API Overview

Token Management Service Developer Guide
- Recent Revisions to This Document
- VISA Platform Connect: Specifications and Conditions for Resellers/Partners
- TERMS OF USE APPLICABLE TO CARD NETWORK TOKENS

Introduction to the Token Management Service
- Types of Tokens
  - Instrument Identifier Tokens
  - Customer Tokens
  - Shipping Address Tokens
  - Payment Instrument Tokens
  - Network Tokens

Token Management Service Workflows
- PAN Tokenization Process Using TMS
- Network Token Tokenization Process
- Push Provisioning Process
- Network Token Provisioning for Merchants
- Network Token CIT for Merchants
- Network Token MIT for Merchants
- Network Token Provisioning for Partners
- Network Token CIT for Partners
- Network Token MIT for Partners

Requesting the Token Management Service API
- HTTP Response Headers
- Case Sensitivity
- Metadata
- Patching Considerations
  - Pagination
- Supported Processors
- Test Card Numbers

Token Management Service Onboarding
- Merchant ID Hierarchy
- Merchant ID Registration
- Portfolio MIDs for Partners
- Token Vault Management
  - Configure the Token Vault Settings Using the Business Center
  - Configure the Token Vault Access Using the Business Center
  - Configure Network Tokenization Using the Business Center
- Message-Level Encryption Keys
  - Creating a Message-Level Encryption Key

Network Tokenization
- Network Token Enablement
- Network Token Onboarding—Partner Model
- Network Token Life-Cycle Management
- Network Token Life-Cycle Management Reports
- Token Requestor IDs

Manage Webhook Subscriptions
- Create a Digital Signature Key
- Create Webhook Subscription
- Retrieve the Details of a Webhook Subscription
- Update Webhook Subscription
- Delete Webhook Subscription

Network Tokens
- Authorize a Payment While Ignoring Network Token
- Update Merchant-Initiated Transaction Authorization Options
- Provision a Network Token for a Card Number
- Provision a Network Token for an Existing Instrument Identifier
- Provision a Network Token for a Consumer
- Provision a Network Token for a Token
- Retrieve a Standalone Network Token
- Delete a Standalone Network Token
- Retrieve Network Token Payment Credentials
- Retrieve Network Token AFT Payment Credentials
- Provision a Network Token with Push Provisioning
- Simulate Life-Cycle Management Events
  - Available Fields for Simulating Life-Cycle Management Events
  - REST Example: Simulating Life-Cycle Management Events
- Network Token Provision Failures

Create Multiple Tokens

Instrument Identifier Tokens
- Manage Instrument Identifier Tokens
  - Create an Instrument Identifier
  - Create an Instrument Identifier for Enrollable Network Tokens
  - Create an Instrument Identifier and Network Token Using EMV Tags
  - Retrieve an Instrument Identifier
  - Update an Instrument Identifier
  - Retrieve an Instrument Identifier's Payment Instruments
  - Retrieve an Instrument Identifier with an Unmasked Card Number
  - Delete an Instrument Identifier
- Payments with Instrument Identifier Tokens
  - Create an Instrument Identifier Token with Validated Payment Details
  - Authorize a Payment with an Instrument Identifier
  - Making a Credit with an Instrument Identifier

Payment Instrument Tokens
- Manage Payment Instrument Tokens
  - Create a Payment Instrument
  - Retrieve a Payment Instrument
  - Find Payment Instruments by Card Number
  - Retrieve a Payment Instrument with an Unmasked Card Number
  - Update a Payment Instrument
  - Delete a Payment Instrument
- Payments with Payment Instrument Tokens
  - Authorizing a Payment with a Payment Instrument
  - Making a Credit with a Payment Instrument

Customer Tokens
- Manage Customer Tokens
  - Create a Customer
  - Retrieve a Customer
  - Update a Customer
  - Delete a Customer
  - Retrieve a Customer's Default Payment with an Unmasked Card Number
  - Retrieve a Customer's Default Payment and Shipping Details
- Payments with Customer Tokens
  - Create a Customer Token with Validated Payment Details
  - Authorizing a Payment with a Customer Token
  - Making a Credit with a Customer Token
- Shipping Address Tokens
  - Manage Shipping Address Tokens
  - Create a Customer Shipping Address
  - Add a Default Shipping Address
  - Add a Non-Default Shipping Address
  - Change a Default Shipping Address
  - Retrieve a Customer Shipping Address
  - Retrieve All Customer Shipping Addresses
  - Update a Customer Shipping Address
  - Delete a Customer Shipping Address
  - Payments with Shipping Address Tokens
  - Authorizing a Payment with a Non-Default Shipping Address
- Customer Payment Instruments
  - Manage Customer Payment Instruments
    - Create a Customer Payment Instrument
    - Add a Default Payment Instrument Using Instrument Identifier
    - Add a Default Payment Instrument with Validated Payment
    - Add a Non-Default Payment Instrument Using Instrument Identifier
    - Add a Non-Default Payment Instrument with Validated Payment
    - Change a Customer's Default Payment Instrument
    - Retrieve a Customer Payment Instrument
    - Retrieve a Customer Payment Instrument with an Unmasked Card Number
    - List Payment Instruments for a Customer
    - Update a Customer Payment Instrument
    - Delete a Customer Payment Instrument
  - Payments with Customer Payment Instruments
    - Authorizing a Payment with a Non-Default Payment Instrument
    - Making a Credit with a Non-Default Payment Instrument

Payment Passkey
- Iframe Requirements
- Create Tokenized Card Authentication Options
- Authenticate with Passkey
  - Step 1: Cardholder authentication with FIDO
  - Step 2: Create payment credentials with FIDO data
- Register a Passkey and Authenticate
  - Step 1: Determine FIDO availability
  - Step 2: Cardholder authentication with FIDO
  - Step 3: Create payment credentials with FIDO data
- Step-up Authentication for Registration
  - Step-Up Authentication Methods
  - Step-up Authentication for Web Application or Phone
    - Step 1: Determine FIDO availability
    - Step 2: Cardholder authentication with FIDO
    - Step 3: Create payment credentials with FIDO data
  - Step-up Authentication for External Web Application
    - Step 1: Validate the one-time password code
    - Step 2: Determine FIDO availability
    - Step 3: Cardholder authentication with FIDO
    - Step 4: Create payment credentials with FIDO data
  - Step-up Authentication for One-Time Passwords
    - Step 1: Issuer sends a one-time password code
    - Step 2: Validate the one-time password code
    - Step 3: Determine FIDO availability
    - Step 4: Cardholder authentication with FIDO
    - Step 5: Create payment credentials with FIDO data

Tap to Add Card

Card Art
- Retrieve Card Art

BIN Lookup Service and TMS
- REST Example: Retrieving an Instrument Identifier with BIN Details

Using Token Management Service with Wallet Apps
- Manage Tokens with Wallet Apps
  - Create a New Customer Account
  - Add a New Shipping Address
  - Edit or Delete a Shipping Address
  - Create a New Payment Instrument with the Payments API
  - Edit or Delete a Payment Method
  - Change the Default Payment Method
  - Add a New Payment Method Address
  - View Wallet
- Payments with Tokens and Wallet Apps
  - Authorize a Payment

Reference Information
- Encrypt and Decrypt Data
- HTTP Status Codes

On This Page

Create a Digital Signature Key

This section describes how to create a digital signature key
. You must create a digital signature key to enable Cybersource to send notifications to your servers. We recommend that you replace the digital signature key every year. When you generate a new digital signature key, it overrides the old key and new transactions must use the new key.

Notifications that use message-level encryption must also the digital signature key.

IMPORTANT

Store the created digital signature key in a secure location in your system.

Optional Notification Validation

After you set up a webhook subscription, you can validate each notification you receive using your digital signature key. For more information, see Using the Digital Signature Key to Validate a Notification.

Endpoints

Send a POST request to one of these endpoints:

Test:

POST https://apitest.cybersource.com/kms/egress/v2/keys-sym

Production:

POST https://api.cybersource.com/kms/egress/v2/keys-sym

India Production:

POST https://api.in.cybersource.com/kms/egress/v2/keys-sym

Required Fields for Creating a Digital Signature Key

clientRequestAction: Set the value to
CREATE
.
keyInformation.expiryDuration
keyInformation.keyType: Set the value to
sharedSecret
.
keyInformation.organizationId: Set the value to the organization ID of the organization requesting the key.
keyInformation.provider: Set the value to
nrtd
.
keyInformation.tenant: Set the value to the organization ID of the organization requesting the key.

REST Example: Creating a Digital Signature Key

{
  "clientRequestAction": "CREATE",
  "keyInformation": {
    "provider": "nrtd",
    "tenant": "merchantName",
    "keyType": "sharedSecret",
    "organizationId": "merchantName"
  }
}

{
"submitTimeUtc": "2021-03-17T06:53:06+0000",
"status": "SUCCESS",
"keyInformation": {
"provider": "NRTD",
"tenant": "merchantName",
"organizationId": "merchantName",
"keyId": "bdc0fe52-091e-b0d6-e053-34b8d30a0504", //ID associated with the key in the key field
"key": "u3qgvoaJ73rLJdPLTU3moxrXyNZA4eo5dklKtIXhsAE=", //Base64 encoded key
"keyType": "sharedSecret",
"status": "Active",
"expirationDate": "2022-03-17T06:53:06+0000"
}

Back to top