Skip to main content

Cards

MuPag never handles PAN or CVV inside your system. Tokenization happens in the approved PSP flow and your backend sends only a safe token or reference.

Boundary rule

  • pk_* belongs to the approved tokenization context.
  • sk_* is still required to create a charge, subscription or card update.
  • Never log a full card number in support, analytics or runtime traces.

When this matters

  • Charges with payment_method: "credit_card"
  • Public checkout session payment steps
  • POST /v1/subscriptions/{id}/update-card when rotating the saved token

Did this page unblock the next step?

Feedback stays inside the docs flow and should never include customer or card data.