Payment Tokens

Payment tokens reduce the scope of your PCI DSS compliance. A payment token can be created using a different authentication scheme (refer to the public key authentication scheme in the Authentication section), which allows you to create the token directly from the browser, so sensitive cardholder data never has to pass through your servers. We recommend using this with our Rebilly.js library, which helps you wire a form into this API resource and create payment tokens.

Create a payment token

FramePay is the recommended way to create a payment token because it minimizes your PCI DSS compliance scope. Once a payment token is created, it can only be used once.

A payment token expires upon first use or within 30 minutes of the token creation (whichever comes first).

Request
header Parameters
Organization-Id
string (ResourceId) <= 50 characters
Deprecated

Identifier of the organization in whose scope the request is performed (if not specified, the default organization is used).

Deprecated: use servers with the /organizations/{organizationId} base path instead.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Request Body schema: application/json

PaymentToken resource.

Any of:
method
required
string

The token payment method.

Value: "payment-card"
paymentInstrument
required
object

The payment card instrument details.

pan
string

Payment Card PAN (Primary Account Number).

cvv
string

Payment Card CVV/CVC.

expMonth
integer

Payment Card expiration month.

expYear
integer

Payment Card expiration year.

billingAddress
object

The billing address object.

firstName
string or null <= 45 characters ^[\w\s\-\pL,.']+$

The contact first name.

lastName
string or null <= 45 characters ^[\w\s\-\pL,.']+$

The contact last name.

organization
string or null <= 255 characters ^[\w\s\-\pL,.'&]+$

The contact organization.

address
string or null <= 60 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact street address.

address2
string or null <= 60 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact street address (second line).

city
string or null <= 45 characters ^[\w\s\-\pL,.']+$

The contact city.

region
string or null <= 45 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact region (state).

country
string or null <= 2 characters ^[A-Z]{2}$

The contact country ISO Alpha-2 code.

postalCode
string or null <= 10 characters ^[\w\s\-]+$

The contact postal code.

Array of objects (ContactPhoneNumbers)

The list of phone numbers.

Array
label
required
string <= 45 characters

The phone label.

value
required
string <= 50 characters

The phone value.

primary
boolean

True if phone is primary.

Array of objects (ContactEmails)

The list of emails.

Array
label
required
string <= 45 characters

The email label.

value
required
string <email> <= 255 characters

The email value.

primary
boolean

True if email is primary.

riskMetadata
object

Risk metadata used for 3DS and risk scoring.

ipAddress
string <ipv4 or ipv6>

The customer's IP.

fingerprint
string <= 50 characters

The fingerprint.

object (HttpHeaders)

The HTTP headers.

property name*
string
object (Browser data)

Browser data used for 3DS and risk scoring.

colorDepth
required
integer [ 1 .. 48 ]

The browser's color depth in bits per pixel obtained using the screen.colorDepth property.

isJavaEnabled
required
boolean

Whether Java is enabled in the browser. The value is returned by the navigator.javaEnabled() method.

language
required
string <= 8 characters

The browser's language settings returned from the navigator.language property.

screenWidth
required
integer [ 0 .. 65535 ]

The browser's screen width returned from the screen.width property.

screenHeight
required
integer [ 0 .. 65535 ]

The browser's screen height returned from the screen.height property.

timeZoneOffset
required
integer [ -1410 .. 1410 ]

The browser's time zone offset in minutes from UTC. A positive offset indicates that local time is behind UTC, a negative offset that it is ahead. Obtain it with (new Date()).getTimezoneOffset().

object (Extra data)

Third party data used for risk scoring.

kountFraudSessionId
string [ 10 .. 32 ]

Alpha-numeric fraudSessionId as provided by the Kount SDK.

payPalMerchantSessionId
string [ 1 .. 64 ]

MerchantSessionID as generated by the PayPal Fraudnet SDK.

leadSource
object
medium
string

Lead source medium (eg search, display).

source
string

Lead source origin (eg google, yahoo).

campaign
string

Lead source campaign (eg go-big-123).

term
string

Lead source term (eg salt shakers).

content
string

Lead source content (eg smiley faces).

affiliate
string

Lead source affiliate (eg 123, Bob Smith).

subAffiliate
string

Lead source sub-affiliate, also called a sub-id or click id (eg 123456).

salesAgent
string

Lead source sales agent (eg James Bond).

clickId
string

Lead source click id (may come from an ad server).

path
string

Lead source path URL (eg www.example.com/some/landing/path).

referrer
string

Lead source referrer URL (eg www.example.com/some/landing/path).

Responses
201

Token was created.

401

Unauthorized access, invalid credentials were used.

403

Access forbidden.

422

Invalid data was sent.

POST /tokens
Request samples
application/json
{
  "method": "payment-card",
  "paymentInstrument": { },
  "billingAddress": { },
  "riskMetadata": { },
  "leadSource": { }
}
Response samples
application/json
{
  "method": "payment-card",
  "paymentInstrument": { },
  "billingAddress": { },
  "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  "isUsed": false,
  "riskMetadata": { },
  "createdTime": "2019-08-24T14:15:22Z",
  "updatedTime": "2019-08-24T14:15:22Z",
  "usageTime": "2019-08-24T14:15:22Z",
  "expirationTime": "2019-08-24T14:15:22Z",
  "_links": [ ]
}
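The browser-side flow the section above describes, as an added example (not Rebilly's or FramePay's code): the documented browser fields are collected and range-checked against the schema, the POST /tokens body is assembled and validated locally so that malformed input fails before it is sent, cardholder data is redacted before anything is logged, and only the resulting one-time token id is handed to the merchant server. Two things are assumed because this page does not state them: the browser-data object is sent under `riskMetadata.browserData`, and the public key credentials from the Authentication section are passed in by the caller as `authHeaders`. The `window` stub and card values used in the checks are constructed.

```javascript
// Added example, not Rebilly's or FramePay's code. Builds a POST /tokens body in
// the browser so the PAN and CVV travel straight to the tokenization endpoint and
// only the one-time token id reaches the merchant's own servers.
// Assumptions (not stated on the page): the browser-data object is sent as
// riskMetadata.browserData, and the public key credentials from the
// Authentication section are supplied by the caller as `authHeaders`.

// Documented bounds from the request schema.
const LIMITS = {
  colorDepth: [1, 48],
  screen: [0, 65535],
  timeZoneOffset: [-1410, 1410],
  languageMaxLen: 8,
};

function inRange(name, value, [min, max]) {
  if (!Number.isInteger(value) || value < min || value > max) {
    throw new RangeError(`${name}=${value} is outside [${min}..${max}]`);
  }
  return value;
}

// Collects the schema's browser fields from a window-like object. Pass the real
// `window` in a browser; a constructed stub is used for offline checks.
function collectBrowserData(win) {
  const DateImpl = win.Date || Date;
  return {
    colorDepth: inRange('colorDepth', win.screen.colorDepth, LIMITS.colorDepth),
    // navigator.javaEnabled is a method, not a property; some engines lack it.
    isJavaEnabled: typeof win.navigator.javaEnabled === 'function'
      ? Boolean(win.navigator.javaEnabled()) : false,
    // The schema allows at most 8 characters; longer BCP 47 tags are truncated.
    language: String(win.navigator.language || '').slice(0, LIMITS.languageMaxLen),
    screenWidth: inRange('screenWidth', win.screen.width, LIMITS.screen),
    screenHeight: inRange('screenHeight', win.screen.height, LIMITS.screen),
    // getTimezoneOffset() is positive when local time is behind UTC (New York in winter: 300).
    timeZoneOffset: inRange('timeZoneOffset', new DateImpl().getTimezoneOffset(), LIMITS.timeZoneOffset),
  };
}

// Patterns copied from the billingAddress schema above.
const COUNTRY = /^[A-Z]{2}$/;
const POSTAL_CODE = /^[\w\s\-]+$/;

// Validates the card fields client-side (so bad input fails locally rather than
// as a 422 round trip) and assembles the request body.
function buildTokenRequest({ pan, cvv, expMonth, expYear, billingAddress = {}, browserData }) {
  const digits = String(pan).replace(/[\s-]/g, '');
  if (!/^\d{12,19}$/.test(digits)) throw new TypeError('pan must be 12 to 19 digits');
  if (!/^\d{3,4}$/.test(String(cvv))) throw new TypeError('cvv must be 3 or 4 digits');
  inRange('expMonth', expMonth, [1, 12]);
  if (!Number.isInteger(expYear) || expYear < 1000 || expYear > 9999) {
    throw new RangeError('expYear must be a four-digit year');
  }
  const { country, postalCode } = billingAddress;
  if (country !== undefined && !COUNTRY.test(country)) throw new TypeError('country must be ISO alpha-2');
  if (postalCode !== undefined && (postalCode.length > 10 || !POSTAL_CODE.test(postalCode))) {
    throw new TypeError('postalCode must match ^[\\w\\s\\-]+$ and be at most 10 characters');
  }
  return {
    method: 'payment-card',
    paymentInstrument: { pan: digits, cvv: String(cvv), expMonth, expYear },
    billingAddress,
    riskMetadata: { browserData }, // property name assumed, see the comment at the top
  };
}

// Browser-side diagnostics must never carry cardholder data: keep only the last
// four PAN digits and drop the CVV entirely before anything is logged.
function redactForLogging(body) {
  const { pan, ...rest } = body.paymentInstrument;
  delete rest.cvv; // the CVV is never persisted or logged
  return { ...body, paymentInstrument: { ...rest, pan: `****${pan.slice(-4)}` } };
}

// A token is single-use and expires on first use or 30 minutes after creation,
// whichever comes first; check both before handing it to the server.
function isTokenUsable(token, now = new Date()) {
  return token.isUsed === false && Date.parse(token.expirationTime) > now.getTime();
}

// Posts the body to POST /tokens and returns only the token id, which is all the
// merchant server needs for the subsequent charge.
async function createPaymentToken(fetchImpl, baseUrl, authHeaders, body) {
  const res = await fetchImpl(`${baseUrl}/tokens`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', ...authHeaders },
    body: JSON.stringify(body),
  });
  if (res.status !== 201) throw new Error(`token creation failed: HTTP ${res.status}`);
  const token = await res.json();
  return token.id;
}
```

In a real page, `createPaymentToken(fetch, baseUrl, authHeaders, buildTokenRequest({ ...formValues, browserData: collectBrowserData(window) }))` runs in the form's submit handler, and the returned id is the only value posted back to your own origin; `redactForLogging(body)` is what goes to any client-side error reporter.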

Retrieve a list of tokens

Retrieve a list of tokens.

Request
query Parameters
limit
integer [ 0 .. 1000 ]

The collection items limit.

offset
integer >= 0

The collection items offset.

header Parameters
Organization-Id
string (ResourceId) <= 50 characters
Deprecated

Identifier of the organization in whose scope the request is performed (if not specified, the default organization is used).

Deprecated: use servers with the /organizations/{organizationId} base path instead.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Responses
200

A list of tokens was retrieved successfully.

401

Unauthorized access, invalid credentials were used.

403

Access forbidden.

GET /tokens
Request samples
$paymentCardTokens = $client->paymentCardTokens()->search([
    'filter' => 'token:string',
]);
Response samples
application/json
[
  { }
]

Retrieve a token

Retrieve a token with the specified identifier string.

Request
path Parameters
token
required
string

The token identifier string.

header Parameters
Organization-Id
string (ResourceId) <= 50 characters
Deprecated

Identifier of the organization in whose scope the request is performed (if not specified, the default organization is used).

Deprecated: use servers with the /organizations/{organizationId} base path instead.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Responses
200

Token was retrieved successfully.

401

Unauthorized access, invalid credentials were used.

403

Access forbidden.

404

Resource was not found.

GET /tokens/{token}
Request samples
$paymentCardToken = $client->paymentCardTokens()->load('tokenId');
Response samples
application/json
{
  "method": "payment-card",
  "paymentInstrument": { },
  "billingAddress": { },
  "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  "isUsed": false,
  "riskMetadata": { },
  "createdTime": "2019-08-24T14:15:22Z",
  "updatedTime": "2019-08-24T14:15:22Z",
  "usageTime": "2019-08-24T14:15:22Z",
  "expirationTime": "2019-08-24T14:15:22Z",
  "_links": [ ]
}

Validate a digital wallet session

FramePay is the recommended way to validate a digital wallet session.

Request
Request Body schema: application/json

Digital wallet validation request.

type
required
string

Type of the digital wallet to validate.

validationRequest
required
object

The validation request.

validationURL
string

The URL provided by the Apple Pay SDK to perform the validation.

domainName
string

The domain where the client code, such as FramePay, is executed. It must be registered by Rebilly in the Apple Pay console before use.

displayName
string

A name of your store, suitable for display.

Responses
201

Digital wallet validation was performed.

401

Unauthorized access, invalid credentials were used.

403

Access forbidden.

422

Invalid data was sent.

POST /digital-wallets/validation
Request samples
application/json
{
  "type": "Apple Pay",
  "validationRequest": { }
}
Response samples
application/json
{
  "type": "Apple Pay",
  "validationResponse": { }
}
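The merchant-validation step above, wired into the Apple Pay `onvalidatemerchant` event, as an added example (not Rebilly's or FramePay's code). It checks the `validationURL` handed over by the Apple Pay SDK before forwarding it (HTTPS and an apple.com host; Apple serves merchant validation from hosts under that domain, and the check is an added client-side guard, not something the page requires), builds the POST /digital-wallets/validation body, and completes the `ApplePaySession` with the returned `validationResponse`. Assumptions: `domainName` and `displayName` come from the merchant's own configuration, the request uses the same authentication headers as POST /tokens, and the `session`, `fetch` and event values used for offline checks are constructed stubs.

```javascript
// Added example, not Rebilly's or FramePay's code. Handles Apple Pay's
// onvalidatemerchant event: validates the URL the SDK provides, posts the
// documented body to POST /digital-wallets/validation, and completes the session.
// Assumptions: domainName/displayName come from merchant config; `authHeaders`
// are the same credentials used for POST /tokens; `session` is an ApplePaySession.

// Apple serves merchant validation from hosts under apple.com over HTTPS; anything
// else is rejected locally instead of being forwarded (added client-side guard).
function assertAppleValidationUrl(validationURL) {
  let url;
  try {
    url = new URL(validationURL);
  } catch {
    throw new TypeError('validationURL is not a URL');
  }
  if (url.protocol !== 'https:') throw new TypeError('validationURL must use https');
  if (url.hostname !== 'apple.com' && !url.hostname.endsWith('.apple.com')) {
    throw new TypeError(`unexpected validation host ${url.hostname}`);
  }
  return url.href;
}

// Builds the request body described in the schema above.
function buildWalletValidationRequest({ validationURL, domainName, displayName }) {
  // domainName is the registered host where FramePay (or this code) runs, not a URL.
  if (!/^[a-z0-9.-]+$/i.test(domainName)) throw new TypeError('domainName must be a bare host name');
  if (!displayName) throw new TypeError('displayName is required');
  return {
    type: 'Apple Pay',
    validationRequest: {
      validationURL: assertAppleValidationUrl(validationURL),
      domainName,
      displayName,
    },
  };
}

// Event handler body. `session` and `fetchImpl` are injected so the flow can be
// exercised outside a browser; in production pass the ApplePaySession and fetch.
async function handleValidateMerchant(event, session, fetchImpl, baseUrl, authHeaders, merchant) {
  const body = buildWalletValidationRequest({ validationURL: event.validationURL, ...merchant });
  const res = await fetchImpl(`${baseUrl}/digital-wallets/validation`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', ...authHeaders },
    body: JSON.stringify(body),
  });
  if (res.status !== 201) {
    session.abort(); // never complete the session with anything but a 201 payload
    throw new Error(`digital wallet validation failed: HTTP ${res.status}`);
  }
  const { validationResponse } = await res.json();
  // The merchant session returned by Apple is opaque; pass it through unmodified.
  session.completeMerchantValidation(validationResponse);
  return validationResponse;
}
```

In a browser this is registered as `session.onvalidatemerchant = (event) => handleValidateMerchant(event, session, fetch, baseUrl, authHeaders, { domainName, displayName })`, with `domainName` matching the domain Rebilly registered in the Apple Pay console.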