status: ENABLED
                purpose: Direct acquiring — Processor X
                created_by: ops@merchant.com
                created_at: '2026-07-09T13:05:36Z'
                updated_at: '2026-07-09T13:05:36Z'
        '400':
          description: The request body could not be parsed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DestinationError'
              examples:
                Invalid request:
                  value:
                    code: INVALID_REQUEST
                    messages:
                      - invalid body
        '401':
          $ref: '#/components/responses/Unauthorized'
        '409':
          description: >-
            The hostname is already registered on your allowlist (for this
            account scope).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DestinationError'
              examples:
                Destination exists:
                  value:
                    code: DESTINATION_EXISTS
                    messages:
                      - destination already registered
        '422':
          description: >-
            The value is not a bare public hostname (a URL, a host with a
            scheme, port, or path, an IP address, or a wildcard).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DestinationError'
              examples:
                Invalid hostname:
                  value:
                    code: INVALID_HOSTNAME
                    messages:
                      - >-
                        hostname must be a bare public FQDN with no scheme,
                        port, path, or wildcard
components:
  schemas:
    DestinationInput:
      type: object
      required:
        - hostname
      properties:
        hostname:
          type: string
          description: >-
            The bare public hostname to allow, without scheme, port, or path
            (for example `api.example-processor.com`). Matched exactly,
            case-insensitive.
          example: api.example-processor.com
        purpose:
          type: string
          description: >-
            An optional human-readable label describing why this host is
            allowed. Shown when you list destinations.
          example: Direct acquiring — Processor X
        account_code:
          type: string
          nullable: true
          description: >-
            Optional. Restrict this destination to a single account. Omit (or
            send `null`) to allow the host for the whole organization.
          example: null
    Destination:
      type: object
      properties:
        id:
          type: integer
          format: int64
          description: >-
            Unique identifier of the destination. Use it to remove the
            destination.
          example: 4218
        account_code:
          type: string
          nullable: true
          description: >-
            The account this destination is scoped to, or `null` when it applies
            to the whole organization.
          example: null
        hostname:
          type: string
          description: The registered hostname.
          example: api.example-processor.com
        status:
          type: string
          description: Whether the destination is active.
          example: ENABLED
        purpose:
          type: string
          description: The label you provided when registering the destination.
          example: Direct acquiring — Processor X
        created_by:
          type: string
          description: The user who registered the destination.
          example: ops@merchant.com
        created_at:
          type: string
          format: date-time
          description: When the destination was registered.
          example: '2026-07-09T13:05:36Z'
        updated_at:
          type: string
          format: date-time
          description: When the destination was last changed.
          example: '2026-07-09T13:05:36Z'
    DestinationError:
      type: object
      properties:
        code:
          type: string
          description: Machine-readable error code.
          enum:
            - NOT_AUTHENTICATED
            - AuthenticationFail
            - INVALID_REQUEST
            - INVALID_HOSTNAME
            - DESTINATION_EXISTS
            - NOT_FOUND
            - INTERNAL_ERROR
        messages:
          type: array
          items:
            type: string
  responses:
    Unauthorized:
      description: Authentication failed. Missing or invalid API credentials.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/DestinationError'
          examples:
            Not authenticated:
              value:
                code: NOT_AUTHENTICATED
                messages:
                  - not authenticated
  securitySchemes:
    sec0:
      type: apiKey
      in: header
      name: public-api-key
      x-default: <Your public-api-key>
    sec1:
      type: apiKey
      in: header
      name: private-secret-key
      x-default: <Your private-secret-key>

````