{"info":{"_postman_id":"b62c0a19-7847-4425-a959-063c09a4ba3f","name":"Mithras Vault API","description":"

Overview

Remus Vault is a secure API for storing, tokenizing, and proxying sensitive payment card data.

Data at rest is stored securely and only retrievable with proper authentication.
\n
Proxy endpoints support capture from third parties and sending card data to authorized destinations.
\n
All sensitive operations require valid credentials and organization-level onboarding.
\n

Getting Started

Contact Mithras Support to request onboarding, development environment and credentials:
\n
- Email: support@mithras.cloud
  \n
- Include your organization details and intended use (storage, capture, send).
  \n
\n
Receive from Mithras:
\n
- Base API URL (referred to here as https://vault_endpoint)
  \n
- API credentials (X-API-Key, X-User-Token)
  \n
- Any scope- or environment-specific guidance
  \n
\n
(Optional, for Send Card) Request target endpoint authorization:
\n
- Provide exact HTTPS URL prefix(es) and allowed HTTP method(s) to be whitelisted.
  \n
- Requests to destinations not explicitly authorized will be rejected.
  \n
\n

Authentication

All API requests must include the following headers:

X-API-Key:
\n
X-User-Token:
\n

Notes:

Credentials are issued by Mithras (request via support@mithras.cloud).
\n
Additional authorization headers may be required for specific partner flows and will be provided during onboarding if applicable.
\n

Tokens & Access

When storing a card, you receive:
\n
- vault_locker (public token identifying the stored item)
  \n
- vault_locker_key (secret key used to unlock/decrypt when permitted)
  \n
\n
Treat tokens as secrets. Do not log full values.
\n
Viewing unmasked data or CVV may be limited and is auditable; CVV retrieval is explicitly user-driven and can count as a view.
\n
Send Card replaces placeholders (e.g. %CARD_NUMBER%) in your request body with real data server-side and forwards to authorized destinations.
\n

Card Data Retrieval

If you need to access or retrieve the stored card data, please contact support@mithras.cloud and we will provide you with the relevant documentation and access procedures.

Tokenisation Profiles

Tokenisation Profiles define how card data is located and masked in third-party responses (e.g., booking payloads). Profiles are provisioned by Mithras upon request (no charge). Current commonly available profiles include: channex, channex_entity, and roomcloud.

Profile structure (simplified):

{\n  \"type\": \"json\",\n  \"schema\": {\n    \"message_node\": { \"selector\": \"$.data\" },\n    \"card_node\": { \"selector\": \"ccData.attributes\" }\n  },\n  \"card_token_placement\": {\n    \"type\": \"card_node\",\n    \"card_token_node\": \"token\"\n  },\n  \"card_node\": {\n    \"card_number\": { \"selector\": \"ccNumber\" },\n    \"cardholder_name\": { \"selector\": \"ccHolder\" },\n    \"expiration_month\": { \"selector\": \"ccExpireDate\", \"transformation\": \"substring:0,2\" },\n    \"expiration_year\": { \"selector\": \"ccExpireDate\", \"transformation\": \"substring:3,7\" },\n    \"service_code\": { \"selector\": \"ccCode\" }\n  }\n}\n\n

Notes:

Use of selectors (e.g., JSONPath) is implementation detail; you only need to specify the profile name provided during onboarding.
\n
Ask support@mithras.cloud to add or adjust profiles for your integrations.
\n

Example Profiles (provisioned by Mithras)

Channex:

{\n  \"type\": \"json\",\n  \"schema\": {\n    \"message_node\": { \"selector\": \"$.data\" },\n    \"card_node\": { \"selector\": \"attributes.guarantee\" }\n  },\n  \"card_token_placement\": {\n    \"type\": \"card_node\",\n    \"card_token_node\": \"token\",\n    \"error_node\": \"error\"\n  },\n  \"card_node\": {\n    \"card_number\": { \"selector\": \"card_number\" },\n    \"card_type\": { \"selector\": \"card_type\" },\n    \"cardholder_name\": { \"selector\": \"cardholder_name\" },\n    \"expiration_month\": { \"selector\": \"expiration_date\", \"transformation\": \"substring:0,2\" },\n    \"expiration_year\": { \"selector\": \"expiration_date\", \"transformation\": \"substring:3,7\" },\n    \"service_code\": { \"selector\": \"cvv\" }\n  }\n}\n\n

RoomCloud:

{\n  \"type\": \"json\",\n  \"schema\": {\n    \"message_node\": { \"selector\": \"$\" },\n    \"card_node\": { \"selector\": \"ccData.attributes\" }\n  },\n  \"card_token_placement\": {\n    \"type\": \"card_node\",\n    \"card_token_node\": \"token\",\n    \"error_node\": \"error\"\n  },\n  \"card_node\": {\n    \"card_number\": { \"selector\": \"ccNumber\" },\n    \"cardholder_name\": { \"selector\": \"ccHolder\" },\n    \"expiration_month\": { \"selector\": \"ccExpireDate\", \"transformation\": \"substring:0,2\" },\n    \"expiration_year\": { \"selector\": \"ccExpireDate\", \"transformation\": \"substring:3,7\" },\n    \"service_code\": { \"selector\": \"ccCode\" }\n  }\n}\n\n

Contact support@mithras.cloud to enable or customize profiles for your integration.

Special Requirements

Send Card Proxy requires prior authorization (whitelisting) of the destination HTTPS endpoint. Submit a request to support@mithras.cloud with the full URL prefix and allowed HTTP methods.
\n
Production traffic must use HTTPS exclusively.
\n

Conventions

https://vault_endpoint is a placeholder for your assigned base URL.
\n
Example requests include realistic payloads and query parameters; adapt as needed for your integration.
\n

\n","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","toc":[],"owner":"9471013","collectionId":"b62c0a19-7847-4425-a959-063c09a4ba3f","publishedId":"2sB3HnJecX","public":true,"customColor":{"top-bar":"FFFFFF","right-sidebar":"252525","highlight":"0059db"},"publishDate":"2025-09-08T21:09:25.000Z"},"item":[{"name":"Credit Card Management","item":[{"name":"Create Credit Card","id":"8d2a2093-ba57-4c1f-a86e-729cd1484ba7","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"X-API-Key","value":"","type":"text"},{"key":"X-User-Token","value":"","type":"text"},{"key":"Content-Type","value":"application/json","type":"text"}],"body":{"mode":"raw","raw":"{\n \"card\": {\n \"card_number\": \"4111111111111111\",\n \"card_type\": \"visa\",\n \"cardholder_name\": \"John Doe\",\n \"expiration_month\": 12,\n \"expiration_year\": 2027,\n \"cvv\": \"123\"\n }\n}"},"url":"https://vault_endpoint/api/v1/vault/credit-cards","description":"

Stores a new credit card securely. The response returns masked card data and a token (‘vault_locker’) for future access.

\n","urlObject":{"path":["api","v1","vault","credit-cards"],"host":["https://vault_endpoint"],"query":[],"variable":[]}},"response":[],"_postman_id":"8d2a2093-ba57-4c1f-a86e-729cd1484ba7"},{"name":"Patch Credit Card","id":"036a6633-97d1-4a19-9287-d843686184f9","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"PATCH","header":[{"key":"X-API-Key","value":"","type":"text"},{"key":"X-User-Token","value":"","type":"text"}],"url":"https://vault_endpoint/api/v1/vault/credit-cards/:vault_locker?vault_locker_key=","description":"

Refreshes encryption and metadata for a stored card.

\n","urlObject":{"path":["api","v1","vault","credit-cards",":vault_locker"],"host":["https://vault_endpoint"],"query":[{"key":"vault_locker_key","value":""}],"variable":[{"id":"d3485224-3e53-4066-a184-76bde258114a","type":"any","value":"VAULT_...","key":"vault_locker"}]}},"response":[],"_postman_id":"036a6633-97d1-4a19-9287-d843686184f9"},{"name":"Delete Credit Card","id":"49661d8b-6631-412e-975c-26ff270d8b50","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"DELETE","header":[{"key":"X-API-Key","value":"","type":"text"},{"key":"X-User-Token","value":"","type":"text"}],"url":"https://vault_endpoint/api/v1/vault/credit-cards/:vault_locker","description":"

Deletes a stored card and its metadata.

\n","urlObject":{"path":["api","v1","vault","credit-cards",":vault_locker"],"host":["https://vault_endpoint"],"query":[],"variable":[{"id":"cf5bed2a-6846-4a1e-a6b9-9331f1dce2c2","type":"any","value":"VAULT_...","key":"vault_locker"}]}},"response":[],"_postman_id":"49661d8b-6631-412e-975c-26ff270d8b50"}],"id":"3b45f863-fbfe-48e6-b591-f6a922f3005b","description":"

Create, retrieve, update, and delete stored cards. All examples use the https://vault_endpoint placeholder.

\n","_postman_id":"3b45f863-fbfe-48e6-b591-f6a922f3005b"},{"name":"Capture Proxy","item":[{"name":"Capture from Third Party","id":"9d559f12-1e78-415f-bcf7-900828229fee","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"X-API-Key","value":"","type":"text"},{"key":"X-User-Token","value":"","type":"text"}],"url":"https://vault_endpoint/api/v1/vault/capture?api_key=<3rd_party_key>&method=get&url=https://third.party.example/api/bookings&profile=channex","description":"

HTTPS only. The profile defines how card data is extracted and masked.

\n","urlObject":{"path":["api","v1","vault","capture"],"host":["https://vault_endpoint"],"query":[{"key":"api_key","value":"<3rd_party_key>"},{"key":"method","value":"get"},{"key":"url","value":"https://third.party.example/api/bookings"},{"key":"profile","value":"channex"}],"variable":[]}},"response":[],"_postman_id":"9d559f12-1e78-415f-bcf7-900828229fee"}],"id":"64d2757f-651a-487b-a265-c8a425f97e8a","description":"

Forward a request to a third-party HTTPS API, extract card data using a configured profile, store it, and return masked data with tokens.

\n","_postman_id":"64d2757f-651a-487b-a265-c8a425f97e8a"},{"name":"Send Card Proxy","item":[{"name":"Send Stored Card to Authorized Endpoint","id":"dd0615da-288f-41ec-918a-4051b6bd1c21","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"X-API-Key","value":"","type":"text"},{"key":"X-User-Token","value":"","type":"text"},{"key":"Content-Type","value":"application/json","type":"text"}],"body":{"mode":"raw","raw":"{\n \"card\": {\n \"number\": \"%CARD_NUMBER%\",\n \"holder\": \"%CARDHOLDER_NAME%\",\n \"cvv\": \"%SERVICE_CODE%\",\n \"exp_month\": \"%EXPIRATION_MM%\",\n \"exp_year\": \"%EXPIRATION_YYYY%\"\n },\n \"amount\": 1000,\n \"currency\": \"usd\"\n}"},"url":"https://vault_endpoint/api/v1/vault/cards/:vault_locker/send?api_key=&method=post&url=https://api.stripe.com/v1/charges&vault_locker_key=","description":"

Requires prior authorization of the destination URL. Placeholders are replaced with actual card data at send time.

The following placeholders can be used in request bodies and will be replaced with actual card data:
- `%CARD_NUMBER%` - The full credit card number (e.g., \"4111111111111111\")
- `%CARDHOLDER_NAME%` - The name on the card (e.g., \"John Doe\")
- `%SERVICE_CODE%` - The CVV/CVC security code (e.g., \"123\")
- `%EXPIRATION_MM%` - The expiration month as zero-padded 2 digits (e.g., \"03\")
- `%EXPIRATION_YYYY%` - The expiration year as 4 digits (e.g., \"2025\")
- `%EXPIRATION_YY%` - The expiration year as 2 digits (e.g., \"25\")

\n","urlObject":{"path":["api","v1","vault","cards",":vault_locker","send"],"host":["https://vault_endpoint"],"query":[{"description":{"content":"

Optional API key for the destination service

\n","type":"text/plain"},"key":"api_key","value":""},{"key":"method","value":"post"},{"key":"url","value":"https://api.stripe.com/v1/charges"},{"key":"vault_locker_key","value":""}],"variable":[{"type":"any","value":"VAULT_...","key":"vault_locker"}]}},"response":[],"_postman_id":"dd0615da-288f-41ec-918a-4051b6bd1c21"}],"id":"dcad4c47-6bd1-4ed9-a752-597705ad404f","description":"

Send previously stored card data to an authorized HTTPS endpoint. Destination must be pre-approved (whitelisted) by Mithras before use.

Headers guidance:

Provide target credentials in Authorization (e.g., Bearer/Basic); forwarded as-is.
Optional api_key query param adds X-API-Key to the outbound request unless you already set an X-API-Key header.
Set Content-Type required by the target (application/json, application/x-www-form-urlencoded, etc.).
Idempotency and custom headers are forwarded unchanged.

Body placeholders (applied to body only): %CARD_NUMBER%, %CARDHOLDER_NAME%, %SERVICE_CODE%, %EXPIRATION_MM%, %EXPIRATION_YYYY%.

Note: Send Card counts as a visualization/unmask operation and increments the card’s access counter (default max: 3). Upon reaching the maximum, the card is automatically deleted.

\n","_postman_id":"dcad4c47-6bd1-4ed9-a752-597705ad404f"},{"name":"Forms (optional)","item":[{"name":"Capture Card (iframe)","id":"4a3806f5-870a-418f-b2f6-a4d185cbf623","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"url":"https://vault_endpoint/api/v1/forms/capture-form?session-token=","description":"

Embed the hosted card capture form as an iframe. Example:

</div><div>  id=\\\"cardCaptureIframe\\\"\n<br></div><div>  height=\\\"320\\\"\n<br></div><div>  scrolling=\\\"no\\\"\n<br></div><div>  style=\\\"border:0; width:100%; max-width:420px;\\\"\n<br></div><div>  src=\\\"https://vault_endpoint/api/v1/forms/capture-form?session-token=SESSION_...\\\">\n<br></div><div>&lt;/iframe&gt;\n<br></div></code></pre><p >PostMessage API:</p><ul ><li ><div>Submit form:</div><pre class=javascript><code><div>const iframe = document.getElementById(&#x27;cardCaptureIframe&#x27;);\n<br></div><div>iframe.contentWindow.postMessage(&#x27;submit&#x27;, &#x27;https://vault_endpoint&#x27;);\n<br></div></code></pre></li><li ><div>Validate form (returns validity state):</div><pre class=javascript><code><div>const iframe = document.getElementById(&#x27;cardCaptureIframe&#x27;);\n<br></div><div>iframe.contentWindow.postMessage(&#x27;validate&#x27;, &#x27;https://vault_endpoint&#x27;);\n<br></div></code></pre></li><li ><div>Handle responses:</div><pre class=javascript><code><div>const PCI_PROXY_DOMAIN = &#x27;https://vault_endpoint&#x27;;\n<br></div><div>const listener = (event) => {\n<br></div><div>if (event.origin !== PCI_PROXY_DOMAIN) return;\n<br></div><div>if (event.data.valid !== undefined) {\n<br></div><div>  console.log(&#x27;card valid:&#x27;, event.data.valid);\n<br></div><div>}\n<br></div><div>if (event.data.success) {\n<br></div><div>  console.log(&#x27;submit result:&#x27;, event.data);\n<br></div><div>}\n<br></div><div>};\n<br></div><div>window.addEventListener(&#x27;message&#x27;, listener);\n<br></div></code></pre></li></ul><p >Response examples:</p><ul ><li ><div>Validate</div><pre class=json><code><div>{ \n<br></div><div>\\\"event_type\\\": \\\"validate\\\",\n<br></div><div>\\\"valid\\\": true\n<br></div><div>}\n<br></div></code></pre></li><li ><div>Submit</div><pre class=json><code><div>{\n<br></div><div>\\\"event_type\\\": \\\"submit\\\",\n<br></div><div>\\\"success\\\": true,\n<br></div><div>\\\"card\\\": {\n<br></div><div>  \\\"card_number\\\": \\\"411111******1111\\\",\n<br></div><div>  \\&quot;card_token\\&quot;: \\&quot;&lt;token&gt;\\&quot;,\n<br></div><div>  \\\"cardholder_name\\\": \\\"JOHN DOE\\\",\n<br></div><div>  \\\"expiration_month\\\": \\\"11\\\",\n<br></div><div>  \\\"expiration_year\\\": \\\"2027\\\",\n<br></div><div>  \\\"service_code\\\": \\\"***\\\",\n<br></div><div>  \\\"card_type\\\": \\\"visa\\\"\n<br></div><div>}\n<br></div><div>}\n<br></div></code></pre></li></ul><p >Optional query params (availability by onboarding):</p><ul ><li ><div><code >only</code> or <code >except</code>: comma-separated card brands (e.g., visa, mastercard).</div></li><li ><div><code >lang</code>: localized language code (e.g., en, es, it).</div></li><li ><div><code >style</code>: custom style name.</div></li><li ><div><code >service_code_optional</code>: <code >true|false</code>.</div></li><li ><div><code >service_code_visible</code>: <code >true|false</code>.</div></li></ul><p >Notes:</p><ul ><li ><div>Use a one-off session token for capture scope as provided during onboarding.</div></li><li ><div>Do not render or proxy the iframe server-side.</div></li></ul><p ></p></x-turndown>\n

\n","urlObject":{"path":["api","v1","forms","capture-form"],"host":["https://vault_endpoint"],"query":[{"key":"session-token","value":""},{"disabled":true,"key":"only","value":""},{"disabled":true,"key":"except","value":""},{"disabled":true,"key":"lang","value":""},{"disabled":true,"key":"style","value":""},{"disabled":true,"key":"service_code_optional","value":""},{"disabled":true,"key":"service_code_visible","value":""}],"variable":[]}},"response":[],"_postman_id":"4a3806f5-870a-418f-b2f6-a4d185cbf623"},{"name":"Show Card (iframe)","id":"a127c1bf-1641-4be8-a1e3-79e0cafe7920","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"url":"https://vault_endpoint/api/v1/forms/show-card?x-vault-locker=&x-vault-locker-key=&x-session-token=&x-cvv-session-token=","description":"

Embed in your UI as an iframe to display masked card details. Example iframe HTML (replace placeholders):

Notes:

Provide x-cvv-session-token to enable a user-driven button that reveals the service code (CVV) once and immediately revokes it.
\n
Load on the client side only; never render server-side.
\n
Implement 2FA for viewing.
\n
Log each view (user, time, card, IP, location).
\n

\n","urlObject":{"path":["api","v1","forms","show-card"],"host":["https://vault_endpoint"],"query":[{"key":"x-vault-locker","value":""},{"key":"x-vault-locker-key","value":""},{"key":"x-session-token","value":""},{"key":"x-cvv-session-token","value":""}],"variable":[]}},"response":[],"_postman_id":"a127c1bf-1641-4be8-a1e3-79e0cafe7920"}],"id":"848727e7-ce63-4048-94a9-3b30e0163826","description":"

Hosted display and capture flows for embedding in your application.

Iframe Security Requirements

The iframe URL must be loaded on the client-side in the user's browser (do not render server-side).
Implement 2FA for login into your system or specifically for viewing card details.
Log all view requests on your side (user, timestamp, card, IP, location).
Suspicious activity may result in temporary suspension of view functionality pending investigation.

Access Limits & Auto-Deletion

Cards are subject to a maximum access count (default: 3).
Viewing sensitive data (for example, revealing CVV via the iframe button or sending a card to a third party) increments the access count.
Masked display in the Show Card iframe does not increment the access count.
Once the maximum is reached, the card is automatically deleted. You can also delete a card at any time using the Management API (Delete Credit Card).

\n","_postman_id":"848727e7-ce63-4048-94a9-3b30e0163826"}],"variable":[{"key":"vault_endpoint","value":"https://vault_endpoint","type":"string"},{"key":"api_key","value":"","type":"string"},{"key":"user_token","value":"","type":"string"}]}