Skip to main content


Malga has created this tokenization service to allow sensitive card data to be safely processed.

Through the tokenization’s API you can ensure that sensitive card data (holder name, pan, cvv) does not pass through your backend and can be sent to Malga's servers directly from your client application. A token represents sensitive card data securely stored on Malga, following PCI’s best practices, and the data is sent directly from your frontend to Malga's servers.

It is highly recommended that you perform the tokenization process directly client-side, collecting sensitive card data in your interface and sending it directly to the token API, from a token client created for this purpose, sending to your backend the identifier of the generated token that does not store sensitive data and can be transmitted normally by your servers.


Tokens are invalidated after the first use, and you cannot store the token generated for future use in recurring purchases. If you want to save the data of a card for future use, you must create a token and then request the creation of a card from the token created, so the card will be stored permanently in our vault, our secure card storage server, and you will only need to send the generated card id for future transactions.

Card token flow

You can create cards from tokens you generate, and you can assign multiple cards to the same buyer to enable future charges.


The token expiration time is 2 hours.

Creating CardId

Once a card is created, a unique cardId is generated, which can be stored in your system, since it does not contain sensitive card data, just a card identifier saved securely in the Malga’s vault.

From a generated cardId it is possible to make recurring charges, simply by sending this identifier when creating the charge.


The card's security code (CVV), which was sent during tokenization, is validated through a zero-value transaction with the card issuer, so Malga can validate that the tokenized card data is valid without the need to make an actual charge. After a successful validation of the card's data, the card’s status is: active and available for future purchases. Otherwise, the card will present status: failed and invalidated, and a new token and a new card must be generated.

Card Status

The possible statuses for a card on Malga are:

activeIf the card data is validated, the status is returned as active and cvvchecked true
failedIf the card data is not validated, the status is returned as failed and cvvchecked false
pendingIf the card data validation service is unavailable, the status is returned as pending and cvvchecked: false; While the status is pending the card can be used to create transactions, ensuring greater transactional resilience.

It is possible to send the card's CVV as an option in the billing request, being useful in scenarios where the card is in pending or active status, and this CVV is passed on to the provider, thus increasing the chances of approval in cases where you can request the security code when billing.

Credit Card’s brands Accepted

Credit Card’s brands accepted for transactions on Malga's platform are: