Welcome to our new developer portal! Use the "Ask" button to chat with our AI Agent.
Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.

Token Provisioning and Management API

TSP-API-OUT-v2-Provisioning-Management-oas2.yaml

POST /tokens

post

This method is used by TSH to request the creation of a new token.

Header parameters
x-correlation-idstring · min: 1 · max: 64Required

Unique identifier used to trace function calls across systems

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
issuerCardRefIdstring · min: 1 · max: 64Optional

A unique identifier of the issuer that aims to identify the funding card.
This parameter is provided by the TSH unless it's not connected to Issuer.
This identifier might be updated by Issuer on card replacement/renewal flows.

walletCardRefIdstring · min: 1 · max: 64Required

A unique identifier of the wallet provider that aims to identify the funding card.
This parameter is provided by the TSH.
For ApplePay, it corresponds to the FPANID.
This identifier remains constant even on card replacement/renewal flows.

cipheredCardInfostring · min: 1 · max: 8196Optional

TSH sends card information as JSON encrypted using the PKCS#7 encryption scheme defined in RFC 2315/5652 using following encryption parameters:

  • The content encryption algorithm used is AES256/CBC/PKCS7Padding using a randomly generated AES key.
  • The key encryption algorithm is either RSAES-PKCS1-v1_5 (RSA/NONE/PKCS1Padding) or RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256), using the certificate provided during onboarding.
    The key encryption algorithm is defined during onboarding and is by default (if ommitted) the RSA/NONE/PKCS1Padding for legacy purpose.
    It is recommended to configure RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256) for new TSPs.
  • The encryption result is then encoded using base64.
  • The public key length in the certificate can be 2048-bit or 4096-bit.

Once deciphered, the card info contains the following information:

JSON field parameter namedescriptionMOCLength
fpanThe funding pan to digitizeMUp to 19
expThe expiry date in the format MMYYO4
cvvDepending of the OEM, this value is provided or notO3 or 4
additionalCardInfosOptional JSON Open format, in order to add additional card info - project dependentOUp to 8177

Note: If not provided, the TSP must rely on the walletCardRefId provided to find the funding card to digitize from its token vault.

publicKeyIdentifierstring · min: 1 · max: 32Optional

Identifier of the key used to encrypt cipheredCardInfo.
Provided by TSP to Thales during onboarding.

tokenProductIdstring · min: 1 · max: 48Optional

ID of the token product (Identify token domain).

As the token products are mapped to Issuer card products, the values shall be defined at the begining of the project with the TSP.

tokenRequestorIdstring · min: 1 · max: 48Required

ID of the token requestor in the format expected by the TSP

tokenStorageIdstring · min: 1 · max: 64Required

Token storage unique identifier (also known as deviceId or applicationId).
Indicates the storage in which the token has been digitized.
For ApplePay, it corresponds to the device SEID.

reusedTokenIdstring · min: 1 · max: 48Optional

The tokenId provided in case the Wallet Provider wants to re-use an existing token.
This is applicable for Apple Pay only and needs to have an agreement on this process at the beginning of a project.

initialStatestring · enumOptional

Initial state of the token when created.
Default value is SUSPENDED

Example: SUSPENDEDPossible values:
Responses
post
/tokens

PUT /tokens/{tokenId}/cardInfo

put

This method is used by TSH to request the update of funding pan information of the token

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token to update

Header parameters
x-correlation-idstring · min: 1 · max: 64Required

Unique identifier used to trace function calls across systems

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
newCipheredCardInfostring · min: 1 · max: 8196Required

TSH sends new card information as JSON encrypted using the PKCS#7 encryption scheme defined in RFC 2315/5652 using following encryption parameters:

  • The content encryption algorithm used is AES256/CBC/PKCS7Padding using a randomly generated AES key.
  • The key encryption algorithm is either RSAES-PKCS1-v1_5 (RSA/NONE/PKCS1Padding) or RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256), using the certificate provided during onboarding.
    The key encryption algorithm is defined during onboarding and is by default (if ommitted) the RSA/NONE/PKCS1Padding for legacy purpose.
    It is recommended to configure RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256) for new TSPs.
  • The encryption result is then encoded using base64.
  • The public key length in the certificate can be 2048-bit or 4096-bit.

Once deciphered, the card info contains the following information:

JSON field parameter namedescriptionMOCLength
newFpanThe new funding pan value to updateOUp to 19
newExpThe new expiry date in the format MMYYO4
newAdditionalCardInfosOptional JSON Open format, in order add/update/delete additional card info - project dependentOUp to 8177

Note: At least one of the three JSON fields needs to be provided.

publicKeyIdentifierstring · min: 1 · max: 32Optional

Identifier of the key used to encrypt newCipheredCardInfo.
Provided by TSP to Thales during onboarding.

newIssuerCardRefIdstring · min: 1 · max: 64Optional

New unique identifier of the issuer that aims to identify the funding card.

Responses
put
/tokens/{tokenId}/cardInfo
No content

PUT /tokens/{tokenId}/state

put

This method is used by TSH to request the update of token state

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token to update

Header parameters
x-correlation-idstring · min: 1 · max: 64Required

Unique identifier used to trace function calls across systems

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
newStatestring · enumRequired

state of the token

Possible values:
reasonstring · min: 1 · max: 16Optional

The reason of the state update

Possible values are:

reason codedescription
11001Activation from user interaction
21001Activation initiated by the issuer
21002Deletion initiated by the issuer
11002Deletion initiated by the user
21003Suspension initiated by the issuer
11003Suspension initiated by the user
21004Resumption initiated by the issuer
11004Resumption initiated by the user
Responses
put
/tokens/{tokenId}/state
No content

POST /tokens/{tokenId}/replenishment

post

This method is used by TSH, in case of HCE, to request replenishment of payment credentials in the mobile wallet. This API only applies to TSH Pay solution (Issuer HCE wallet).

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token to update

Header parameters
x-correlation-idstring · min: 1 · max: 64Required

Unique identifier used to trace function calls across systems

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
atcstring · min: 4 · max: 4Required

Value of the application transaction counter that will be used in the next payment transaction. The ATC is encoded as an hexa string on 4 digits.

lastRepCounterstring · max: 5Required

Value of the replenishment counter for the last replenishment.

schemeTranRecordsstring · max: 2000Optional

Transaction records for the last transactions as specified by the payment scheme. The transaction records data is encoded in base 64.

schemeTranRecSigstring · max: 200Optional

Signature of the transaction records computed according to the scheme specifications and encoded in hexa.

Responses
post
/tokens/{tokenId}/replenishment

PUT /tokens/{tokenId}/replenishment/status

put

This method is used by TSH, in case of HCE, to notify the TSP the replenishment of payment credentials has been completed in the mobile wallet. This API only applies to TSH Pay solution (Issuer HCE wallet).

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token to update

Header parameters
x-correlation-idstring · min: 1 · max: 64Required

Unique identifier used to trace function calls across systems

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
repCounterstring · max: 5Required

Value of the replenishment counter for the last replenishment.

diversifiersstring[]Optional

Payment credential diversifier:

  • For an SUK, this is an ATC which is a string of 4 hexa digits.
  • For an LUK, this is an "YHHHHCC" Visa CBP diversifier which is a string of 7 digits.
Responses
put
/tokens/{tokenId}/replenishment/status
No content

PUT /tokens/{tokenId}/newData/status

put

This method is used by TSH to inform the TSP about the token re-personalization result in case of token renewal.

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token to update

Header parameters
x-correlation-idstring · min: 1 · max: 64Required

Unique identifier used to trace function calls across systems

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
statusstring · enumRequiredPossible values:
Responses
put
/tokens/{tokenId}/newData/status
No content

GET /healthCheck

get

This method is used by TSH to monitor TSP health. It should be used every 30 seconds in production environment.

Header parameters
x-request-idstring · min: 1 · max: 64Required

Unique identifier of the request

Responses
get
/healthCheck
No content

POST /tokens/{tokenId}/reperso

post

This request is triggered when TSH has to repersonalize a token and requires all the data elements associated.

After this request, TSP shall recover all the existing elements and submit it to the TSH through Submit New Token Data.

TSH will callback TSP through the Notify Token Reperso Result to notify the profile has been pushed to the device with success. At this moment, TSP shall set the ATC to zero to sync with the ATC personalized in the device.

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token to update

Header parameters
x-correlation-idstring · min: 1 · max: 64Required

Unique identifier used to trace function calls across systems

Body
issuerIdstring · min: 10 · max: 10Optional

Unique Identifier of Issuer

Example: ISSUER1234
Responses
post
/tokens/{tokenId}/reperso
No content

POST /tokens/{tokenId}/appletUpdate

post

For ApplePay only. This notification informs the TSP that the applet version was updated by Apple.

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token to update

Header parameters
x-correlation-idstring · min: 1 · max: 64Required

Unique identifier used to trace function calls across systems

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
appletVersionstring · min: 1 · max: 32Required

Only for ApplePay. Applet version as provided by the Wallet Provider.

Example: 1.22
Responses
post
/tokens/{tokenId}/appletUpdate
No content

POST /listTokens

post

This method is used by TSH to request the list of tokens associated to either a funding PAN, a card reference ID or a token PAN. In case of a search by token PAN, the list returned by TSP shall contain 1 element at most.

Header parameters
x-correlation-idstring · min: 1 · max: 64Required

Unique identifier used to trace function calls across systems

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
cipheredCardInfostring · min: 1 · max: 8196Optional

TSH sends card information as JSON encrypted using the PKCS#7 encryption scheme defined in RFC 2315/5652 using following encryption parameters:

  • The content encryption algorithm used is AES256/CBC/PKCS7Padding using a randomly generated AES key.
  • The key encryption algorithm is either RSAES-PKCS1-v1_5 (RSA/NONE/PKCS1Padding) or RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256), using the certificate provided during onboarding.
    The key encryption algorithm is defined during onboarding and is by default (if ommitted) the RSA/NONE/PKCS1Padding for legacy purpose.
    It is recommended to configure RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256) for new TSPs.
  • The encryption result is then encoded using base64.
  • The public key length in the certificate can be 2048-bit or 4096-bit.

Once deciphered, the card info contains the following information:

JSON field parameter namedescriptionMOCLength
fpanThe funding panMUp to 19
cipheredTokenInfostring · min: 1 · max: 8196Optional

TSH sends token information as JSON encrypted using the PKCS#7 encryption scheme defined in RFC 2315/5652 using following encryption parameters:

  • The content encryption algorithm used is AES256/CBC/PKCS7Padding using a randomly generated AES key.
  • The key encryption algorithm is either RSAES-PKCS1-v1_5 (RSA/NONE/PKCS1Padding) or RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256), using the certificate provided during onboarding.
    The key encryption algorithm is defined during onboarding and is by default (if ommitted) the RSA/NONE/PKCS1Padding for legacy purpose.
    It is recommended to configure RSA/NONE/OAEPWithSHA256AndMGF1Padding (with MGF1 using SHA-256) for new TSPs.
  • The encryption result is then encoded using base64.
  • The public key length in the certificate can be 2048-bit or 4096-bit.

Once deciphered, the card info contains the following information:

JSON field parameter namedescriptionMOCLength
dpanThe token PANMUp to 19
issuerCardRefIdstring · min: 1 · max: 64Optional

A unique identifier of the issuer that aims to identify the funding card.
This parameter is provided by the TSH unless it's not connected to Issuer.
This identifier might be updated by Issuer on card replacement/renewal flows.

publicKeyIdentifierstring · min: 1 · max: 32Optional

Identifier of the key used to encrypt cipheredCardInfo.
Provided by TSP to Thales during onboarding.

Responses
post
/listTokens

POST /tokens/{tokenId}/replenish

post

This request is triggered when TSH has to replenish a token. This API only applies to Google Pay solution.

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token to update

Header parameters
x-correlation-idstring · min: 1 · max: 64Required

Unique identifier used to trace function calls across systems

Body
issuerIdstring · min: 10 · max: 10Optional

Unique Identifier of Issuer

Example: ISSUER1234
Responses
post
/tokens/{tokenId}/replenish

PUT /tokens/{tokenId}/replenish/done

put

This method is used by TSH to inform the TSP that the token replenishment has been done. This API only applies to Google Pay solution.

Path parameters
tokenIdstring · min: 1 · max: 48Required

Identifier of the token to update

Header parameters
x-correlation-idstring · min: 1 · max: 64Required

Unique identifier used to trace function calls across systems

Body
issuerIdstring · min: 10 · max: 10Required

Unique Identifier of Issuer

Example: ISSUER1234
Responses
put
/tokens/{tokenId}/replenish/done
No content
PreviousOutgoing operations (to TSP)NextIncoming operations (from TSP)

Last updated

Was this helpful?