Domestic scheme treatment
Use this section only if:
- Tokenization Service acts as a TSP broker for a domestic scheme or private label.
- You enable one of these xPay Wallets: Apple Pay, Google Pay, or Samsung Pay.
In push provisioning, the issuer application prepares a payload. The issuer application passes it to Tokenization Service through the token requestor (wallet provider).
This payload is called App2App enrollment data (CryptoOTP). It has two parts:
- Funding card data that contains the details to tokenize (PAN, expiry date, and so on).
- Authentication value that contains an additional security proof.
There are two implementation options for the authentication value:

- Option 1 (recommended): Tokenization Service validates the authentication value. The authentication value must follow the Thales format.
- Option 2: The issuer backend validates the authentication value. The authentication value format is issuer-dependent.
App2App enrollment data (JWE)
This section applies only to Samsung Pay and Google Pay.
The App2App enrollment data is a JWE (JSON Web Encryption), as defined in RFC 7516, with these properties:
- Use the compact serialization.
- Key type: RSA 2048-bit or 4096-bit.
- Algorithms:
  - Key encryption: RSA1_5 (deprecated) or RSA-OAEP-256
  - Content encryption: A256GCM
| Name | Description | Type or value | M/O/C |
| --- | --- | --- | --- |
| alg | Cryptographic algorithm used to encrypt the Content Encryption Key (CEK). | 'RSA1_5' (deprecated) or 'RSA-OAEP-256' | M |
| enc | Content encryption algorithm used to perform authenticated encryption on the plaintext to produce the ciphertext and the authentication tag. | 'A256GCM' | M |
| kid | Identifier of the RSA key used for key encryption. Defined during onboarding. Provided by Thales to the issuer. | string | O |
| x-gto-issuerid | Custom JWE header containing the issuerId defined during onboarding. | string | M |
| x-gto-productid | Custom JWE header containing the productId defined during onboarding. Its presence depends on your onboarding configuration. | string | O |
JWE header example:
| Name | Description | Type or value | M/O/C |
| --- | --- | --- | --- |
| fpan | FPAN of the funding card to tokenize. | string | M |
| exp | Expiry date in MMYY format. | string | O |
| issuerCardLastDigits | Last digits of the funding card to display in the wallet. | string | O |
| authvalue | Two options: (1) Thales format validated by Tokenization Service; (2) opaque identifier passed to the issuer backend in the requestCardDigitization operation. | string | C (Not required for the auxiliary flow or format 3 with Apple Pay) |
JWE plaintext example:
Full JWE example:
Authentication value (Thales format) (JWT)
This section applies only to Apple Pay, Samsung Pay, and Google Pay.
The authentication value is a JWT (JSON Web Token), as defined in RFC 7519, with these properties:
Key type: RSA 2048-bit or 4096-bit.
| Name | Description | Type or value | M/O/C |
| --- | --- | --- | --- |
| typ | Media type of the complete JWT. | 'JWT' | M |
| alg | Algorithm used in the JWT. | Supported algorithms: 'RS256', 'PS256', 'PS512' | M |
| kid | Identifier of the key used to sign the JWT. Defined during onboarding. Provided by the issuer to Thales. | string | O |
Example:
| Name | Description | Type or value | M/O/C |
| --- | --- | --- | --- |
| iss | Unique issuer identifier assigned during onboarding. | string | M |
| sub | The issuerCardRefId defined by the issuer. | string | M |
| iat | Token creation date, as defined in RFC 7519. | int | M |
| exp | Token expiration, as defined in RFC 7519. | int | M |
| productId | The card product identifier defined during onboarding. | string | O |
| nonce | Private claim used for Apple Pay. It is the nonce value that the issuer application captures through the iOS PassKit SDK. | string | C (applicable to Apple Pay only) |
| nonceSignature | Private claim used for Apple Pay. It is the nonceSignature value that the issuer application captures through the iOS PassKit SDK. | string | C (applicable to Apple Pay only) |
Examples:
Full JWT example: