# Domestic scheme treatment

Use this section only if:

* Tokenization Service acts as a TSP broker for a domestic scheme or private label.
* You enable one of these xPay Wallets: Apple Pay, Google Pay, or Samsung Pay.

In push provisioning, the issuer application prepares a payload. The issuer application passes it to Tokenization Service through the token requestor (wallet provider).

This payload is called **App2App enrollment data** (CryptoOTP). It has two parts:

* **Funding card data** that contains the details to tokenize (PAN, expiry date, and so on).
* **Authentication value** that contains an additional security proof.

There are two implementation options for the authentication value:

<figure><img src="/files/FT24GUTgNVrtladP428K" alt=""><figcaption><p>Authentication value validation options.</p></figcaption></figure>

* **Option 1 (recommended): Tokenization Service validates the authentication value.**
  * The authentication value must follow the Thales format.
* **Option 2: The issuer backend validates the authentication value.**
  * The authentication value format is issuer-dependent.

### App2App enrollment data (JWE)

{% hint style="info" %}
This section applies only to Samsung Pay and Google Pay.
{% endhint %}

The App2App enrollment data is a JWE (JSON Web Encryption), as defined in RFC 7516, with these properties:

* Use the compact serialization.
* Key type: RSA 2048-bit or 4096-bit.
* Algorithms:
  * Key encryption: `RSA1_5` (deprecated) or `RSA-OAEP-256`
  * Content encryption: `A256GCM`

| JWE HEADER      | DESCRIPTION                                                                                                                                            | VALUE                                    | MOC |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------- | --- |
| alg             | Cryptographic algorithm used to encrypt the Content Encryption Key (CEK).                                                                              | 'RSA1\_5' (deprecated) or 'RSA-OAEP-256' | M   |
| enc             | Content encryption algorithm used to perform authenticated encryption on the plaintext to produce the ciphertext and the authentication tag.          | 'A256GCM'                                | M   |
| kid             | Identifier of the RSA key used for key encryption. Defined during onboarding. Provided by Thales to the issuer.                                        | string                                   | O   |
| x-gto-issuerid  | Custom JWE header containing the `issuerId` defined during onboarding.                                                                                 | string                                   | M   |
| x-gto-productid | <p>Custom JWE header containing the <code>productId</code> defined during onboarding.</p><p>Its presence depends on your onboarding configuration.</p> | string                                   | O   |

JWE header example:

```json
{
    "alg":"RSA1_5",
    "enc":"A256GCM",
    "kid":"key_123",
    "x-gto-issuerid":"IssuerABC",
    "x-gto-productid":"Product123"
}
```

| JWE PLAINTEXT        | DESCRIPTION                                                                                                                                                                                       | TYPE   | MOC                                                                |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | ------------------------------------------------------------------ |
| fpan                 | FPAN of the funding card to tokenize.                                                                                                                                                             | string | M                                                                  |
| exp                  | Expiry date in `MMYY` format.                                                                                                                                                                     | string | O                                                                  |
| issuerCardLastDigits | Last digits of the funding card to display in the wallet.                                                                                                                                         | string | O                                                                  |
| authvalue            | <p>Two options:</p><ol><li>Thales format validated by Tokenization Service</li><li>Opaque identifier passed to the issuer backend in the <code>requestCardDigitization</code> operation</li></ol> | string | C (Not required for the auxiliary flow or format 3 with Apple Pay) |

JWE plaintext example:

```json
{
    "fpan":"3450163332324735",
    "authvalue":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJCYW5jb21hdEkxIiwic3ViIjoiYzQxZTdiZmQ3MWQ3ZiIsImV4cCI6MTUzMTgyOTUyNiwiaWF0IjoxNTMxODI1OTI2LCJwcm9kdWN0SWQiOiJCYW5jb21hdF9QVVJFIn0.Pjv-rS6s2O8I5IXSKi8eBxwhIDquUUYEegDQzqWqQjxAfYyQlJ7fNAt33p7cFhbWSuEVHowyy0xkYOorqZHC3TaAGMqB-pcU5KrwtGkXKUPPzdTOfUnZ8qmg1opiN1PfgCOHF0jja61QmAjcMPEHRSrTeK7EUogA-WM7ozSn6BAX0nTDb4dICr9bpksVKvB53DG5GTqTV00cX4EjSP_QuuiUpAvuiZFRcWaDzGzTECB8DptcOUmaHhuuuHIgPng5DNJeMtPvPqEmCNdSpMJ7eq-kg0RWsHmkbNpgVpk2pLm8AB_MPoq0wZ7hs660qnnU9d-9AG28VQrASsvkBolHZg",
    "exp":"0221"
}
```

Full JWE example:

```
eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMjU2R0NNIiwieC1ndG8tcHJvZHVjdGlkIjoiQmFuY29tYXRfUFVSRSIsIngtZ3RvLWlzc3VlcmlkIjoiQmFuY29tYXRJMSJ9.m0WJhih-DYQOFJBHHvJGyuMcFYMsUTeEFkfRB1YOgODMNzZoYDhyhnx2kNQWr382Zw8qc-QmhGGnrhVw5EVoffpS5CSF5JP4Y1aSffssTFTeYtGGrVWF4GWSvQGCBZs9fEJMT9SpKpCLbVl7LJXJ5oHbsFu_MG9jkYZFvyyVVJ6xq97iQE6Co8zEYD5uPrQXX7jJlqqGX1VhA_Bs1aklTgaPYvt-mpYauPl8qIKSFL2w2yJZ3LwQxffuQxCMc6aaAu5k0VWPGtez7zimRd044n5WqErUfguSTxVOLhODpB0HanOwq7YVqeE40TqOtzzgWENzNm2KSraXjXUHuL5smg.z3nyT9uJ30YRNarp.Tt3avmBS0_Svg0yxG-yq0WLJ6BZn7xEtOcYHg0465T_TAP-3tKbCsDe5RG-kGADHB6oHy-oJa1YYn3nybkBl9SVsBWBPTJ9f1gPJvtY4jLkbq7nolTr3XjvK9ljtdE2G0IbcCZ4s7pLoQHf459AxilP8U-M3R3SEayMRsJocJQOlhVBLz6rTMgKEwAV52mtPccOTPpwL351fX4ssCG4oeTcM_gB7kDMuYgHLBmCW3XCKkRg7QLBybPP7TNhBy78JHcZe8DZ3mNHfL8tFEntnEYEGAWWHUQKm3H8qYoIlEVGqAz9j-UpDfyok8wohm5RxblH0NWMitarPjH01MNouMvomfM5FCaze7PErNNoaAw5Mp5I2h0QeEI3sJJkAkbzDq0R0UEbheNbhFdm3h10qSZ-mnJCp8ju1dcneOFxxlGwCQFO13EnDKFLuj4Qvnm9ARdIoQJiqWl4M8deiRPq2jrksrlEnavyADTnr4Dj1J56KS-eI8QIlSZEMqzGKZ6LsxLkEQE7Jy9-RW1-VctBczTJvdUpk-41IxrJdeGUV8UQPQGGwZ9CCa_2gmxjxByEL0UtO0mzno8UBUaI-Rmho7xvOjHLm73fkk2OeXJzNVgbNo4f5IrEW-e6GKAMhsBudcw2upSh0u2Cew8ruvPKzfu3JNSdSUaQv8lO_Yc6yH8x4UxqsylO1hsGaEpIogkTqnMWfTJHDTkK0VVwuoDye48aOhDWv8XWIsiyMIyFp0bEDCkfKQpDCXaANUhXgqQ.fewcSD5vzA5ICFBT_XBISg
```
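The checks below cover the parts of a compact JWE that can be inspected without the private key: the five-segment layout, the protected header rules from the table above, and the segment sizes implied by RSA 2048/4096 and `A256GCM`. This is an added example, not Thales code; the function names are hypothetical and the sample token is constructed with zero bytes in place of real ciphertext.

```python
import base64
import json

def b64url_decode(seg: str) -> bytes:
    # Compact segments are base64url without padding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_jwe_envelope(compact: str) -> list:
    """Return findings for the unencrypted parts of a JWE; [] means conformant."""
    parts = compact.split(".")
    if len(parts) != 5:
        return [f"expected 5 segments, got {len(parts)}"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        key, iv, _ciphertext, tag = (b64url_decode(p) for p in parts[1:])
    except ValueError:
        return ["segment is not valid base64url / JSON"]
    if not isinstance(header, dict):
        return ["protected header is not a JSON object"]
    findings = []
    alg = header.get("alg")
    if alg not in ("RSA-OAEP-256", "RSA1_5"):
        findings.append(f"alg {alg!r} not allowed")
    elif alg == "RSA1_5":
        findings.append("warning: RSA1_5 is deprecated, use RSA-OAEP-256")
    if header.get("enc") != "A256GCM":
        findings.append("enc must be A256GCM")
    issuer = header.get("x-gto-issuerid")
    if not isinstance(issuer, str) or not issuer:
        findings.append("x-gto-issuerid is mandatory")
    for optional in ("kid", "x-gto-productid"):
        if optional in header and not isinstance(header[optional], str):
            findings.append(f"{optional} must be a string")
    if len(key) not in (256, 512):  # RSA-2048 / RSA-4096 ciphertext size
        findings.append(f"encrypted key is {len(key)} bytes, expected 256 or 512")
    if len(iv) != 12 or len(tag) != 16:  # A256GCM: 96-bit IV, 128-bit tag
        findings.append("IV/tag length does not match A256GCM")
    return findings

def build_sample(header: dict, key_len: int = 256) -> str:
    # Constructed input: zero bytes stand in for real ciphertext, no encryption is done.
    body = [bytes(key_len), bytes(12), bytes(40), bytes(16)]
    head = b64url_encode(json.dumps(header).encode())
    return ".".join([head] + [b64url_encode(b) for b in body])
```

Running the check in the issuer application's test suite catches a wrong `alg`, a missing `x-gto-issuerid`, or a key-size mismatch before the payload reaches the wallet provider.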

### Authentication value (Thales format) (JWT)

{% hint style="info" %}
This section applies only to Apple Pay, Samsung Pay, and Google Pay.
{% endhint %}

The authentication value is a JWT (JSON Web Token), as defined in RFC 7519, with these properties:

* Key type: RSA 2048-bit or 4096-bit.

| JWT HEADER | DESCRIPTION                                                                                             | VALUE                                                                                     | MOC |
| ---------- | ------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | --- |
| typ        | Media type of the complete JWT.                                                                         | 'JWT'                                                                                     | M   |
| alg        | Algorithm used in the JWT.                                                                              | <p>Supported algorithms:<br></p><ul><li>'RS256'</li><li>'PS256'</li><li>'PS512'</li></ul> | M   |
| kid        | Identifier of the key used to sign the JWT. Defined during onboarding. Provided by the issuer to Thales. | string                                                                                    | O   |

Example:

```json
{
    "typ":"JWT",
    "alg":"RS256",
    "kid":"key_456"
}
```

| JWT CLAIMS     | DESCRIPTION                                                                                                                          | VALUE  | MOC                              |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------ | -------------------------------- |
| iss            | Unique issuer identifier assigned during onboarding.                                                                                 | string | M                                |
| sub            | The `issuerCardRefId` defined by the issuer.                                                                                         | string | M                                |
| iat            | Token creation date, as defined in RFC 7519.                                                                                         | int    | M                                |
| exp            | Token expiration, as defined in RFC 7519.                                                                                            | int    | M                                |
| productId      | The card product identifier defined during onboarding.                                                                               | string | O                                |
| nonce          | Private claim used for Apple Pay. It is the `nonce` value that the issuer application captures through the iOS PassKit SDK.          | string | C (applicable to Apple Pay only) |
| nonceSignature | Private claim used for Apple Pay. It is the `nonceSignature` value that the issuer application captures through the iOS PassKit SDK. | string | C (applicable to Apple Pay only) |

Examples:

{% tabs %}
{% tab title="Base claims" %}

```json
{
    "iat":1456815010,
    "exp":1456851010,
    "iss":"IssuerABC",
    "sub":"11111",
    "productId":"Product123"
}
```

{% endtab %}

{% tab title="Apple Pay claims" %}

```json
{
    "iat":1456815010,
    "exp":1456851010,
    "iss":"acmeBank",
    "sub":"111111",
    "nonce":"iYWNtZUJhbmsiLCJzdWIiOiIxMTExMTEifQ.WIo8cL1d71CZuxQ",
    "nonceSignature":"aXNzIjoiYWNtZUJhbmsiLCJzdWIiOiIxMTExMTEifQ.WIo8cL1d71CZuxQZ2re2TnBuRfQy-6p_OowGuaN9Hp1SMSY01BN-hl1q7TI67WdP5Vz2Em6BXzOdE1I1anPzoLeJXQW-y8UVWOMQN3hLn6hYoNDYye0Y3m-_jsOIJ7a7yr33ODKmgq4ieQoceeaZNpMEGeZr1X3G2a3iS-1tP9515qgcp-UoM9TjrP5kvP1cTjVG7djsb1UNlPwbnXdMRh8cxHa4bYqZ8fJYqcMcUVLLc08C9ejNwn2lL3eX2tU9Ofkrs2sf44stDxhwSLRP3I3x15_rEMeW6FtvN83_ecmROcI"
}
```

{% endtab %}
{% endtabs %}

Full JWT example:

```
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJCYW5jb21hdEkxIiwic3ViIjoiYzQxZTdiZmQ3MWQ3ZiIsImV4cCI6MTUzMTgyOTUyNiwiaWF0IjoxNTMxODI1OTI2LCJwcm9kdWN0SWQiOiJCYW5jb21hdF9QVVJFIn0.Pjv-rS6s2O8I5IXSKi8eBxwhIDquUUYEegDQzqWqQjxAfYyQlJ7fNAt33p7cFhbWSuEVHowyy0xkYOorqZHC3TaAGMqB-pcU5KrwtGkXKUPPzdTOfUnZ8qmg1opiN1PfgCOHF0jja61QmAjcMPEHRSrTeK7EUogA-WM7ozSn6BAX0nTDb4dICr9bpksVKvB53DG5GTqTV00cX4EjSP_QuuiUpAvuiZFRcWaDzGzTECB8DptcOUmaHhuuuHIgPng5DNJeMtPvPqEmCNdSpMJ7eq-kg0RWsHmkbNpgVpk2pLm8AB_MPoq0wZ7hs660qnnU9d-9AG28VQrASsvkBolHZg
```
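The header and claim rules from the two tables above can be checked before the token is embedded as `authvalue`. This is an added example, not Thales code: the function names are hypothetical, the Apple Pay branch assumes both private claims are required for that wallet, and the sample token is constructed with a placeholder signature. The block checks structure and claims only; verifying the RSA signature with the key identified by `kid` is a separate step.

```python
import base64
import json
import time

SUPPORTED_ALGS = ("RS256", "PS256", "PS512")  # from the JWT header table

def _decode(seg):
    # base64url without padding -> parsed JSON
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_auth_value(token, expected_iss, apple_pay=False, now=None):
    """Header and claim checks only; the RSA signature must be verified separately."""
    now = int(time.time()) if now is None else now
    try:
        head_seg, claims_seg, _signature = token.split(".")
        header, claims = _decode(head_seg), _decode(claims_seg)
    except ValueError:
        return ["not a three-segment base64url JWT"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header and claims must be JSON objects"]
    findings = []
    if header.get("typ") != "JWT":
        findings.append("typ must be 'JWT'")
    if header.get("alg") not in SUPPORTED_ALGS:  # also rejects 'none' and HMAC algs
        findings.append(f"alg {header.get('alg')!r} not supported")
    for name in ("iss", "sub"):
        if not isinstance(claims.get(name), str) or not claims[name]:
            findings.append(f"{name} missing")
    iat, exp = claims.get("iat"), claims.get("exp")
    if type(iat) is not int or type(exp) is not int:
        findings.append("iat and exp must be integers")
    elif not iat <= now < exp:
        findings.append("token expired or not yet valid")
    if claims.get("iss") != expected_iss:
        findings.append("iss does not match the onboarded issuer")
    if apple_pay:  # assumption: both private claims are required for Apple Pay
        for name in ("nonce", "nonceSignature"):
            if not isinstance(claims.get(name), str):
                findings.append(f"{name} missing")
    return findings

def build_sample(header, claims):
    # Constructed token: the third segment is a placeholder, not a real signature.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"
```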


