# Overview

Mastercard Token Authentication Framework (TAF) adds an extra layer on top of Tokenization.

It authenticates the end user during an e-commerce transaction. Mastercard verifies the authentication proof and sends indicators to the Issuer in the authorization request.

## How it works <a href="#how-does-it-work" id="how-does-it-work"></a>

An ECDSA key pair is generated on the mobile device (browsers are not supported yet).

The private key stays securely on the device. The public key is shared with Mastercard TAF.

During the transaction, the end user authenticates to unlock the private key. The private key then signs a payload.

The signed payload is sent to TAF in exchange for a cryptogram.

To link the on-device private key with the server-side token, the end user completes a device binding flow that includes authentication by the issuer.

Thales provides the Thales SDK for the merchant application. It generates and secures the TAF key pair.

## End user experience <a href="#user-experience" id="user-experience"></a>

The merchant application controls the UI. The merchant can customize the end user experience.

Example:

<figure><img src="/files/Mh0eaVUYjvaoMmoCdUUO" alt=""><figcaption><p>Example of an end user authentication prompt in a merchant application.</p></figcaption></figure>

## Assets and parameters <a href="#assets-and-parameters" id="assets-and-parameters"></a>

To support Mastercard TAF, Thales introduces these assets and parameters.

| Parameter          | Description                                                                                                                                                                                                                       |
| ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| deviceId           | A 24-character string that identifies the device to bind with the token. The Thales SDK generates this value and provides it to Mastercard.                                                                                       |
| srcDigitalTokenID  | A Mastercard token identifier for a cloud token.                                                                                                                                                                                  |
| TAF ECDSA Key Pair | A key pair generated and stored once on the device. The public key is shared with TAF. The private key signs predefined payloads during device binding and transactions. The Thales SDK manages the key pair lifecycle and usage. |
| OTP                | During device binding, the end user can authenticate using an OTP. The merchant application collects the OTP and passes it to the Thales SDK.                                                                                     |
| binding            | The state that links a device to a token. A binding is either ACTIVE or DELETED. A single device can have multiple bindings.                                                                                                      |
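The trust relationship described under "How it works", combined with the ACTIVE/DELETED binding states from the table, is shown below as an added Go example. It is not Thales SDK or Mastercard TAF code. The P-256 curve, the SHA-256 digest, the `Binding` record, the function names, and the payload fields are all assumptions, because the page does not specify them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Binding models the page's device-to-token link (hypothetical server record).
type Binding struct {
	State string           // "ACTIVE" or "DELETED"
	Pub   *ecdsa.PublicKey // only the public half ever leaves the device
}

// NewDeviceKey creates the on-device key pair. P-256 is an assumption.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign runs on the device after the end user has unlocked the private key.
func Sign(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify accepts a payload only for an ACTIVE binding with a valid signature.
func Verify(b *Binding, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	return b != nil && b.State == "ACTIVE" && ecdsa.VerifyASN1(b.Pub, digest[:], sig)
}

func main() {
	priv, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	b := &Binding{State: "ACTIVE", Pub: &priv.PublicKey}
	// Constructed payload; the real TAF payload format is not shown on the page.
	payload := []byte(`{"deviceId":"0123456789abcdef01234567","nonce":"n-1"}`)
	sig, err := Sign(priv, payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("active binding:", Verify(b, payload, sig))
	b.State = "DELETED"
	fmt.Println("deleted binding:", Verify(b, payload, sig))
}
```

The verifier never holds the private key, so a signature that was valid under an ACTIVE binding stops being accepted once that binding is DELETED.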
