Welcome to our new developer portal! Use the "Ask" button to chat with our AI Agent.
Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.

Token Provisioning and Management API

TSP-API-OUT-v1-Provisioning-Management-oas2.yaml

POST /tokens

post

This method is used by TSH to request the creation of a new token.

Header parameters
x-request-idstring · min: 1 · max: 64Required

Unique request identifier use to trace function calls across system

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
cardRefIdstring · min: 1 · max: 64Required

A unique identifier of the issuer that aims to identify the funding card.
This parameter is provided by the TSH.
Upon configuration it corresponds either to issuerCardRefId or walletCardRefId (e.g. for ApplePay, it corresponds to the FPANID in such case)

walletProviderIdstring · min: 1 · max: 32Optional

Wallet Provider identifier, defined by Thales
For:

  • Apple Pay, the value is 'APPLE_PAY'
  • Samsung Pay HCE/TEE, the value is 'SPAYHCE'
  • Android Pay, the value is 'ANDROID_PAY'
  • For other wallet (such as HCE Wallet), id is provided during on-boarding phase Value always provided except for ECOM.
cipheredCardInfostring · min: 1 · max: 8196Optional

TSH sends card information as JSON encrypted using the PKCS#7 encryption scheme defined in RFC 2315/5652 using following encryption parameters:

  • The content encryption algorithm used is AES256/CBC/PKCS7Padding using a randomly generated AES key.
  • The key encryption algorithm is either RSAES-PKCS1-v1_5 (RSA/NONE/PKCS1Padding) or RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256), using the certificate provided during onboarding.
    The key encryption algorithm is defined during onboarding and is by default (if ommitted) the RSA/NONE/PKCS1Padding for legacy purpose.
    It is recommended to configure RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256) for new TSPs.
  • The encryption result is then encoded using base64.
  • The public key length in the certificate can be 2048-bit or 4096-bit.

Once deciphered, the card info contains the following information:

JSON field parameter namedescriptionMOCLength
fpanThe funding pan to digitizeMUp to 19
expThe expiry date in the format MMYYO4
cvvDepending of the OEM, this value is provided or notO3 or 4
additionalCardInfosOptional JSON Open format, in order to add additional card info - project dependentOUp to 8177

Note: If not provided, the TSP must rely on the cardRefId provided to find the funding card to digitize from its token vault.

publicKeyIdentifierstring · min: 1 · max: 32Optional

Identifier of the key used to encrypt cipheredCardInfo.
Provided by TSP to Thales during onboarding.

tokenProductIdstring · min: 1 · max: 48Optional

ID of the token product (Identify token domain).

As the token products are mapped to Issuer card products, the values shall be defined at the begining of the project with the TSP.

tokenRequestorIdstring · min: 1 · max: 48Required

ID of the token requestor in the format expected by the TSP

merchantGatewayIdstring · min: 10 · max: 10Optional

Unique identifier of the merchant gateway.
Applicable to ECOM only.

Example: MGW_123456
tokenStorageIdstring · min: 1 · max: 64Optional

Token storage unique identifier (also known as deviceId or applicationId).
Indicates the storage in which the token has been digitized.
For ApplePay, it corresponds to the device SEID.
Not applicable for ECOM.

reusedTokenIdstring · min: 1 · max: 48Optional

The tokenId provided in case the Wallet Provider wants to re-use an existing token

initialStatestring · enumOptional

Initial state of the token when created.
Default value is SUSPENDED

Example: SUSPENDEDPossible values:
Responses
200

createToken response payload

application/json
tokenIdstring · min: 1 · max: 48Required

Unique Token Identifier

post
/tokens

PUT /tokens/{tokenId}/cardInfo

put

This method is used by TSH to request the update of funding pan information of the token

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token

Header parameters
x-request-idstring · min: 1 · max: 64Required

Unique request identifier use to trace function calls across system

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
newCipheredCardInfostring · min: 1 · max: 8196Required

TSH sends new card information as JSON encrypted using the PKCS#7 encryption scheme defined in RFC 2315/5652 using following encryption parameters:

  • The content encryption algorithm used is AES256/CBC/PKCS7Padding using a randomly generated AES key.
  • The key encryption algorithm is either RSAES-PKCS1-v1_5 (RSA/NONE/PKCS1Padding) or RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256), using the certificate provided during onboarding.
    The key encryption algorithm is defined during onboarding and is by default (if ommitted) the RSA/NONE/PKCS1Padding for legacy purpose.
    It is recommended to configure RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256) for new TSPs.
  • The encryption result is then encoded using base64.
  • The public key length in the certificate can be 2048-bit or 4096-bit.

Once deciphered, the card info contains the following information:

JSON field parameter namedescriptionMOCLength
newFpanThe new funding pan value to updateOUp to 19
newExpThe new expiry date in the format MMYYO4
newAdditionalCardInfosOptional JSON Open format, in order add/update/delete additional card info - project dependentOUp to 8177

Note: At least one of the three JSON fields needs to be provided.

publicKeyIdentifierstring · min: 1 · max: 32Optional

Identifier of the key used to encrypt newCipheredCardInfo.
Provided by TSP to Thales during onboarding.

newCardRefIdstring · min: 1 · max: 64Optional

A unique identifier of the issuer that aims to identify the funding card.
This parameter is provided by the TSH.
Upon configuration it corresponds either to issuerCardRefId or walletCardRefId (e.g. for ApplePay, it corresponds to the FPANID in such case)

Responses
put
/tokens/{tokenId}/cardInfo
No content

PUT /tokens/{tokenId}/state

put

This method is used by TSH to request the update of token state

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token

Header parameters
x-request-idstring · min: 1 · max: 64Required

Unique request identifier use to trace function calls across system

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
newStatestring · enumRequired

state of the token

Possible values:
reasonstring · min: 1 · max: 16Optional

The reason of the state update

Possible values are:

reason codedescription
11001Activation from user interaction
21001Activation initiated by the issuer
21002Deletion initiated by the issuer
11002Deletion initiated by the user
21003Suspension initiated by the issuer
11003Suspension initiated by the user
21004Resumption initiated by the issuer
11004Resumption initiated by the user
Responses
put
/tokens/{tokenId}/state
No content

GET /issuers/{issuerId}/tokens/{tokenId}/credentials

get

This method is used by TSH to request the credentials of an existing token.

Path parameters
issuerIdstring · min: 10 · max: 10Required

Identifier of the issuer

tokenIdstring · min: 1 · max: 48Required

Identifier of the token

Header parameters
x-request-idstring · min: 1 · max: 64Required

Unique request identifier use to trace function calls across system

Responses
200

getTokenCredentials response payload

application/json
encryptedDatastringRequired

The token credentials data encrypted with JWE format (https://datatracker.ietf.org/doc/html/rfc7516) using following encryption parameters:

  • JWE base64url encoded string
  • "alg" (Algorithm) header parameter: ECDH-ES
  • "enc" (Encryption Algorithm) header parameter: A256GCM
  • "kid" (Key ID) header parameter: Key identifier corresponding to EC public key of the recipient
  • EC curve: P-256 The JSON object that is encrypted is defined as follows:
JSON field parameter namedescriptionMOCLength
dpanThe token PAN valueMUp to 19
expThe token expiry date in the format MMYYM4
fpanThe funding PAN valueMUp to 19
fpanExpThe funding PAN expiry date in the format MMYYM4
paymentAccountReferenceThe payment account referenceO29
serviceCodeThe service code used in track2 dataO3
psnThe token PAN sequence numberO2
Example: {"dpan:"9580981500100002", "exp":"1232", "fpan":"9680981500100003", "fpanExp":"1230", "paymentAccountReference":"23R0PAYMENTACCOUNTREFERENCEXX", "serviceCode":"123", "psn":"01"}
get
/issuers/{issuerId}/tokens/{tokenId}/credentials

POST /tokens/{tokenId}/replenishment

post

This method is used by TSH, in case of HCE, to request replenishment of payment credentials in the mobile wallet. This API only applies to TSH Pay solution (Issuer HCE wallet).

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token

Header parameters
x-request-idstring · min: 1 · max: 64Required

Unique request identifier use to trace function calls across system

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
atcstring · min: 4 · max: 4Required

Value of the application transaction counter that will be used in the next payment transaction. The ATC is encoded as an hexa string on 4 digits.

lastRepCounterstring · max: 5Required

Value of the replenishment counter for the last replenishment.

schemeTranRecordsstring · max: 2000Optional

Transaction records for the last transactions as specified by the payment scheme. The transaction records data is encoded in base 64.

schemeTranRecSigstring · max: 200Optional

Signature of the transaction records computed according to the scheme specifications and encoded in hexa.

Responses
200

requestReplenishment response payload

application/json
repCounterstring · max: 5Required

Value of the replenishment counter for the last replenishment.

post
/tokens/{tokenId}/replenishment

PUT /tokens/{tokenId}/replenishment/status

put

This method is used by TSH, in case of HCE, to notify the TSP the replenishment of payment credentials has been completed in the mobile wallet. This API only applies to TSH Pay solution (Issuer HCE wallet).

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token

Header parameters
x-request-idstring · min: 1 · max: 64Required

Unique request identifier use to trace function calls across system

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
repCounterstring · max: 5Required

Value of the replenishment counter for the last replenishment.

diversifiersstring[]Optional

Payment credential diversifier:

  • For an SUK, this is an ATC which is a string of 4 hexa digits.
  • For an LUK, this is an "YHHHHCC" Visa CBP diversifier which is a string of 7 digits.
Responses
put
/tokens/{tokenId}/replenishment/status
No content

PUT /tokens/{tokenId}/newData/status

put

This method is used by TSH to inform the TSP about the token re-personalization result in case of token renewal.

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token

Header parameters
x-request-idstring · min: 1 · max: 64Required

Unique request identifier use to trace function calls across system

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
statusstring · enumRequiredPossible values:
Responses
put
/tokens/{tokenId}/newData/status
No content

GET /healthCheck

get

This method is used by TSH to monitor TSP health. It should be used every 30 seconds in production environment.

Header parameters
x-request-idstring · min: 1 · max: 64Required

Unique request identifier use to trace function calls across system

Responses
get
/healthCheck
No content

POST /tokens/{tokenId}/reperso

post

This request is triggered when TSH has to repersonalize a token and requires all the data elements associated.

After this request, TSP shall recover all the existing elements and submit it to the TSH through Submit New Token Data.

TSH will callback TSP through the Notify Token Reperso Result to notify the profile has been pushed to the device with success. At this moment, TSP shall set the ATC to zero to sync with the ATC personalized in the device.

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token

Header parameters
x-request-idstring · min: 1 · max: 48Required

Unique request identifier use to trace function calls across system

Body
issuerIdstring · min: 10 · max: 10Optional

Unique Identifier of Issuer

Example: ISSUER1234
newTokenProductIdstring · min: 1 · max: 48Optional

ID of the token product (Identify token domain).

As the token products are mapped to Issuer card products, the values shall be defined at the begining of the project with the TSP.

Responses
post
/tokens/{tokenId}/reperso
No content

POST /listTokens

post

This method is used by TSH to request the list of tokens associated to either a funding PAN, a card reference ID or a token PAN. In case of a search by token PAN, the list returned by TSP shall contain 1 element at most.

Header parameters
x-request-idstring · min: 1 · max: 64Required

Unique request identifier use to trace function calls across system

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
cipheredCardInfostring · min: 1 · max: 8196Optional

TSH sends card information as JSON encrypted using the PKCS#7 encryption scheme defined in RFC 2315/5652 using following encryption parameters:

  • The content encryption algorithm used is AES256/CBC/PKCS7Padding using a randomly generated AES key.
  • The key encryption algorithm is either RSAES-PKCS1-v1_5 (RSA/NONE/PKCS1Padding) or RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256), using the certificate provided during onboarding.
    The key encryption algorithm is defined during onboarding and is by default (if ommitted) the RSA/NONE/PKCS1Padding for legacy purpose.
    It is recommended to configure RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256) for new TSPs.
  • The encryption result is then encoded using base64.
  • The public key length in the certificate can be 2048-bit or 4096-bit.

Once deciphered, the card info contains the following information:

JSON field parameter namedescriptionMOCLength
fpanThe funding panMUp to 19
cipheredTokenInfostring · min: 1 · max: 8196Optional

TSH sends token information as JSON encrypted using the PKCS#7 encryption scheme defined in RFC 2315/5652 using following encryption parameters:

  • The content encryption algorithm used is AES256/CBC/PKCS7Padding using a randomly generated AES key.
  • The key encryption algorithm is either RSAES-PKCS1-v1_5 (RSA/NONE/PKCS1Padding) or RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256), using the certificate provided during onboarding.
    The key encryption algorithm is defined during onboarding and is by default (if ommitted) the RSA/NONE/PKCS1Padding for legacy purpose.
    It is recommended to configure RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256) for new TSPs.
  • The encryption result is then encoded using base64.
  • The public key length in the certificate can be 2048-bit or 4096-bit.

Once deciphered, the card info contains the following information:

JSON field parameter namedescriptionMOCLength
dpanThe token PANMUp to 19
cardRefIdstring · min: 1 · max: 64Optional

A unique identifier of the issuer that aims to identify the funding card.
This parameter is provided by the TSH.
Upon configuration it corresponds either to issuerCardRefId or walletCardRefId (e.g. for ApplePay, it corresponds to the FPANID in such case)

publicKeyIdentifierstring · min: 1 · max: 32Optional

Identifier of the key used to encrypt cipheredCardInfo.
Provided by TSP to Thales during onboarding.

Responses
200

listTokens response payload

application/json
post
/listTokens

POST /tokens/{tokenId}/replenish

post

This request is triggered when TSH has to replenish a token. This API only applies to Google Pay solution.

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token

Header parameters
x-request-idstring · min: 1 · max: 48Required

Unique request identifier use to trace function calls across system

Body
issuerIdstring · min: 10 · max: 10Optional

Unique Identifier of Issuer

Example: ISSUER1234
Responses
200

replenishToken response payload

application/json
kekLabelstringOptional

Label of the key used to encrypt paymentKeys

kekKcvstringOptional

KCV of the Key Encryption Key

paymentKeysstringOptional

String representation of JSON array of objects containing payment keys
as defined in Data Preparation section

post
/tokens/{tokenId}/replenish

PUT /tokens/{tokenId}/replenish/done

put

This method is used by TSH to inform the TSP that the token replenishment has been done. This API only applies to Google Pay solution.

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token

Header parameters
x-request-idstring · min: 1 · max: 64Required

Unique request identifier use to trace function calls across system

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
Responses
put
/tokens/{tokenId}/replenish/done
No content

POST /merchant-gateways/{merchantGatewayId}/merchants

post

This method is used by TSH to request the creation of a new merchant.

Path parameters
merchantGatewayIdstring · min: 10 · max: 10Required

Identifier of the merchant gateway

Header parameters
x-request-idstring · min: 1 · max: 64Required

Unique request identifier use to trace function calls across system

Body
merchantNamestring · min: 1 · max: 64Required

An unique merchant name that is end user friendly.

Example: My MerchantPattern: ^[A-Za-z0-9-_. ]+$
Responses
200

createMerchant response payload

application/json
merchantIdstring · min: 11 · max: 11Required

Merchant ID generated by TSP.
It is computed as per EMVCo TRID format.

Example: 10610027312
post
/merchant-gateways/{merchantGatewayId}/merchants
PreviousOutgoing operations (to TSP)NextPSD2 Cryptogram Swap API

Last updated

Was this helpful?