Tokenization

Tokenized card storage and card-on-file payments for Cobru.

This surface comes from Cobru legacy materials and still needs fresh sandbox verification. Treat it as a beta contract until the official OpenAPI export or a new validation pass confirms each field.

What this capability is for

Use tokenization when your integration needs to:

  • register a card once and charge it later
  • avoid collecting raw PAN details on every payment flow
  • list saved cards for the authenticated account
  • remove card-on-file records when the user requests it

Cobru flow

  1. Fetch Cobru's RSA public key from GET /base/get_constants_key_public/.
  2. Encrypt sensitive card fields client-side or in a PCI-scoped service.
  3. Register the card with POST /register_tc/.
  4. Retrieve cards with GET /list_tc/ and charge a saved instrument with POST /tc_payment/.
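
The encryption step in the flow above, as an added Node.js example that is not Cobru's code. This page does not state the padding scheme, the ciphertext encoding or the /register_tc/ field names, so RSA-OAEP with SHA-256, base64 output and the names card_number, expiration and cvv are assumptions to confirm against the sandbox; a locally generated key pair stands in for the key returned by GET /base/get_constants_key_public/.

```javascript
// Added example (not Cobru code). Assumed: PEM key, RSA-OAEP with SHA-256,
// base64 ciphertext, and the request field names used below.
const { publicEncrypt, privateDecrypt, generateKeyPairSync, constants } = require('node:crypto');

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Luhn check: reject malformed PANs before any crypto or network call.
function luhnValid(pan) {
  if (!/^\d{12,19}$/.test(pan)) return false;
  let sum = 0;
  for (let i = 0; i < pan.length; i++) {
    let d = Number(pan[pan.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Encrypt one field under the public key; returns base64 ciphertext.
function encryptField(publicKeyPem, value) {
  return publicEncrypt({ key: publicKeyPem, ...OAEP }, Buffer.from(value, 'utf8')).toString('base64');
}

// Returns the body for POST /register_tc/ plus a masked PAN that is safe to log.
function buildRegisterRequest(publicKeyPem, card) {
  if (!luhnValid(card.number)) throw new Error('invalid card number');
  const body = {
    card_number: encryptField(publicKeyPem, card.number), // hypothetical field names
    expiration: encryptField(publicKeyPem, card.expiration),
    cvv: encryptField(publicKeyPem, card.cvv),
  };
  const maskedPan = '*'.repeat(card.number.length - 4) + card.number.slice(-4);
  return { body, maskedPan };
}

// Constructed stand-in for the key in payload.data.text_long_value, so this runs offline.
const { publicKey, privateKey } = generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
// Constructed sample: a well-known test PAN, not a real card.
const sampleCard = { number: '4111111111111111', expiration: '12/30', cvv: '123' };

// Test-only helper playing the server side that holds the private key.
function decryptField(b64) {
  return privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(b64, 'base64')).toString('utf8');
}
console.log(buildRegisterRequest(publicKey, sampleCard).maskedPan);
```

Only the returned body leaves the PCI-scoped service, and only maskedPan goes to logs.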

Endpoint map

| Endpoint | Purpose | Status |
|---|---|---|
| GET /base/get_constants_key_public/ | Retrieve the RSA public key | Legacy doc |
| POST /register_tc/ | Register a credit card token | Legacy doc |
| GET /list_tc/ | List saved cards or inspect one by card_uuid | Legacy doc |
| POST /tc_payment/ | Pay with a saved or tokenized card | Legacy doc |
| DELETE /delete_tc/ | Remove a stored card | Legacy doc |

Authentication model

Cobru's Spotlight exports suggest the tokenization endpoints are authenticated user surfaces. Until sandbox verification is complete, assume:

  • standard Cobru auth headers still apply
  • requests must originate from trusted backend or PCI-scoped services
  • x-api-key never belongs in public frontend code

Example: fetch the public key

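cURL:

curl -X GET https://dev.cobru.co/base/get_constants_key_public/ \
  -H "x-api-key: $COBRU_API_KEY" \
  -H "Authorization: Bearer $COBRU_ACCESS_TOKEN"

TypeScript:

// Credentials come from the server-side environment, never from frontend code.
const accessToken = process.env.COBRU_ACCESS_TOKEN!;

const response = await fetch('https://dev.cobru.co/base/get_constants_key_public/', {
  method: 'GET',
  headers: {
    'x-api-key': process.env.COBRU_API_KEY!,
    Authorization: `Bearer ${accessToken}`,
  },
});
if (!response.ok) {
  throw new Error(`Public key request failed: ${response.status}`);
}

const payload = await response.json();
// The public key is returned in data.text_long_value.
console.log(payload.data.text_long_value);

Python:

import os

import requests

# Credentials come from the server-side environment.
response = requests.get(
    "https://dev.cobru.co/base/get_constants_key_public/",
    headers={
        "x-api-key": os.environ["COBRU_API_KEY"],
        "Authorization": f"Bearer {os.environ['COBRU_ACCESS_TOKEN']}",
    },
    timeout=10,  # do not hang indefinitely on a stalled connection
)
response.raise_for_status()  # fail loudly on 4xx/5xx instead of parsing an error body
print(response.json())

PHP:

<?php

require 'vendor/autoload.php'; // Composer autoloader for Guzzle

use GuzzleHttp\Client;

// Credentials come from the server-side environment.
$accessToken = getenv('COBRU_ACCESS_TOKEN');

$client = new Client();
$response = $client->request('GET', 'https://dev.cobru.co/base/get_constants_key_public/', [
    'headers' => [
        'x-api-key' => getenv('COBRU_API_KEY'),
        'Authorization' => 'Bearer ' . $accessToken,
    ],
]);

$payload = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
var_dump($payload);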

Operational notes
