On This Page {#jumplink-list} [Markdown](/docs/cybs/en-us/digital-accept-flex/developer/all/rest/digital-accept-flex/ctp-intro/ctp-tokens-intro.md) Filter FILTER BY TAG Transient Tokens {#ctp-tokens-intro} ==================================== The response to a successful customer interaction with the `Unified Checkout` is a transient token. This is returned in the response from the `unifiedPayments.show()` function. The transient token is a reference to the payment data collected on your behalf. Transient tokens enable secure card payments without risking exposure to sensitive payment information. The transient token is a short-term token with a duration of 15 minutes. Transient Token Format {#ctp-tokens-format} =========================================== The transient token is issued as a JSON Web Token (JWT) ([RFC 7519](https://tools.ietf.org/html/rfc7519 "")). For information on JSON Web Tokens, see [JSON Web Tokens](/docs/cybs/en-us/digital-accept-flex/developer/all/rest/digital-accept-flex/uc-intro/uc-appendix/uc-appendix-jwts.md ""). The payload portion of the token is a Base64URL-encoded JSON string and contains various claims. For more information, see [JSON Web Tokens](/docs/cybs/en-us/digital-accept-flex/developer/all/rest/digital-accept-flex/uc-intro/uc-appendix/uc-appendix-jwts.md ""). Example: Transient Token Format {#uc-trans-tkn-ex} ================================================== Transient Token Payload ``` eyJraWQiOiIwMEl1NWJDT2NINVpPWjFNYldsQktodzFZeFFjSkVlZSIsImFsZyI6IlJTMjU2In0.eyJtZXRhZGF0YSI6eyJzZXF1ZW5jZU51bWJlciI6IjEiLCJjYXJkaG9sZGVyQXV0aGVudGljYXRpb25TdGF0dXMiOmZhbHNlLCJwYXltZW50VHlwZSI6IlNSQ01BU1RFUkNBUkQifSwiaXNzIjoiRmxleC8wMCIsInBheW1lbnRDcmVkZW50aWFsc1JlZmVyZW5jZSI6eyJ1Y19hZ25vc3RpY19wb3J0Zm9saW9fdmFsaWQiOiJXaWUyM2NBS3RGblFlSXpqeDRFUXgifSwiZXhwIjoxNzY1ODg1MDcyLCJ0eXBlIjoiZ2RhLTAuMTAuMCIsImlhdCI6MTc2NTg4NDE3MywianRpIjoiMUQwMlk4Q09FQURYS1k5VjRHTjRNUDJOSVNMVjNQM1dSUUNEV0VZNDJHUjNBRzIzTUI3WjY5NDE0NDkwQkI1MSIsImNvbnRlbnQiOnsiZGV2aWNlSW5mb3JtYXRpb24iOnsiZmluZ2VycHJpbnRTZXNzaW9uSWQiOnt9fSwicHJvY2Vzc2luZ0luZm9ybWF0aW9uIjp7InBheW1lbnRTb2x1dGlvbiI6eyJ2YWx1ZSI6IjAyNyJ9fSwib3JkZXJJbmZvcm1hdGlvbiI6eyJiaWxsVG8iOnsiY291bnRyeSI6e30sImxhc3ROYW1lIjp7fSwiZmlyc3ROYW1lIjp7fSwicGhvbmVOdW1iZXIiOnt9LCJhZGRyZXNzMSI6e30sInBvc3RhbENvZGUiOnt9LCJsb2NhbGl0eSI6e30sImFkbWluaXN0cmF0aXZlQXJlYSI6e30sImVtYWlsIjp7fX0sImFtb3VudERldGFpbHMiOnsidG90YWxBbW91bnQiOnt9LCJjdXJyZW5jeSI6e319LCJzaGlwVG8iOnsiZmlyc3ROYW1lIjp7fSwiY291bnRyeSI6e30sImxhc3ROYW1lIjp7fSwiYWRkcmVzczEiOnt9LCJwb3N0YWxDb2RlIjp7fSwibG9jYWxpdHkiOnt9LCJhZG1pbmlzdHJhdGl2ZUFyZWEiOnt9fX0sInBheW1lbnRJbmZvcm1hdGlvbiI6eyJjYXJkIjp7ImV4cGlyYXRpb25ZZWFyIjp7InZhbHVlIjoiMjAyNyJ9LCJudW1iZXIiOnsibWFza2VkVmFsdWUiOiJYWFhYWFhYWFhYWFg5OTA4IiwiYmluIjoiNTE4NjAwIn0sImV4cGlyYXRpb25Nb250aCI6eyJ2YWx1ZSI6IjAzIn0sInR5cGUiOnsidmFsdWUiOiIwMDIifSwidHlwZVNlbGVjdGlvbkluZGljYXRvciI6eyJ2YWx1ZSI6IjEifX19fSwiXyI6IkwrYnlQL2FIRnhEUDRPc0NGNFI5RkhjbElkZkFXR0g4VkF3NGdta0NubGRyZzQ3WDdnR1hseUZRTWM4aU5KWjBzSlNhTlFOTzM5RHVCVWdWaW1SeC9zRUJJS2VQYXFvRVRoWDZpRjFrWWs1ZkxjWDRqU1gvTmtzb1U0bGQzU0RNTnJHcS8ybDRoM0laTjd1WEVON1g5azA5K3FaRFNaWVk3S1dzaVJXeXNwcHpFZE5uQy9ORGYxY1ZqNUJHZTZnN3Jjckt0THYyT1VzYUIyb3hicVkwL2VuUFY4N0JHakMrUk9lSmFYa3VGeml0RDVrQ0paZHdoYnorRStRVmtnejdBVTZnNG5pa0dsWDFNUklkeXVVNnY4QlJsWG42ZEF3c252TW5pZ3Yvc05NUE4zV0hSaUhZWHZubTdramVOd2k2YW1EbkdTSzVqY3RFMmJPWDZUU0RmWG5RSE01eVhWcFdMRHZxa0VQOVZzM2NBNmhTbTlZcHFaaXRSSjZ5OWtMSGFNemsydm9TWlhUV1JQU210UkZ2TWdcdTAwM2RcdTAwM2QifQ.M1ttoaMyKz9NjQ7nYfhGqrt7Gga1YvUph8FH4-0aV98tNbZilEqF4ANQHKFjNQavJ5_EKB_4cDayuwa7xyZzrz2WNXSlRS97EJYfvFAYza8cq2SpvHlR1DvJdMuYsyui-fZafdkxqTudsAUUYJErWezliWOvCw2gi18hb3bS3V_evt8zznRdgbwd7Q1BgSmQwgnIDI-H4wdZMByMbpG1zC8UjbvyPB5OUQxOTCljmbsiAquSI_8LFJoasRUK9txVjezO49E_DX1ClETbnzuiUlJ6MzBlTNAtdbxGB5ELjuf8-SSj4ojlZZTMWARllskZsx_DUtqLBUdNXKpPKEJtzg ``` EPC Token Payload ``` eyJhdWQiOiJ1Y19hZ25vc3RpY19wb3J0Zm9saW9fdmFsaWQiLCJzdWIiOiJ1Y19hZ25vc3RpY192YWxpZDAwMSIsImtpZCI6IjIwMjMwNTE0LWRyYWZ0LXBzcC1lbmNyeXB0IiwiY3R5IjoiSldUIiwiZW5jIjoiQTI1NkdDTSIsImV4cCI6MTc2NTg4NDc3MiwiYWxnIjoiUlNBLU9BRVAtMjU2IiwianRpIjoiV2llMjNjQUt0Rm5RZUl6ang0RVF4In0.H4UAdHUKUm4DRDfTnxQkRG9swxVBFWd63ikf4wo4niF7mBb4sMsm0SVrILu3IbWb6SThDJUnjyfE84QbJ5UmXBSk9k585n9iJYNCMq_-OE72N9MxOwg9rSrO302TkH1Nob7pvENm0AaMPk3SLeYzBur6fVvxj7sf2Ybl8ZnoTME_f_c2XVzZh5JzruamR5Y4_i7T90GRFxYlGpXFbm1WQcJdLkVumWp9My8rubk4fkgkKFUVT76J_dSXPIPqEiSM8NyGtXw-fkhXqq-iTzqDxd07Cp1PMrqFgKsSWUhV647TmnnUmC0bQ8GrMW2Bag18q9UNmEJl5alb-CE_WW1H6A.h__wQ3yafSI9TD-3.t3zvYlmp4G24HYG08OHBVh-tlX120MqXe_IK5dmUuOTzk-v3nWOU7mdp6cM66mwGSPOlie9rUn_oZG34gxMXK-uxGuOo4d-D1SvYaPfhGLyq_LQRIO1iCtdKaKNIyU7AuWkg3G0IS4TMb3hqxG0mMI0XzCbOyEkZzPjkwPFkyE-T1cScesuiK8_qRhQjGNRT57WIhemI64eNUoLaBjTv6HrHTYVGBHgR7J49quaTkVbv9IJaU4qklQUuT4HMWCr6YapApRpuuqGXgJ7_f4oLPJC4UpoxE5cJypdm3lJRFBPp4JZmod9nfA8onRIJbWSC6EdU7SscIV2yEFJybqUGED70fBgBL4rwWMxxw81aEK41CEqlr1XgWAARA1bVsljsrmAsYRLZ38lM1hqZrspENW8hVBLzcO_wyuCQRNZOIufOhl_CCc3Xnq0LKlLR6_hCcafcg2Skxqm4m2_E_iiYWVPSy_DQIVErvidQ9JDjKDdNxTJkhiBe1q4RKs5bNmy4KajKJ2gdOnwblFcxYTB3hs4kuIZdHvU-Lw2UjohCQkv0RtO5QziS_RQAxbT0FG8hHJFnMDR83YU1-38mpM2xSQPaGhQ_2Vzyz7Uwt-fS7gfISg8pF4JX1X4s4n3_bCUfuK1RF2CGOIQdtyxYvdA6iTypH55tDa51idfRS7URmKacsvofB6IavM9sCNcFpe8J0lX3UOQ0H_AIFG9XSs1iu-ct2xAQduOPgeUUkmEMBYUl245Y2dIY0NUrwWZJ_y_13WA6hs1r8Nu2S5E547u-_XhVCuXkuBluhO24UetZbr8pm1B0-YxKtIMLMeUDEyUvLHcihYhRcC02rI8KDl9Nl-NGXenxFf5X6Bhapla7HHCbpd7lrf8MpYCqs7mpO6EHJgDDZxW1mEzcB4x9-ZeTeThJ8_Dwl3E-LtqOcgHbC7PI_QGqMdPKWeEyQqKv-m7KRnEL-fsPT2s9SMtxrxPonGCHtnQ3LqUKqmRIbx0-yalxa6fGGu-od83OMR9FbKhKcAKmk14bIFo8LCkjG3siSjbVr3lK65kmfRoQdiBGOw2Uzb_613dwDLh2yjjpFuuZLS9Bn1lkzxZq5qtNLIKw8CMJ5k_BD8LIGR7iuYB9iRCJiWFjUVj8yVW2zKpk1tdfx_2fhQu13cIUZRx-nOQqYgrfv2KEwfeuJPdSmlzHbN7YplEA2ZvSdIc08rteZaRkVXcWK7rp3Wt7I4AUwUVV8i--Ep6X8SgytFP_FHN4-S_xGAJmljKf9XpBUBvmXxt-Lrba_xnKW1aaGtz-8iOQ4V0K5Gmao7E1gUpta6BjXIXV1HqNLusavOUpTbTTk-CtJnCHZ4BkoAWCPa3QxLQZ0jQAYg71aoi2thSNcTL7_3Qgrxj5nsGMX_cBBSRhCDS8G6Zq0ZLf2sJYK2lNMwax6EwK0NGi8KMUt_X6-lsk2d00ha43fKdtyKqRtB5nnwmD0ONZC2Qp6OsQUxnn066on0jY4khUydBejypMd_93D8rb60q7FHRbGPKpo4aKVvsOp_A0FMWBTR9TTjwIvB3psvSgZChoDO0qZW_RgDHCVDiJbA4umeTCvhTmLgToay1JH7IBH_BBiCm-GADIsIf0is2BFswZIy8PAqpw4DKk164Gw16KHZt7ukZ7uIz6t_HIatBGAEzKav5Xcy33XUfp_SDrOr-QruYQ22kb0TKE9yjfj_dwjEz4VEAJQqnP_ci9_YeLz2VCFY23mGVtgyvcwmJ-L7U4QlVVeUOWIuxl63wWJSZIfm_0H5VYvJo_O9uI7kvccayhaWwHqaSKytefQZ-_HU5EiELxArQziIPByqR97DdDgmutRBxNnGBvLPRwytMGVwmVZOxafrkN5xVLrkif7yRqP3mr5KhUvcTN9zhfWh3s-SqESHL1G-XjET1FpG-TdwVP7ZK3VYFuaoCx2_11U3H1N7FcFXuQqeVvkwEZpvmPd4bFAN9az2q0C8_HyKkjsyvGAuBFerhYrGQQ3lDWIvwcGu09VygK_COH7ZIK212B8F0wFllbyuJW1z4i9-fv8f0KCewyVU7lzwGDLXIR.qJp4DNmwKcsTj_q0Xj8TJw ``` Encrypted Transient Token Payload ``` { "metadata": { "sequenceNumber": "1", "cardholderAuthenticationStatus": false, "paymentType": "PANENTRY" }, "iss": "Flex/00", "exp": 1762870464, "type": "gda-0.10.0", "iat": 1762869564, "jti": "1D4Q8FJSSZ9ASKQ9ZCJ7E13IFOITOOH2GGHY6TRZ3O28TUQ1BN8H691344C098CA", "content": { "deviceInformation": { "fingerprintSessionId": {} }, "orderInformation": { "billTo": { "country": {}, "lastName": {}, "firstName": {}, "phoneNumber": {}, "address1": {}, "postalCode": {}, "locality": {}, "buildingNumber": {}, "company": { "name": {} }, "administrativeArea": {}, "email": {} }, "amountDetails": { "totalAmount": {}, "currency": {} }, "shipTo": { "firstName": {}, "lastName": {}, "country": {}, "address1": {}, "postalCode": {}, "locality": {}, "buildingNumber": {}, "administrativeArea": {} } }, "paymentInformation": { "card": { "expirationYear": { "value": "2027" }, "number": { "maskedValue": "XXXXXXXXXXXX1111", "bin": "411111" }, "securityCode": {}, "expirationMonth": {} } } } } ``` IMPORTANT The empty field values in the transient token indicate which fields were captured by the application without exposing you to personally identifiable information directly. PAN BIN in `metadata` Object The `cardDetails` object, including the PAN BIN, is included in the transient token `metadata` when a `Click to Pay` network token is used as a payment method. This allows you to display information about the card on invoices and see the BIN details that are linked to the underlying card. ``` "metadata": { "cardDetails": { "suffix": "9876", "prefix": "123456", "expirationMonth": "MM", "expirationYear": "YYYY" } } ``` Authentication Status in metadata Object The `cardholderAuthenticationStatus` object is included in the `metadata` and enables you to determine if the payload is fully authenticated. When `cardholderAuthenticationStatus` is set to `true`, the payload is fully authenticated. When `cardholderAuthenticationStatus` is set to `false`, the transaction is not authenticated. If you are using `Unified Checkout` with unifiedPayment.complete() and consumerAuthentication is set to `true` in the complete mandate request, then `Payer Authentication` is called automatically if it is available for the selected payment method and card network. If you use a transient token to request follow-on services directly, the value of this field indicates if the transaction has been authenticated. ``` "metadata": { "cardholderAuthenticationStatus": "true" } } ``` Token Verification {#ctp-tokens-verification} ============================================= When you receive the transient token, you should cryptographically verify its integrity using the public key embedded within the capture context. Doing so verifies that `Cybersource` issued the token and that the data has not been tampered with in transit. Verifying the transient token JWT involves verifying the signature and various claims within the token. Programming languages each have their own specific libraries to assist. For an example in Java, see: [Java Example in Github](https://github.com/CyberSource/cybersource-unified-checkout-sample-java/blob/main/src/main/java/com/cybersource/example/service/JwtProcessorService.java ""). PAN BIN in metadata Object -------------------------- The `cardDetails` object, including the PAN BIN, is included in the transient token `metadata` when a `Click to Pay` network token is used as a payment method. This allows you to display information about the card on invoices and see the BIN details that are linked to the underlying card. ``` "metadata": { "cardDetails": { "suffix": "9876", "prefix": "123456", "expirationMonth": "MM", "expirationYear": "YYYY" } } ``` The `cardholderAuthenticationStatus` object is included in the `metadata` and enables you to determine if the payload is fully authenticated. When `cardholderAuthenticationStatus` is set to `true`, the payload is fully authenticated. When `cardholderAuthenticationStatus` is set to `false`, the transaction is not authenticated. If you are using `Unified Checkout` with unifiedPayment.complete() and consumerAuthentication is set to `true` in the complete mandate request, then `Payer Authentication` is called automatically if it is available for the selected payment method and card network. If you use a transient token to request follow-on services directly, the value of this field indicates if the transaction has been authenticated. ``` "metadata": { "cardholderAuthenticationStatus": "true" } } ``` Dual-Branded Cards {#dual-co-brand-card-support} ================================================ `Unified Checkout` accepts dual-branded cards. To use this feature, you must include the card networks that have overlapping BIN ranges in the capture context request. For example: ``` "allowedCardNetworks": ["VISA", "MASTERCARD", "AMEX", "CARTESBANCAIRES"] ``` When a card number within an overlapping BIN range is entered, the network that is listed first in the value array for the allowedCardNetworks field is used. Based on the previous example, if the card number 403550XXXXXXXXXX is entered, the payment network for payment processing is Visa. During the transaction, the card type is populated with the first network in the list, and the detectedCardTypes field returned in the transient token includes all of the detected card types in the transient token. The detectedCardTypes field is returned in the transient token response only when more than one card type is detected. If you include Cartes Bancaires as a supported dual-branded card type, `Unified Checkout` displays a radio button with Visa and Mastercard options at checkout. This enables the customer to select which payment scheme they want to use to process the payment. The radio button defaults to the card type that you specify in the capture context request, but the payment is processed using the option that the customer selects during checkout. RELATED TO THIS PAGE