Integration architecture

One integration. Three networks. Zero PSP in the path.

Veliro sits between your application and the card networks. Card data enters through Secure Fields, we provision Mastercard, Visa, or Amex tokens in one synchronous call, and you authorize with the acquirer you already have.

Built to PCI DSS Level 1 · SOC 2 Type II (in progress) · ISO 27001 (in progress) · SAQ-A via Secure Fields

Live trace · req_b7Hk9e2Lw · synchronous

Architecture trace from merchant checkout through Secure Fields and POST /v1/tokens to Veliro routing at api.veliro.com, then to the matching card network (Visa VTS, Mastercard MDES, or Amex AETS; Visa shown as routed in this example), and back with an active network token reference.

  • TAVV · ECI 05
  • SAQ-A contained
  • Synchronous
Integration path

From PAN to authorization in five steps.

Each step is a REST primitive with a defined PCI boundary and failure mode. No console required on the happy path.

Every mutating call accepts an Idempotency-Key so retries are safe by construction.

01 · Capture

Secure Fields SDK renders hosted card inputs in your checkout. PAN and CVV never enter your infrastructure.

sf_01HX4P2KRZ9MWF7C · session · 24h TTL · SAQ-A boundary

02 · Provision

One idempotent call enrolls the credential on the correct network. Device binding and the token reference are returned synchronously.

POST /v1/tokens · synchronous

03 · Cryptogram

Per-transaction cryptogram (TAVV, UCAF, or AEVV, depending on the network) with the correct ECI indicator and unpredictable number. Single‑use, short TTL.

POST …/cryptogram · single‑use · short TTL

04 · Authorize

Send the token and cryptogram to your acquirer of choice. Veliro is not in the authorization path.

Your acquirer API · token, not PAN

05 · Lifecycle

Signed webhooks for token updates, network‑token state changes, cryptogram invalidation, and deletion. Every delivery is individually replayable.

token.updated · HMAC-SHA256

What you do not have to write.

Bring-your-own network integrations versus Veliro as the credential layer. Build-it-yourself figures reflect typical in-house integration timelines.

Dimension                   | Bring your own                                                                  | Veliro
Network certifications      | 3 separate programs (MDES, VTS, AETS), 18–24 months each in parallel            | 0 · included in platform contract
Vault to operate            | Build and audit the vault: HSM estate, key ceremony, annual PCI                 | Tenant-isolated vault operated by Veliro under Level 1 PCI service-provider scope · included
PCI scope boundary          | Raw PAN in your stack or custom hosted fields · SAQ D likely                    | Secure Fields SDK · SAQ-A for checkout path
Time to first authorization | 9–18 months (typical for in-house builds)                                       | < 10 minutes sandbox · production in weeks, not quarters
PSP switch cost             | Re-enrollment · lost tokens · cardholder friction                               | Tokens travel with you · same tok_* on any acquirer
Scope diagram: Your application (outside the cardholder-data environment; checkout path attests as SAQ-A) · SAQ-A boundary · Veliro vault (built to PCI DSS Level 1 · FIPS 140-2 Level 3 HSM)
Vault data flow

What crosses the boundary.

A single tenant-isolated vault with explicit ingress and egress serves all three networks. The boundary is enforced by FIPS 140-2 Level 3 HSM hardware and access policy.

Visa · VTS
  Enters: Secure Fields session, BIN, device fingerprint
  Stored: tok_* · vProvisionedTokenID · network_token_state
  Leaves: Token ID, TAVV cryptogram, signed webhook

Mastercard · MDES
  Enters: PSD2 SCA context, issuer step-up handles
  Stored: tok_* · tokenUniqueReference · MDES token status
  Leaves: ECI 05/06, UCAF, RTS-aligned auth delegation

Amex · AETS
  Enters: Secure Fields session, card + device fingerprint
  Stored: tok_* · tokenRefId · AETS lifecycle state
  Leaves: AEVV cryptogram, signed webhook, audit export
Provision

Provision in one call.

The same REST contract from sandbox to live; webhook payloads signed with a rotatable secret.

Idempotent by request key
Retries are safe. Duplicate Idempotency-Key values return the original token without double-provisioning.
Encrypted card data, no PAN in transit
Submit card_data as a JWE encrypted with the public key from /.well-known/jwks.json. Veliro derives the scheme from the BIN and provisions on the matching network.
Lifecycle on the same surface
Token and network‑token state transitions arrive as signed webhooks, not a separate subscription product.
provision-token.http
POST /v1/tokens HTTP/1.1
Host: api.veliro.com
Authorization: Bearer vk_live_4kGp8x…
Idempotency-Key: checkout_9f2a1e

{
  "card_data": "eyJhbGciOiJSU0EtT0FFUC0yNTYi…",
  "country": "GB",
  "source": "CARD_ON_FILE",
  "external_customer_id": "cus_8fa92b"
}

API reference at api.veliro.com

What lifecycle owns.

Every state transition is an event with a stable ID, a timestamp, and an HMAC signature. Failed deliveries retry with exponential backoff; every past delivery is queryable and individually replayable via the deliveries endpoint.

Webhook stream · d4e5f6a7-b8c9-… · live
  1. token.created · a1b2c3d4-… · scheme: VISA · source: CARD_ON_FILE · 14:32:01.887Z · verified
  2. token.network_token.activated · b2c3d4e5-… · VTS · network_token_state: ACTIVE · 14:32:02.104Z · verified
  3. token.updated · c3d4e5f6-… · card_expiry_date: 0329 · 14:33:12.004Z · verified
  4. token.network_token.suspended · d4e5f6a7-… · network_token_state: SUSPENDED · 14:41:08.221Z · verified

Verify the Veliro-Signature HMAC on your receiving endpoint, computed over the raw request body before it is parsed; replay any past delivery with POST /v1/webhooks/{id}/deliveries/{d}/replay. Send a test event with POST /v1/webhooks/{id}/test.

Provision your first network token.

Sandbox keys ship with the same REST contract as production. Most teams authorize in under ten minutes in sandbox, and reach production in weeks, not quarters.