On This Page
FILTER BY TAG

Transient Tokens

The response to a successful customer interaction with the
Unified Checkout
 is a transient token. This is returned in the response from the
unifiedPayments.show()
 function. The transient token is a reference to the payment data collected on your behalf. Transient tokens enable secure card payments without risking exposure to sensitive payment information. The transient token is a short-term token with a duration of 15 minutes.

Transient Token Format

The transient token is issued as a JSON Web Token (JWT) (RFC 7519). For information on JSON Web Tokens, see JSON Web Tokens.
The payload portion of the token is a Base64URL-encoded JSON string and contains various claims. For more information, see JSON Web Tokens.

Example: Transient Token Format

Transient Token Payload
eyJraWQiOiIwMEl1NWJDT2NINVpPWjFNYldsQktodzFZeFFjSkVlZSIsImFsZyI6IlJTMjU2In0.eyJtZXRhZGF0YSI6eyJzZXF1ZW5jZU51bWJlciI6IjEiLCJjYXJkaG9sZGVyQXV0aGVudGljYXRpb25TdGF0dXMiOmZhbHNlLCJwYXltZW50VHlwZSI6IlNSQ01BU1RFUkNBUkQifSwiaXNzIjoiRmxleC8wMCIsInBheW1lbnRDcmVkZW50aWFsc1JlZmVyZW5jZSI6eyJ1Y19hZ25vc3RpY19wb3J0Zm9saW9fdmFsaWQiOiJXaWUyM2NBS3RGblFlSXpqeDRFUXgifSwiZXhwIjoxNzY1ODg1MDcyLCJ0eXBlIjoiZ2RhLTAuMTAuMCIsImlhdCI6MTc2NTg4NDE3MywianRpIjoiMUQwMlk4Q09FQURYS1k5VjRHTjRNUDJOSVNMVjNQM1dSUUNEV0VZNDJHUjNBRzIzTUI3WjY5NDE0NDkwQkI1MSIsImNvbnRlbnQiOnsiZGV2aWNlSW5mb3JtYXRpb24iOnsiZmluZ2VycHJpbnRTZXNzaW9uSWQiOnt9fSwicHJvY2Vzc2luZ0luZm9ybWF0aW9uIjp7InBheW1lbnRTb2x1dGlvbiI6eyJ2YWx1ZSI6IjAyNyJ9fSwib3JkZXJJbmZvcm1hdGlvbiI6eyJiaWxsVG8iOnsiY291bnRyeSI6e30sImxhc3ROYW1lIjp7fSwiZmlyc3ROYW1lIjp7fSwicGhvbmVOdW1iZXIiOnt9LCJhZGRyZXNzMSI6e30sInBvc3RhbENvZGUiOnt9LCJsb2NhbGl0eSI6e30sImFkbWluaXN0cmF0aXZlQXJlYSI6e30sImVtYWlsIjp7fX0sImFtb3VudERldGFpbHMiOnsidG90YWxBbW91bnQiOnt9LCJjdXJyZW5jeSI6e319LCJzaGlwVG8iOnsiZmlyc3ROYW1lIjp7fSwiY291bnRyeSI6e30sImxhc3ROYW1lIjp7fSwiYWRkcmVzczEiOnt9LCJwb3N0YWxDb2RlIjp7fSwibG9jYWxpdHkiOnt9LCJhZG1pbmlzdHJhdGl2ZUFyZWEiOnt9fX0sInBheW1lbnRJbmZvcm1hdGlvbiI6eyJjYXJkIjp7ImV4cGlyYXRpb25ZZWFyIjp7InZhbHVlIjoiMjAyNyJ9LCJudW1iZXIiOnsibWFza2VkVmFsdWUiOiJYWFhYWFhYWFhYWFg5OTA4IiwiYmluIjoiNTE4NjAwIn0sImV4cGlyYXRpb25Nb250aCI6eyJ2YWx1ZSI6IjAzIn0sInR5cGUiOnsidmFsdWUiOiIwMDIifSwidHlwZVNlbGVjdGlvbkluZGljYXRvciI6eyJ2YWx1ZSI6IjEifX19fSwiXyI6IkwrYnlQL2FIRnhEUDRPc0NGNFI5RkhjbElkZkFXR0g4VkF3NGdta0NubGRyZzQ3WDdnR1hseUZRTWM4aU5KWjBzSlNhTlFOTzM5RHVCVWdWaW1SeC9zRUJJS2VQYXFvRVRoWDZpRjFrWWs1ZkxjWDRqU1gvTmtzb1U0bGQzU0RNTnJHcS8ybDRoM0laTjd1WEVON1g5azA5K3FaRFNaWVk3S1dzaVJXeXNwcHpFZE5uQy9ORGYxY1ZqNUJHZTZnN3Jjckt0THYyT1VzYUIyb3hicVkwL2VuUFY4N0JHakMrUk9lSmFYa3VGeml0RDVrQ0paZHdoYnorRStRVmtnejdBVTZnNG5pa0dsWDFNUklkeXVVNnY4QlJsWG42ZEF3c252TW5pZ3Yvc05NUE4zV0hSaUhZWHZubTdramVOd2k2YW1EbkdTSzVqY3RFMmJPWDZUU0RmWG5RSE01eVhWcFdMRHZxa0VQOVZzM2NBNmhTbTlZcHFaaXRSSjZ5OWtMSGFNemsydm9TWlhUV1JQU210UkZ2TWdcdTAwM2RcdTAwM2QifQ.M1ttoaMyKz9NjQ7nYfhGqrt7Gga1YvUph8FH4-0aV98tNbZilEqF4ANQHKFjNQavJ5_EKB_4cDayuwa7xyZzrz2WNXSlRS97EJYfvFAYza8cq2SpvHlR1DvJdMuYsyui-fZafdkxqTudsAUUYJErWezliWOvCw2gi18hb3bS3V_evt8zznRdgbwd7Q1BgSmQwgnIDI-H4wdZMByMbpG1zC8UjbvyPB5OUQxOTCljmbsiAquSI_8LFJoasRUK9txVjezO49E_DX1ClETbnzuiUlJ6MzBlTNAtdbxGB5ELjuf8-SSj4ojlZZTMWARllskZsx_DUtqLBUdNXKpPKEJtzg
EPC Token Payload
eyJhdWQiOiJ1Y19hZ25vc3RpY19wb3J0Zm9saW9fdmFsaWQiLCJzdWIiOiJ1Y19hZ25vc3RpY192YWxpZDAwMSIsImtpZCI6IjIwMjMwNTE0LWRyYWZ0LXBzcC1lbmNyeXB0IiwiY3R5IjoiSldUIiwiZW5jIjoiQTI1NkdDTSIsImV4cCI6MTc2NTg4NDc3MiwiYWxnIjoiUlNBLU9BRVAtMjU2IiwianRpIjoiV2llMjNjQUt0Rm5RZUl6ang0RVF4In0.H4UAdHUKUm4DRDfTnxQkRG9swxVBFWd63ikf4wo4niF7mBb4sMsm0SVrILu3IbWb6SThDJUnjyfE84QbJ5UmXBSk9k585n9iJYNCMq_-OE72N9MxOwg9rSrO302TkH1Nob7pvENm0AaMPk3SLeYzBur6fVvxj7sf2Ybl8ZnoTME_f_c2XVzZh5JzruamR5Y4_i7T90GRFxYlGpXFbm1WQcJdLkVumWp9My8rubk4fkgkKFUVT76J_dSXPIPqEiSM8NyGtXw-fkhXqq-iTzqDxd07Cp1PMrqFgKsSWUhV647TmnnUmC0bQ8GrMW2Bag18q9UNmEJl5alb-CE_WW1H6A.h__wQ3yafSI9TD-3.t3zvYlmp4G24HYG08OHBVh-tlX120MqXe_IK5dmUuOTzk-v3nWOU7mdp6cM66mwGSPOlie9rUn_oZG34gxMXK-uxGuOo4d-D1SvYaPfhGLyq_LQRIO1iCtdKaKNIyU7AuWkg3G0IS4TMb3hqxG0mMI0XzCbOyEkZzPjkwPFkyE-T1cScesuiK8_qRhQjGNRT57WIhemI64eNUoLaBjTv6HrHTYVGBHgR7J49quaTkVbv9IJaU4qklQUuT4HMWCr6YapApRpuuqGXgJ7_f4oLPJC4UpoxE5cJypdm3lJRFBPp4JZmod9nfA8onRIJbWSC6EdU7SscIV2yEFJybqUGED70fBgBL4rwWMxxw81aEK41CEqlr1XgWAARA1bVsljsrmAsYRLZ38lM1hqZrspENW8hVBLzcO_wyuCQRNZOIufOhl_CCc3Xnq0LKlLR6_hCcafcg2Skxqm4m2_E_iiYWVPSy_DQIVErvidQ9JDjKDdNxTJkhiBe1q4RKs5bNmy4KajKJ2gdOnwblFcxYTB3hs4kuIZdHvU-Lw2UjohCQkv0RtO5QziS_RQAxbT0FG8hHJFnMDR83YU1-38mpM2xSQPaGhQ_2Vzyz7Uwt-fS7gfISg8pF4JX1X4s4n3_bCUfuK1RF2CGOIQdtyxYvdA6iTypH55tDa51idfRS7URmKacsvofB6IavM9sCNcFpe8J0lX3UOQ0H_AIFG9XSs1iu-ct2xAQduOPgeUUkmEMBYUl245Y2dIY0NUrwWZJ_y_13WA6hs1r8Nu2S5E547u-_XhVCuXkuBluhO24UetZbr8pm1B0-YxKtIMLMeUDEyUvLHcihYhRcC02rI8KDl9Nl-NGXenxFf5X6Bhapla7HHCbpd7lrf8MpYCqs7mpO6EHJgDDZxW1mEzcB4x9-ZeTeThJ8_Dwl3E-LtqOcgHbC7PI_QGqMdPKWeEyQqKv-m7KRnEL-fsPT2s9SMtxrxPonGCHtnQ3LqUKqmRIbx0-yalxa6fGGu-od83OMR9FbKhKcAKmk14bIFo8LCkjG3siSjbVr3lK65kmfRoQdiBGOw2Uzb_613dwDLh2yjjpFuuZLS9Bn1lkzxZq5qtNLIKw8CMJ5k_BD8LIGR7iuYB9iRCJiWFjUVj8yVW2zKpk1tdfx_2fhQu13cIUZRx-nOQqYgrfv2KEwfeuJPdSmlzHbN7YplEA2ZvSdIc08rteZaRkVXcWK7rp3Wt7I4AUwUVV8i--Ep6X8SgytFP_FHN4-S_xGAJmljKf9XpBUBvmXxt-Lrba_xnKW1aaGtz-8iOQ4V0K5Gmao7E1gUpta6BjXIXV1HqNLusavOUpTbTTk-CtJnCHZ4BkoAWCPa3QxLQZ0jQAYg71aoi2thSNcTL7_3Qgrxj5nsGMX_cBBSRhCDS8G6Zq0ZLf2sJYK2lNMwax6EwK0NGi8KMUt_X6-lsk2d00ha43fKdtyKqRtB5nnwmD0ONZC2Qp6OsQUxnn066on0jY4khUydBejypMd_93D8rb60q7FHRbGPKpo4aKVvsOp_A0FMWBTR9TTjwIvB3psvSgZChoDO0qZW_RgDHCVDiJbA4umeTCvhTmLgToay1JH7IBH_BBiCm-GADIsIf0is2BFswZIy8PAqpw4DKk164Gw16KHZt7ukZ7uIz6t_HIatBGAEzKav5Xcy33XUfp_SDrOr-QruYQ22kb0TKE9yjfj_dwjEz4VEAJQqnP_ci9_YeLz2VCFY23mGVtgyvcwmJ-L7U4QlVVeUOWIuxl63wWJSZIfm_0H5VYvJo_O9uI7kvccayhaWwHqaSKytefQZ-_HU5EiELxArQziIPByqR97DdDgmutRBxNnGBvLPRwytMGVwmVZOxafrkN5xVLrkif7yRqP3mr5KhUvcTN9zhfWh3s-SqESHL1G-XjET1FpG-TdwVP7ZK3VYFuaoCx2_11U3H1N7FcFXuQqeVvkwEZpvmPd4bFAN9az2q0C8_HyKkjsyvGAuBFerhYrGQQ3lDWIvwcGu09VygK_COH7ZIK212B8F0wFllbyuJW1z4i9-fv8f0KCewyVU7lzwGDLXIR.qJp4DNmwKcsTj_q0Xj8TJw
Encrypted Transient Token Payload
{
  "metadata": {
    "sequenceNumber": "1",
    "cardholderAuthenticationStatus": false,
    "paymentType": "PANENTRY"
  },
  "iss": "Flex/00",
  "exp": 1762870464,
  "type": "gda-0.10.0",
  "iat": 1762869564,
  "jti": "1D4Q8FJSSZ9ASKQ9ZCJ7E13IFOITOOH2GGHY6TRZ3O28TUQ1BN8H691344C098CA",
  "content": {
    "deviceInformation": {
      "fingerprintSessionId": {}
    },
    "orderInformation": {
      "billTo": {
        "country": {},
        "lastName": {},
        "firstName": {},
        "phoneNumber": {},
        "address1": {},
        "postalCode": {},
        "locality": {},
        "buildingNumber": {},
        "company": {
          "name": {}
        },
        "administrativeArea": {},
        "email": {}
      },
      "amountDetails": {
        "totalAmount": {},
        "currency": {}
      },
      "shipTo": {
        "firstName": {},
        "lastName": {},
        "country": {},
        "address1": {},
        "postalCode": {},
        "locality": {},
        "buildingNumber": {},
        "administrativeArea": {}
      }
    },
    "paymentInformation": {
      "card": {
        "expirationYear": {
          "value": "2027"
        },
        "number": {
          "maskedValue": "XXXXXXXXXXXX1111",
          "bin": "411111"
        },
        "securityCode": {},
        "expirationMonth": {}
      }
    }
  }
}
IMPORTANT
The empty field values in the transient token indicate which fields were captured by the application without exposing you to personally identifiable information directly.
PAN BIN in
metadata
 Object
The
cardDetails
 object, including the PAN BIN, is included in the transient token
metadata
 when a
Click to Pay
 network token is used as a payment method. This allows you to display information about the card on invoices and see the BIN details that are linked to the underlying card.
"metadata": {
  "cardDetails": {
    "suffix": "9876",
    "prefix": "123456",
    "expirationMonth": "MM",
    "expirationYear": "YYYY"
  }
}
Authentication Status in
metadata
 Object
The
cardholderAuthenticationStatus
 object is included in the
metadata
 and enables you to determine if the payload is fully authenticated. When
cardholderAuthenticationStatus
 is set to
true
, the payload is fully authenticated. When
cardholderAuthenticationStatus
 is set to
false
, the transaction is not authenticated.
If you are using
Unified Checkout
 with
unifiedPayment.complete()
 and
consumerAuthentication
 is set to
true
 in the complete mandate request, then
Payer Authentication
 is called automatically if it is available for the selected payment method and card network. If you use a transient token to request follow-on services directly, the value of this field indicates if the transaction has been authenticated.
"metadata": {
  "cardholderAuthenticationStatus": "true"
  }
}

Token Verification

When you receive the transient token, you should cryptographically verify its integrity using the public key embedded within the capture context. Doing so verifies that
Cybersource
 issued the token and that the data has not been tampered with in transit. Verifying the transient token JWT involves verifying the signature and various claims within the token. Programming languages each have their own specific libraries to assist.
For an example in Java, see: Java Example in Github.

PAN BIN in
metadata
 Object

The
cardDetails
 object, including the PAN BIN, is included in the transient token
metadata
 when a
Click to Pay
 network token is used as a payment method. This allows you to display information about the card on invoices and see the BIN details that are linked to the underlying card.
"metadata": {
  "cardDetails": {
    "suffix": "9876",
    "prefix": "123456",
    "expirationMonth": "MM",
    "expirationYear": "YYYY"
  }
}
The
cardholderAuthenticationStatus
 object is included in the
metadata
 and enables you to determine if the payload is fully authenticated. When
cardholderAuthenticationStatus
 is set to
true
, the payload is fully authenticated. When
cardholderAuthenticationStatus
 is set to
false
, the transaction is not authenticated.
If you are using
Unified Checkout
 with
unifiedPayment.complete()
 and
consumerAuthentication
 is set to
true
 in the complete mandate request, then
Payer Authentication
 is called automatically if it is available for the selected payment method and card network. If you use a transient token to request follow-on services directly, the value of this field indicates if the transaction has been authenticated. 
"metadata": {
  "cardholderAuthenticationStatus": "true"
  }
}

Dual-Branded Cards

Unified Checkout
 accepts dual-branded cards. To use this feature, you must include the card networks that have overlapping BIN ranges in the capture context request. For example:
"allowedCardNetworks": ["VISA", "MASTERCARD", "AMEX"
, "CARTESBANCAIRES"
]
When a card number within an overlapping BIN range is entered, the network that is listed first in the value array for the
allowedCardNetworks
 field is used. Based on the previous example, if the card number 403550XXXXXXXXXX is entered, the payment network for payment processing is Visa.
During the transaction, the card type is populated with the first network in the list, and the
detectedCardTypes
 field returned in the transient token includes all of the detected card types in the transient token.
The
detectedCardTypes
 field is returned in the transient token response only when more than one card type is detected.
If you include Cartes Bancaires as a supported dual-branded card type,
Unified Checkout
 displays a radio button with Visa and Mastercard options at checkout. This enables the customer to select which payment scheme they want to use to process the payment. The radio button defaults to the card type that you specify in the capture context request, but the payment is processed using the option that the customer selects during checkout.
RELATED TO THIS PAGE