Skip to content
SumUp Developer

Save Customer Cards

Shows how to tokenize cards with the Payment Widget so you can save payment instruments for future charges.

About Card Tokenization

Section titled “About Card Tokenization”

In this guide, you will learn how to use the Payment Widget to store card details for future use, and how to set up recurring payments, as SumUp handles the UI/UX and consent collection for you. Alternatively, you can process payments with your own UI, following the API guidelines also provided in this document. This feature is also known as card on file or tokenization.

You will go through the following steps:

  1. Create a customer.
  2. Create checkout intended for card tokenization, where we specify it’s for tokenization purpose. This is where 3DS verification takes place. The transaction amount is instantly reimbursed.
  3. Process payment with the payment widget or process payment directly with SumUp API.
  4. Retrieve the tokenized card.
  5. Make subsequent payments with the tokenized card.

Prerequisites

Section titled “Prerequisites”
  • You have a merchant account with SumUp and have already filled in your account details.
  • You have an API Key. For more details see the Authorization Guide.
  • You have control over the backend server to retrieve data securely.

Creating Customer

Section titled “Creating Customer”

A customer resource is a representation of a person or business that is paying for a product or service. It contains personal information such as their name, contact details, postal address, as well as a unique identifier that is relevant to your business logic (customer_id).

To create a new customer resource, make a POST request to the https://api.sumup.com/v0.1/customers endpoint:

curl -X POST \
  https://api.sumup.com/v0.1/customers \
  -H "Authorization: Bearer $SUMUP_API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{
  "customer_id": "MYCUSTOMERID-123",
  "personal_details": {
    "address": {
      "city": "Venice",
      "state": "California",
      "country": "US",
      "line1": "606 Venezia Ave",
      "line2": "Front",
      "postal_code": "90291"
    },
    "birthdate": "1949-11-11",
    "email": "thedude@example.com",
    "first_name": "Jeffrey",
    "last_name": "Lebowski",
    "phone": "+1 310-555-1234"
  }
}'

You should expect a standard 201 Created response, with the customer details you passed. For more details see the create a customer endpoint. Having created the customer, we can now proceed to making a payment

Creating Checkout to Save Card

Section titled “Creating Checkout to Save Card”

Now, we need to tokenize the customer’s card, and we will need a checkout for this. The checkout resource is a representation of a payment being made by the previously created customer. It contains information such as the amount, currency, and a unique checkout_reference identifier that is relevant to your business logic.

The flow is initiated with the create a checkout endpoint. It is important to pass the customer_id parameter in this step, for future linking to a payment instrument. Critically, a purpose parameter is passed to indicate the payment type as recurring payment and process an authorization charge of the checkout amount indicated, which is instantly reimbursed. Note that this doesn’t automatically imply further payments from this customer - at this point, we’re just tokenizing the card.

To create a new checkout resource, make a POST request to the https://api.sumup.com/v0.1/checkouts endpoint.

Example of such request:

curl -X POST \
  https://api.sumup.com/v0.1/checkouts \
  -H "Authorization: Bearer $SUMUP_API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{
        "checkout_reference": "MYCHECKOUT",
        "amount": 1,
        "currency": "EUR",
        "merchant_code": "MDEERENR",
        "description": "My checkout",
        "customer_id": "MYCUSTOMERID-123",
        "purpose": "SETUP_RECURRING_PAYMENT"
      }'

You should expect a standard 201 Created response, with the checkout reference and both merchant and customer information.

{
    "amount": 1,
    "checkout_reference": "MYCHECKOUT",
    "checkout_type": "checkout",
    "currency": "EUR",
    "customer_id": "MYCUSTOMERID-123",
    "date": "2025-10-29T15:09:11.550+00:00",
    "description": "My checkout",
    "id": "7164c99b-13cb-42a1-8ba1-3c2c46a29de7",
    "merchant_code": "MDEERENR",
    "merchant_country": "PL",
    "merchant_name": "Test Account",
    "pay_to_email": "a8e019f9bb2f49159182e8bd61eb5ea6@developer.sumup.com",
    "purpose": "SETUP_RECURRING_PAYMENT",
    "status": "PENDING",
    "transactions": []
}

For more information, see the create a checkout endpoint.

Processing Request with Payment Widget

Section titled “Processing Request with Payment Widget”

The SumUp’s Payment Widget is a JavaScript library that allows you to securely process checkouts and collect card details securely, handling consent collection and 3DS verification. These steps are mandatory due to legal requirements, which is why we recommend processing the checkout with our widget.

Once you have a checkout reference from the step above, you can mount the payment widget into your website and collect the card details. Pass the checkout_reference from above as the checkoutId here.

<div id="sumup-card"></div>
<script
  type="text/javascript"
  src="https://gateway.sumup.com/gateway/ecom/card/v2/sdk.js"
></script>
<script type="text/javascript">
  SumUpCard.mount({
    id: "sumup-card",
    checkoutId: `${checkout_id}`, // Ex: '7164c99b-13cb-42a1-8ba1-3c2c46a29de7'
    onResponse: function (type, body) {
      console.log("Type", type);
      console.log("Body", body);
    },
  });
</script>

Upon mounting the Payment Widget with a recurring purpose checkout, you should see the following screen:

Card on file with payment widget
Card on file with payment widget

The user is prompted to enter their card details, give consent to store their card details and complete the checkout. The widget uses the Process Checkout endpoint to securely process the checkout. We strongly recommend using the widget over direct integration, as the widget correctly handles all legal requirements for payments.

If the previous operation is successful, and the card is stored with the Save for future payments option, a payment_instrument object containing a token representing the card is created (AKA tokenized card) for this customer.

"payment_instrument": {
    "mandate_reference": "2078683",
    "token": "6878cb7f-6515-47bf-bdd9-1408d270fdce"
}

At any time, you can fetch the list of tokenized cards of a customer by requesting them via the list payment instruments endpoint.

curl -X GET \
  "https://api.sumup.com/v0.1/customers/${CUSTOMER_ID}/payment-instruments" \
  -H "Authorization: Bearer $SUMUP_API_KEY" \
  -H "Content-Type: application/json;charset=UTF-8"

Processing Request Directly

Section titled “Processing Request Directly”

In case you want to provide a fully customized experience, you can process the request using SumUp API directly. In this case, you need to make sure to handle all legal requirements yourself. Critically, SumUp API expects the mandate object in the request. By providing the mandate object, you are stating that you have obtained the consent of the customer. The mandate object establishes the authorization framework for storing and reusing card details. It defines what the card token will be used for (only recurring payments for the time being), while also capturing technical details about the tokenization request for security and compliance purposes.

{
  "payment_type": "card",
  "installments": 1,
  "card": {
    "name": "FIRSTNAME LASTNAME",
    "number": "4111111111111111",
    "expiry_year": "2023",
    "expiry_month": "01",
    "cvv": "123",
    "zip_code": "12345"
  },
  "mandate": {
    "type": "recurrent",
    "user_agent": "Chrome: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36.",
    "user_ip": "2001:0db8:85a3:0000:0a00:8a2e:0370:7300"
  }
}

Again, a payment_instrument object containing a token representing the card is created (AKA tokenized card) for this customer.

"payment_instrument": {
    "mandate_reference": "2078683",
    "token": "6878cb7f-6515-47bf-bdd9-1408d270fdce"
}

At any time, you can fetch the list of tokenized cards of a customer by requesting them via the list payment instruments endpoint.

curl -X GET \
  "https://api.sumup.com/v0.1/customers/${CUSTOMER_ID}/payment-instruments" \
  -H "Authorization: Bearer $SUMUP_API_KEY" \
  -H "Content-Type: application/json;charset=UTF-8"

Retrieving Tokenized Card

Section titled “Retrieving Tokenized Card”

If you have successfully processed the checkout, a token representing the payment instrument (card) is created. You can now retrieve the checkout to find the token within a payment_instrument object for later recurrent payment.

{
  "id": "cd36780e-f43d-4f22-1i9e-e32a1a1bafc8",
  "checkout_reference": "0BYNWLYC7KV",
  "amount": 3.51,
  "currency": "EUR",
  ...
  "payment_instrument": {
    "token": "2fa27578-e765-5dbh-aa97-d45d3d6cdfbb"
  }
}

Processing Recurring Payments

Section titled “Processing Recurring Payments”

Having tokenized the customer’s card, you can now process recurring payments by referencing the saved token and the associated customer. Both token and customer_id fields are required.

  1. Create a checkout again. This time, it’s for the actual payment. The previous checkout was for tokenizing the card only.
  2. Process the checkout. Make sure to pass the following data (installments is only valid for the Brazilian market):
{
  "payment_type": "card",
  "installments": 1,
  "token": "{{CARD_TOKEN}}"
  "customer_id": "{{CUSTOMER_ID}}",
}

What’s Next?

Section titled “What’s Next?”

You may be interested in the following resources related to Online Payments: