Create a payment token

FramePay is the recommended way to create a payment token because it minimizes the PCI DSS compliance burden. A payment token can be used only once.

A payment token expires upon first use or within 30 minutes of the token creation (whichever comes first).

Security: PublishableApiKey or SecretApiKey or JWT
Request
Request Body schema: application/json

PaymentToken resource.

method
required
string

The token payment method.

paymentInstrument
required
object

The payment card instrument details.

expMonth
required
integer

Payment Card expiration month.

expYear
required
integer

Payment Card expiration year.

pan
string

Payment Card PAN (Primary Account Number). Required to perform a payment.

cvv
string

Payment Card CVV/CVC.

billingAddress
object

The billing address object. Required to perform payments. For payment-card updates, billingAddress can be ignored.

firstName
string or null <= 45 characters ^[\w\s\-\pL,.']+$

The contact first name.

lastName
string or null <= 45 characters ^[\w\s\-\pL,.']+$

The contact last name.

organization
string or null <= 255 characters ^[\w\s\-\pL,.'&]+$

The contact organization.

address
string or null <= 60 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact street address.

address2
string or null <= 60 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact street address (second line).

city
string or null <= 45 characters ^[\w\s\-\pL,.']+$

The contact city.

region
string or null <= 45 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact region (state).

country
string or null <= 2 characters ^[A-Z]{2}$

The contact country ISO Alpha-2 code.

postalCode
string or null <= 10 characters ^[\w\s\-]+$

The contact postal code.

Array of objects (ContactPhoneNumbers)

The list of phone numbers.

Array
label
required
string <= 45 characters

The phone label.

value
required
string <= 50 characters

The phone value.

primary
boolean

True if phone is primary.

Array of objects (ContactEmails)

The list of emails.

Array
label
required
string <= 45 characters

The email label.

value
required
string <email> <= 255 characters

The email value.

primary
boolean

True if email is primary.

dob
string or null <date>

The contact's date of birth in ISO-8601 format (yyyy-mm-dd).

jobTitle
string or null <= 255 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact's job title.

riskMetadata
object (Risk metadata)

Risk metadata used for 3DS and risk scoring.

ipAddress
string <ipv4 or ipv6>

The customer's IP.

fingerprint
string <= 50 characters

The fingerprint.

object (HttpHeaders)

The HTTP headers.

property name*
additional property
string
object (Browser data)

Browser data used for 3DS and risk scoring.

colorDepth
required
integer [ 1 .. 48 ]

The browser's color depth in bits per pixel obtained using the screen.colorDepth property.

isJavaEnabled
required
boolean

Whether Java is enabled in a browser or not. Value is returned from the navigator.javaEnabled property.

language
required
string <= 8 characters

The browser's language settings returned from the navigator.language property.

screenWidth
required
integer [ 0 .. 65535 ]

The browser's screen width returned from the screen.width property.

screenHeight
required
integer [ 0 .. 65535 ]

The browser's screen height returned from the screen.height property.

timeZoneOffset
required
integer [ -1410 .. 1410 ]

The browser's time zone offset in minutes from UTC. A positive offset indicates the local time is behind UTC, and a negative offset indicates it is ahead. Obtain it by calling (new Date()).getTimezoneOffset().

object (Extra data)

Third party data used for risk scoring.

kountFraudSessionId
string [ 10 .. 32 ]

Alpha-numeric fraudSessionId as provided by the Kount SDK.

payPalMerchantSessionId
string [ 1 .. 64 ]

MerchantSessionID as generated by the PayPal Fraudnet SDK.

threatMetrixSessionId
string [ 1 .. 128 ] [a-zA-Z0-9_-]+

A temporary identifier that is unique to the visitor's session and passed to ThreatMetrix.

leadSource
object (LeadSource)
medium
string

Lead source medium (eg search, display).

source
string

Lead source origin (eg google, yahoo).

campaign
string

Lead source campaign (eg go-big-123).

term
string

Lead source term (eg salt shakers).

content
string

Lead source content (eg smiley faces).

affiliate
string

Lead source affiliate (eg 123, Bob Smith).

subAffiliate
string

Lead source sub-affiliate also called a sub-id or click id in some circles (eg 123456).

salesAgent
string

Lead source sales agent (eg James Bond).

clickId
string

Lead source click id (may come from an ad server).

path
string

Lead source path url (eg www.example.com/some/landing/path).

referrer
string

Lead source referer url as determined (eg www.example.com/some/landing/path).
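
The billingAddress constraints in the request schema above can be checked before the request is sent, so malformed input is caught before the API answers 422. The following is an added example, not Rebilly's own code; the names BILLING_RULES and validateBillingAddress are hypothetical, and the patterns are the documented ones translated to JavaScript syntax.

```javascript
// Added example: field rules copied from the billingAddress schema on this page.
// The documented patterns are PCRE-style (\pL); JavaScript needs \p{L} plus the
// "u" flag, otherwise \w stays ASCII-only and names such as "Zoë" are rejected.
const NAME = /^[\w\s\-\p{L},.']+$/u;
const ADDRESS = /^[\w\s\-\/\p{L},.#;:()']+$/u;

const BILLING_RULES = { // hypothetical name
  firstName:    { max: 45,  pattern: NAME },
  lastName:     { max: 45,  pattern: NAME },
  organization: { max: 255, pattern: /^[\w\s\-\p{L},.'&]+$/u },
  address:      { max: 60,  pattern: ADDRESS },
  address2:     { max: 60,  pattern: ADDRESS },
  city:         { max: 45,  pattern: NAME },
  region:       { max: 45,  pattern: ADDRESS },
  country:      { max: 2,   pattern: /^[A-Z]{2}$/ },
  postalCode:   { max: 10,  pattern: /^[\w\s\-]+$/ },
  jobTitle:     { max: 255, pattern: ADDRESS },
};

// Returns a list of "field: reason" strings; an empty list means the object
// satisfies the documented constraints. null/undefined values are allowed
// because every field is "string or null". Fields without a rule are skipped.
function validateBillingAddress(billingAddress) {
  const errors = [];
  for (const [field, value] of Object.entries(billingAddress)) {
    const rule = BILLING_RULES[field];
    if (!rule || value === null || value === undefined) continue;
    if (typeof value !== "string") {
      errors.push(`${field}: must be a string or null`);
    } else if ([...value].length > rule.max) { // count code points, not UTF-16 units
      errors.push(`${field}: longer than ${rule.max} characters`);
    } else if (!rule.pattern.test(value)) {
      errors.push(`${field}: contains characters outside the documented pattern`);
    }
  }
  return errors;
}

// Constructed sample input (not real customer data).
const sample = {
  firstName: "Zoë", lastName: "O'Neil-Smith", address: "12 Main St. #4",
  city: "Montréal", country: "ca", postalCode: "H2X<1Y4", dob: "1990-01-31",
};
console.log(validateBillingAddress(sample));
```

Only the lower-case country code and the postal code containing "<" are reported; the accented names pass because of \p{L}.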

Responses
201

Token was created.

Response Headers
Location
string <uri>

The location of the related resource.

Example: "https://api.rebilly.com/example"
Response Schema: application/json
method
required
string

The token payment method.

paymentInstrument
required
object

The payment card instrument details.

expMonth
required
integer

Payment Card expiration month.

expYear
required
integer

Payment Card expiration year.

bin
string <bin>

Payment Card BIN (the PAN's first 6 digits).

last4
string

Payment Card PAN's last 4 digits.

brand
string

Payment Card brand.

Enum: "Visa" "MasterCard" "American Express" "Discover" "Maestro" "Solo" "Electron" "JCB" "Voyager" "Diners Club" … 4 more
billingAddress
object

The billing address object. Required to perform payments. For payment-card updates, billingAddress can be ignored.

firstName
string or null <= 45 characters ^[\w\s\-\pL,.']+$

The contact first name.

lastName
string or null <= 45 characters ^[\w\s\-\pL,.']+$

The contact last name.

organization
string or null <= 255 characters ^[\w\s\-\pL,.'&]+$

The contact organization.

address
string or null <= 60 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact street address.

address2
string or null <= 60 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact street address (second line).

city
string or null <= 45 characters ^[\w\s\-\pL,.']+$

The contact city.

region
string or null <= 45 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact region (state).

country
string or null <= 2 characters ^[A-Z]{2}$

The contact country ISO Alpha-2 code.

postalCode
string or null <= 10 characters ^[\w\s\-]+$

The contact postal code.

Array of objects (ContactPhoneNumbers)

The list of phone numbers.

Array
label
required
string <= 45 characters

The phone label.

value
required
string <= 50 characters

The phone value.

primary
boolean

True if phone is primary.

Array of objects (ContactEmails)

The list of emails.

Array
label
required
string <= 45 characters

The email label.

value
required
string <email> <= 255 characters

The email value.

primary
boolean

True if email is primary.

dob
string or null <date>

The contact's date of birth in ISO-8601 format (yyyy-mm-dd).

jobTitle
string or null <= 255 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact's job title.

hash
string <= 40 characters

A hash that can be used to compare multiple contacts for identical attribute values.

id
string <= 50 characters

The token identifier string.

isUsed
boolean
Default: false

Whether the token was already used.

riskMetadata
object (Risk metadata)

Risk metadata used for 3DS and risk scoring.

ipAddress
string <ipv4 or ipv6>

The customer's IP.

fingerprint
string <= 50 characters

The fingerprint.

object (HttpHeaders)

The HTTP headers.

property name*
additional property
string
object (Browser data)

Browser data used for 3DS and risk scoring.

colorDepth
required
integer [ 1 .. 48 ]

The browser's color depth in bits per pixel obtained using the screen.colorDepth property.

isJavaEnabled
required
boolean

Whether Java is enabled in a browser or not. Value is returned from the navigator.javaEnabled property.

language
required
string <= 8 characters

The browser's language settings returned from the navigator.language property.

screenWidth
required
integer [ 0 .. 65535 ]

The browser's screen width returned from the screen.width property.

screenHeight
required
integer [ 0 .. 65535 ]

The browser's screen height returned from the screen.height property.

timeZoneOffset
required
integer [ -1410 .. 1410 ]

The browser's time zone offset in minutes from UTC. A positive offset indicates the local time is behind UTC, and a negative offset indicates it is ahead. Obtain it by calling (new Date()).getTimezoneOffset().

object (Extra data)

Third party data used for risk scoring.

kountFraudSessionId
string [ 10 .. 32 ]

Alpha-numeric fraudSessionId as provided by the Kount SDK.

payPalMerchantSessionId
string [ 1 .. 64 ]

MerchantSessionID as generated by the PayPal Fraudnet SDK.

threatMetrixSessionId
string [ 1 .. 128 ] [a-zA-Z0-9_-]+

A temporary identifier that is unique to the visitor's session and passed to ThreatMetrix.

isProxy
boolean

True if the customer's IP address is associated with a proxy.

isVpn
boolean

True if the customer's IP address is associated with a VPN.

isTor
boolean

True if the customer's IP address is associated with Tor.

isHosting
boolean

True if the customer's IP address is associated with a hosting provider.

vpnServiceName
string

VPN service name, if available.

isp
string

Internet Service Provider name, if available.

country
string <= 2 characters

Country ISO Alpha-2 code for specified ipAddress.

region
string

Region for specified ipAddress.

city
string

City for specified ipAddress.

latitude
number <double>

Latitude for specified ipAddress.

longitude
number <double>

Longitude for specified ipAddress.

postalCode
string <= 10 characters

Postal code for specified ipAddress.

timeZone
string

Time zone for specified ipAddress.

accuracyRadius
integer

Accuracy radius for specified ipAddress (kilometers).

distance
integer

Distance between IP Address and Billing Address geolocation (kilometers).

hasMismatchedBillingAddressCountry
boolean

True if the billing address country and geo-IP address are not the same.

hasMismatchedBankCountry
boolean

True if the bank country and geo-IP address are not the same.

hasMismatchedTimeZone
boolean

True if the browser time zone and IP address associated time zone are not the same.

hasMismatchedHolderName
boolean

True if the customer's name from billing address and from customer's primary address are not the same.

hasFakeName
boolean

True if the holder name seems fake.

isHighRiskCountry
boolean

True if geo-IP country or the customer's billing country is considered a high risk country.

paymentInstrumentVelocity
integer

Number of transactions for this payment instrument (based on fingerprint) in the last 24 hours.

deviceVelocity
integer

Number of transactions for this device (based on fingerprint) in the last 24 hours.

ipVelocity
integer

Number of transactions for this IP address in the last 24 hours.

emailVelocity
integer

Number of transactions for this email address in the last 24 hours.

billingAddressVelocity
integer

Number of transactions for this billing address in the last 24 hours.

score
integer

Risk score computed per all the factors.

createdTime
string <date-time>

Token created time.

updatedTime
string <date-time> (UpdatedTime)

Read-only timestamp updates when the resource is updated.

usageTime
string <date-time>

Token usage time.

expirationTime
string <date-time>

Token expiration time.

_links
Array of objects (Self) non-empty

The links related to resource.

Array (non-empty)
href
required
string

The link URL.

rel
required
string

The link type.

Value: "self"
401

Unauthorized access, invalid credentials were used.

403

Access forbidden.

422

Invalid data was sent.

POST /tokens
Request samples
application/json
{
  "method": "payment-card",
  "paymentInstrument": { ... },
  "billingAddress": { ... },
  "riskMetadata": { ... },
  "leadSource": { ... }
}
Response samples
application/json
{
  "method": "payment-card",
  "paymentInstrument": { ... },
  "billingAddress": { ... },
  "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  "isUsed": false,
  "riskMetadata": { ... },
  "createdTime": "2019-08-24T14:15:22Z",
  "updatedTime": "2019-08-24T14:15:22Z",
  "usageTime": "2019-08-24T14:15:22Z",
  "expirationTime": "2019-08-24T14:15:22Z",
  "_links": [ ... ]
}
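
A token is single-use and short-lived, and the request carries the full PAN and CVV while the response exposes only bin and last4. The following added example (not Rebilly's own code) shows one way to classify a token from its isUsed and expirationTime fields and to reduce a token request to the bin/last4 form before it is logged; the function names and sample values are hypothetical.

```javascript
// Added example; field names (isUsed, expirationTime, pan, cvv, bin, last4)
// are the ones documented on this page. Function names are hypothetical.

// Classify a token resource returned by POST /tokens before trying to use it.
function tokenState(token, now = new Date()) {
  if (token.isUsed) return "used";
  const expires = Date.parse(token.expirationTime);
  if (Number.isNaN(expires)) return "invalid";
  return now.getTime() >= expires ? "expired" : "usable";
}

// Produce a copy of a token request that is safe to log: the PAN is reduced to
// the bin/last4 form the response itself exposes, and the CVV is dropped.
function redactTokenRequest(body) {
  const copy = JSON.parse(JSON.stringify(body)); // never mutate the live request
  const card = copy.paymentInstrument;
  if (card) {
    if (typeof card.pan === "string") {
      const digits = card.pan.replace(/\D/g, "");
      card.bin = digits.slice(0, 6);
      card.last4 = digits.slice(-4);
      delete card.pan;
    }
    delete card.cvv;
  }
  return copy;
}

// Constructed samples: a token with a 30-minute lifetime and a test-card request.
const created = new Date("2019-08-24T14:15:22Z");
const sampleToken = {
  id: "constructed-token-id",
  isUsed: false,
  createdTime: created.toISOString(),
  expirationTime: new Date(created.getTime() + 30 * 60 * 1000).toISOString(),
};
const sampleRequest = {
  method: "payment-card",
  paymentInstrument: { pan: "4111 1111 1111 1111", cvv: "123", expMonth: 12, expYear: 2030 },
};

const minutesLater = (m) => new Date(created.getTime() + m * 60 * 1000);
console.log(tokenState(sampleToken, minutesLater(5)));
console.log(tokenState(sampleToken, minutesLater(31)));
console.log(redactTokenRequest(sampleRequest));
```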