Create a payment token

FramePay is the recommended way to create a payment token because it minimizes the PCI DSS compliance burden. A payment token can only be used once.

A payment token expires upon first use or within 30 minutes of the token creation (whichever comes first).

Security: PublishableApiKey or SecretApiKey or JWT
Request
Request Body schema: application/json

PaymentToken resource.

method
required
string

The token payment method.

paymentInstrument
required
object

The payment card instrument details.

expMonth
required
integer

Payment Card expiration month.

expYear
required
integer

Payment Card expiration year.

pan
string

Payment Card PAN (Primary Account Number). Required to perform a payment.

cvv
string

Payment Card CVV/CVC.

billingAddress
object

The billing address object. Required to perform payments. For payment-card updates, billingAddress can be ignored.

firstName
string or null <= 45 characters ^[\w\s\-\pL,.']+$

Contact's first name.

lastName
string or null <= 45 characters ^[\w\s\-\pL,.']+$

Contact's last name.

organization
string or null <= 255 characters ^[\w\s\-\pL,.'&]+$

The contact's organization.

address
string or null <= 60 characters ^[\w\s\-\/\pL,.#;:()']+$

First line of the contact's street address.

address2
string or null <= 60 characters ^[\w\s\-\/\pL,.#;:()']+$

Second line of the contact's street address.

city
string or null <= 45 characters ^[\w\s\-\pL,.']+$

Contact's city of residence.

region
string or null <= 45 characters ^[\w\s\-\/\pL,.#;:()']+$

Contact's region of residence.

country
string or null <= 2 characters ^[A-Z]{2}$

Contact's country of residence in ISO 3166 alpha-2 country code. For examples, see ISO.org.

postalCode
string or null <= 10 characters ^[\w\s\-]+$

Contact's postal code.

Array of objects (ContactPhoneNumbers)

List of phone numbers associated with the contact.

Array
label
required
string <= 45 characters

Phone number label or name.

value
required
string <= 50 characters

Phone number value.

primary
boolean

Specifies whether the phone number is the contact's primary phone number.

Array of objects (ContactEmails)

List of email addresses associated with the contact.

Array
label
required
string <= 45 characters

Email label or name.

value
required
string <email> <= 255 characters

Email address value.

primary
boolean

Specifies whether the email address is the contact's primary email address.

dob
string or null <date>

Contact's date of birth in ISO-8601 YYYY-MM-DD format.

jobTitle
string or null <= 255 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact's job title.

riskMetadata
object (Risk metadata)

Risk metadata used for 3D Secure and risk scoring.

ipAddress
string <ipv4 or ipv6>

Customer's IP address.

fingerprint
string <= 50 characters

Customer's fingerprint.

object (HttpHeaders)

The HTTP headers.

property name*
additional property
string
object (Browser data)

Browser data used for 3D Secure and risk scoring.

colorDepth
required
integer [ 1 .. 48 ]

Browser color depth in bits per pixel. This value is obtained using the screen.colorDepth property.

isJavaEnabled
required
boolean

Specifies whether Java is enabled in a browser. This value is obtained from the navigator.javaEnabled() method.

language
required
string <= 8 characters

Browser language settings. This value is obtained from the navigator.language property.

screenWidth
required
integer [ 0 .. 65535 ]

Width of the browser screen. This value is obtained from the screen.width property.

screenHeight
required
integer [ 0 .. 65535 ]

Height of the browser screen. This value is obtained from the screen.height property.

timeZoneOffset
required
integer [ -1410 .. 1410 ]

Browser time zone offset in minutes from UTC. A positive offset indicates that the local time is behind UTC. A negative offset indicates that the local time is ahead of UTC. You can find this value using the (new Date()).getTimezoneOffset() method.

object (Extra data)

Third party data used for risk scoring.

kountFraudSessionId
string [ 10 .. 32 ]

Alpha-numeric fraudSessionId as provided by the Kount SDK.

payPalMerchantSessionId
string [ 1 .. 64 ]

MerchantSessionID as generated by the PayPal Fraudnet SDK.

threatMetrixSessionId
string [ 1 .. 128 ] [a-zA-Z0-9_-]+

Temporary identifier that is unique to the visitor's session and passed to ThreatMetrix.

leadSource
object (LeadSource)
medium
string

Category of the lead source traffic. For example, the medium could be organic search, Google ads, Display ads, and so on.

source
string

Domain, platform, or channel from which the lead source originates.

campaign
string

Campaign name of the lead source.

term
string

Term associated with a lead source.

content
string

Content contained in the lead source content. For example, content could be graphics, video, and so on.

affiliate
string

Individual or entity that is affiliated with the lead source.

subAffiliate
string

Individual or entity that is associated with a lead source affiliate. In some other products, this field may also be referred to as sub ID or click ID.

salesAgent
string

Name of the sales agent associated with the lead source.

clickId
string

Lead source click ID. This value is passed in the ad click URL for tracking and campaign attribution.

path
string

URL from which the lead source originates.

referrer
string

Lead source referrer URL.
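
The billingAddress length limits and patterns listed above can be checked before the request is sent, so malformed or markup-bearing input is rejected locally instead of surfacing as a 422. This is an added example, not Rebilly code: `validateBillingAddress` and the sample values are hypothetical, and counting length in code points is an assumption.

```javascript
// Field rules copied from the billingAddress schema above. The PCRE-style \pL
// is written as \p{L}, which JavaScript accepts under the `u` flag.
const NAME = /^[\w\s\-\p{L},.']+$/u;
const STREET = /^[\w\s\-\/\p{L},.#;:()']+$/u;
const BILLING_RULES = {
  firstName:    { max: 45,  pattern: NAME },
  lastName:     { max: 45,  pattern: NAME },
  organization: { max: 255, pattern: /^[\w\s\-\p{L},.'&]+$/u },
  address:      { max: 60,  pattern: STREET },
  address2:     { max: 60,  pattern: STREET },
  city:         { max: 45,  pattern: NAME },
  region:       { max: 45,  pattern: STREET },
  country:      { max: 2,   pattern: /^[A-Z]{2}$/ },
  postalCode:   { max: 10,  pattern: /^[\w\s\-]+$/ },
  jobTitle:     { max: 255, pattern: STREET },
};

// Returns a list of { field, reason } problems. An empty list means the
// address passes the documented length and pattern constraints.
function validateBillingAddress(addr) {
  const problems = [];
  for (const [field, rule] of Object.entries(BILLING_RULES)) {
    const value = addr[field];
    if (value === undefined || value === null) continue; // "string or null"
    if (typeof value !== "string") {
      problems.push({ field, reason: "not a string" });
    } else if ([...value].length > rule.max) { // assumption: code points
      problems.push({ field, reason: `longer than ${rule.max} characters` });
    } else if (!rule.pattern.test(value)) {
      problems.push({ field, reason: "characters outside the documented pattern" });
    }
  }
  return problems;
}

// Constructed sample input, not real customer data.
const sampleAddress = {
  firstName: "Zoë", lastName: "O'Neil-Šimić", address: "12 Rue de l'Église #4",
  city: "Montréal", region: "QC", country: "ca", postalCode: "H2X 1Y4",
  organization: "<script>alert(1)</script>",
};
console.log(validateBillingAddress(sampleAddress));
```

The accented names pass because of `\p{L}`; the lowercase country code and the angle brackets in `organization` are reported.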

Responses
201

Token was created.

Response Headers
Location
string <uri>

Location of the related resource.

Example: "https://api.rebilly.com/example"
Response Schema: application/json
method
required
string

The token payment method.

paymentInstrument
required
object

The payment card instrument details.

expMonth
required
integer

Payment Card expiration month.

expYear
required
integer

Payment Card expiration year.

bin
string <bin>

Payment Card BIN (the PAN's first 6 digits).

last4
string

Payment Card PAN's last 4 digits.

brand
string

Payment card brand.

Enum: "Visa" "MasterCard" "American Express" "Discover" "Maestro" "Solo" "Electron" "JCB" "Voyager" "Diners Club" … 4 more
billingAddress
object

The billing address object. Required to perform payments. For payment-card updates, billingAddress can be ignored.

firstName
string or null <= 45 characters ^[\w\s\-\pL,.']+$

Contact's first name.

lastName
string or null <= 45 characters ^[\w\s\-\pL,.']+$

Contact's last name.

organization
string or null <= 255 characters ^[\w\s\-\pL,.'&]+$

The contact's organization.

address
string or null <= 60 characters ^[\w\s\-\/\pL,.#;:()']+$

First line of the contact's street address.

address2
string or null <= 60 characters ^[\w\s\-\/\pL,.#;:()']+$

Second line of the contact's street address.

city
string or null <= 45 characters ^[\w\s\-\pL,.']+$

Contact's city of residence.

region
string or null <= 45 characters ^[\w\s\-\/\pL,.#;:()']+$

Contact's region of residence.

country
string or null <= 2 characters ^[A-Z]{2}$

Contact's country of residence in ISO 3166 alpha-2 country code. For examples, see ISO.org.

postalCode
string or null <= 10 characters ^[\w\s\-]+$

Contact's postal code.

Array of objects (ContactPhoneNumbers)

List of phone numbers associated with the contact.

Array
label
required
string <= 45 characters

Phone number label or name.

value
required
string <= 50 characters

Phone number value.

primary
boolean

Specifies whether the phone number is the contact's primary phone number.

Array of objects (ContactEmails)

List of email addresses associated with the contact.

Array
label
required
string <= 45 characters

Email label or name.

value
required
string <email> <= 255 characters

Email address value.

primary
boolean

Specifies whether the email address is the contact's primary email address.

dob
string or null <date>

Contact's date of birth in ISO-8601 YYYY-MM-DD format.

jobTitle
string or null <= 255 characters ^[\w\s\-\/\pL,.#;:()']+$

The contact's job title.

hash
string <= 40 characters

Use this value to compare contacts for identical attribute values.

id
string <= 50 characters

The token identifier string.

isUsed
boolean
Default: false

Whether the token was already used.

riskMetadata
object (Risk metadata)

Risk metadata used for 3D Secure and risk scoring.

ipAddress
string <ipv4 or ipv6>

Customer's IP address.

fingerprint
string <= 50 characters

Customer's fingerprint.

object (HttpHeaders)

The HTTP headers.

property name*
additional property
string
object (Browser data)

Browser data used for 3D Secure and risk scoring.

colorDepth
required
integer [ 1 .. 48 ]

Browser color depth in bits per pixel. This value is obtained using the screen.colorDepth property.

isJavaEnabled
required
boolean

Specifies whether Java is enabled in a browser. This value is obtained from the navigator.javaEnabled() method.

language
required
string <= 8 characters

Browser language settings. This value is obtained from the navigator.language property.

screenWidth
required
integer [ 0 .. 65535 ]

Width of the browser screen. This value is obtained from the screen.width property.

screenHeight
required
integer [ 0 .. 65535 ]

Height of the browser screen. This value is obtained from the screen.height property.

timeZoneOffset
required
integer [ -1410 .. 1410 ]

Browser time zone offset in minutes from UTC. A positive offset indicates that the local time is behind UTC. A negative offset indicates that the local time is ahead of UTC. You can find this value using the (new Date()).getTimezoneOffset() method.

object (Extra data)

Third party data used for risk scoring.

kountFraudSessionId
string [ 10 .. 32 ]

Alpha-numeric fraudSessionId as provided by the Kount SDK.

payPalMerchantSessionId
string [ 1 .. 64 ]

MerchantSessionID as generated by the PayPal Fraudnet SDK.

threatMetrixSessionId
string [ 1 .. 128 ] [a-zA-Z0-9_-]+

Temporary identifier that is unique to the visitor's session and passed to ThreatMetrix.

isProxy
boolean

Specifies whether the customer's IP address is related to a proxy.

isVpn
boolean

Specifies whether the customer's IP address is related to a VPN.

isTor
boolean

Specifies whether the customer's IP address is related to TOR.

isHosting
boolean

Specifies whether the customer's IP address is related to hosting.

vpnServiceName
string

VPN service name, if available.

isp
string

Internet Service Provider (ISP) name, if available.

country
string <= 2 characters

Country ISO Alpha-2 code of the specified IP address.

region
string

Region of the specified IP address.

city
string

City of the specified IP address.

latitude
number <double>

Latitude of the specified IP address.

longitude
number <double>

Longitude of the specified IP address.

postalCode
string <= 10 characters

Postal code of the specified IP address.

timeZone
string

Time zone of the specified IP address.

accuracyRadius
integer

Accuracy radius of the specified IP address, in kilometers.

distance
integer

Distance between the customer's IP address and the billing address geolocation, in kilometers.

hasMismatchedBillingAddressCountry
boolean

Specifies whether the customer's billing address country and geo-IP address are not the same.

hasMismatchedBankCountry
boolean

Specifies whether the customer's bank country and geo-IP address are not the same.

hasMismatchedTimeZone
boolean

Specifies whether the customer's browser time zone and the IP address associated time zone are not the same.

hasMismatchedHolderName
boolean

Specifies whether the customer's billing address name and primary address name are not the same.

hasFakeName
boolean

Specifies whether the holder name seems fake.

isHighRiskCountry
boolean

Specifies whether the geo-IP country, or the customer's billing country, is considered a high risk country.

paymentInstrumentVelocity
integer

Number of transactions for this payment instrument, based on fingerprint, in the last 24 hours.

declinedPaymentInstrumentVelocity
integer

Number of declined transactions for this payment instrument fingerprint in the last 24 hours.

deviceVelocity
integer

Number of transactions for this device, based on fingerprint, in the last 24 hours.

ipVelocity
integer

Number of transactions for this IP address in the last 24 hours.

emailVelocity
integer

Number of transactions for this email address in the last 24 hours.

billingAddressVelocity
integer

Number of transactions for this billing address in the last 24 hours.

score
integer

Computed risk score based on all factors.

createdTime
string <date-time>

Token created time.

updatedTime
string <date-time> (UpdatedTime)

Read-only timestamp. This value updates when the resource is updated.

usageTime
string <date-time>

Token usage time.

expirationTime
string <date-time>

Token expiration time.

_links
Array of objects (Self) non-empty

Related resource links.

Array (non-empty)
href
required
string

Link URL.

rel
required
string

Type of link.

Value: "self"
401

Unauthorized access. Invalid credentials used.

403

Access forbidden.

422

Invalid data was sent.

POST /tokens
Request samples
application/json
{
  "method": "payment-card",
  "paymentInstrument": { ... },
  "billingAddress": { ... },
  "riskMetadata": { ... },
  "leadSource": { ... }
}
Response samples
application/json
{
  "method": "payment-card",
  "paymentInstrument": { ... },
  "billingAddress": { ... },
  "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  "isUsed": false,
  "riskMetadata": { ... },
  "createdTime": "2019-08-24T14:15:22Z",
  "updatedTime": "2019-08-24T14:15:22Z",
  "usageTime": "2019-08-24T14:15:22Z",
  "expirationTime": "2019-08-24T14:15:22Z",
  "_links": [ ... ]
}
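
A backend that holds a token between creation and use can apply the single-use and 30-minute rules from the top of this page to the response fields `isUsed`, `createdTime` and `expirationTime` before spending it. This is an added example, not Rebilly code: `tokenUsability` and the sample token are hypothetical, and the API remains the authority on whether a token is accepted.

```javascript
const MAX_TOKEN_AGE_MS = 30 * 60 * 1000; // 30-minute lifetime stated on this page

// Decide whether a token resource (shape from the response schema) may still
// be used. Fails closed: anything missing or unparsable is rejected.
function tokenUsability(token, now = new Date()) {
  if (!token || typeof token.id !== "string" || token.id === "") {
    return { usable: false, reason: "missing id" };
  }
  if (typeof token.isUsed !== "boolean") {
    return { usable: false, reason: "missing isUsed" };
  }
  if (token.isUsed) {
    return { usable: false, reason: "already used" };
  }
  const created = Date.parse(token.createdTime);
  const expires = Date.parse(token.expirationTime);
  if (Number.isNaN(created) || Number.isNaN(expires)) {
    return { usable: false, reason: "unparsable timestamps" };
  }
  // Enforce whichever limit is earlier: the reported expirationTime
  // or createdTime + 30 minutes.
  const deadline = Math.min(expires, created + MAX_TOKEN_AGE_MS);
  if (now.getTime() >= deadline) {
    return { usable: false, reason: "expired" };
  }
  return { usable: true, msRemaining: deadline - now.getTime() };
}

// Constructed sample token, not a real identifier.
const sampleToken = {
  id: "tok_constructed_example",
  isUsed: false,
  createdTime: "2024-01-01T12:00:00Z",
  expirationTime: "2024-01-01T12:30:00Z",
};
console.log(tokenUsability(sampleToken, new Date("2024-01-01T12:10:00Z")));
```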