👍
Client Side
This API is open for CORS, so you can run it direct from a client side javascript. The PUBLIC key is not a secret and can be included in the client side javascript.

🚧
Use the PUBLIC key
Notice that it is the PUBLIC key that are used for tokenization calls. That is so you can do the tokenization calls from client side javascript. That way you dont have to transmit or store any card number on your server, hence you will not require any PCI certification.

❗️
Avoid PCI requirements - call client side!
If you collect card data and send the tokenization server-side, you will transmit cardholder data, hence you will require PCI certification. This API will only help you to avoid the PCI certification requirement if it is called client side, direct from the clients browser to HIPS. The token you receive from the tokenization api can however be stored server-side, and then be used for all future communication with HIPS in regards to the underlying card.

Read more about the Tokenization here: Client Side Tokenization (hips.js)