On This Page

Creating the Server-Side Capture Context

The first step in integrating with
Microform Integration
 is to develop the server-side code that generates the capture context. The capture context is also known as a
session
.
You can use the SDK or call the API directly to generate the capture context.
To use the SDK to generate the capture context, use the sample code here: Flex Samples on Github.
Follow these steps to call the API directly to generate the capture context:
  1. Send an authenticated POST request to the
    /sessions
     endpoint to create your capture context session:
    • Production
      :
      https://api.cybersource.com
      /microform/v2/sessions
    • Test
      :
      https://apitest.cybersource.com
      /microform/v2/sessions
    Include the target origin URL and at least one accepted card type in the content of the body of the request. You must also include the type of
    Microform Integration
     you want to include in the capture context for accepting card information. If you do not include the
    allowedPaymentTypes
     field in your capture request, the value defaults to
    CARD
    .
    For example: 
    {
	"clientVersion": "v2",
	"targetOrigins": ["https://www.example.com"],
	"allowedCardNetworks": ["VISA"],
	"allowedPaymentTypes": ["CARD"]
}
    To embed the target origin URL within multiple nested iframes, you must specify the origins of all the browser contexts used. For example: 
    {
	"clientVersion": "v2",
	"targetOrigins": ["https://www.example.com", "https://www.basket.example.com", "https://ecom.example.com"],
	"allowedCardNetworks": ["VISA",
		"MASTERCARD",
		"AMEX",
		"CARTESBANCAIRES",
		"CARNET",
		"CUP",
		"DINERSCLUB",
		"DISCOVER",
		"EFTPOS",
		"ELO",
		"JCB",
		"JCREW",
		"MADA",
		"MAESTRO",
		"MEEZA"
	],
	"allowedPaymentTypes": ["CARD"]
}
  2. Pass the capture context response data object to your front-end application. The capture context is valid for 15 minutes.
    Successful Encrypted JWT Response
     
    eyJraWQiOiJqNCIsImFsZyI6IlJTMjU2In0.eyJmbHgiOnsicGF0aCI6Ii9mbGV4L3YyL3Rva2VucyIsImRhdGEiOiJ1Q0RERW94M2dDQk1VaHI2T1ZDVGt4QUFFS1pHSTRHcDFvQ2pyYXlVb1MxQzdGOXE2WFpyYXhGbGxMVDMvenE2cjFnNXoxS1U2UDZseldqRVFTVVJoZUtxUThoVWJkZVNNdmt5SERTTXUwV01tMzhcdTAwM2QiLCJvcmlnaW4iOiJodHRwczovL3N0YWdlZmxleC5jeWJlcnNvdXJjZS5jb20iLCJqd2siOnsia3R5IjoiUlNBIiwiZSI6IkFRQUIiLCJ1c2UiOiJlbmMiLCJuIjoiMXNDY3NZNC1WZTNWU0VKekhnelJ5WjVDOURrM0VHZ2ZPOGd5SDc5bVJfSlN6NzdmWTdfV1loM3psdTkyTFVfeU5KVTBUMzdOQmVzd0szU2c0YnRNaU41Q0FCbWNXLWNSckhta2k0MVZoNUZRMmtjcWZSSlgxNVhZN1A3R25GTnd4QzVkUG9UM29NM1czRFVHaUMyYW56enhIN3pNNlA3N2hFbnc2TkZHSXlBdXhJRWFwRG9DaXlEVW5NdFRwV2lBV3YzTF9OVHZOaHRkVE4tNm1GRWU1RmdVYmlzeWtrTzlWMHZaS0d6SWRWWmdTdE42cHlnUGhVbnlNXzJIVmIxQmkyWjNKaElhZDFLUW02SGl0NklwYjNyUTBHRWZsN0ZWOUV3NGZyNzJpekQ0WVg2WHo0V3ZuMzlLN3J3WkhCRXdNM3l5Wl9ELTBUbjM1MFhvUlBUVjB3Iiwia2lkIjoiMDB4V1A1eUh1UE1kNkFkNHdwVzNzQkt1bWFaQ01zYWMifX0sImN0eCI6W3siZGF0YSI6eyJjbGllbnRMaWJyYXJ5SW50ZWdyaXR5Ijoic2hhMjU2LXZkWWkxaDV1ZTNwcm5iVC8xYThJSkxlUkNrSGVqSHBkRGR3My95RkxaREFcdTAwM2QiLCJjbGllbnRMaWJyYXJ5IjoiaHR0cHM6Ly9zdGFnZWZsZXguY3liZXJzb3VyY2UuY29tL21pY3JvZm9ybS9idW5kbGUvdjIuNS4xL2ZsZXgtbWljcm9mb3JtLm1pbi5qcyIsImFsbG93ZWRDYXJkTmV0d29ya3MiOlsiVklTQSIsIk1BU1RFUkNBUkQiLCJBTUVYIiwiTUFFU1RSTyIsIkRJU0NPVkVSIiwiRElORVJTQ0xVQiIsIkpDQiIsIkNVUCIsIkNBUlRFU0JBTkNBSVJFUyJdLCJ0YXJnZXRPcmlnaW5zIjpbImh0dHBzOi8vdGhlLXVwLWRlbW8uYXBwc3BvdC5jb20iXSwibWZPcmlnaW4iOiJodHRwczovL3N0YWdlZmxleC5jeWJlcnNvdXJjZS5jb20iLCJhbGxvd2VkUGF5bWVudFR5cGVzIjpbIkNBUkQiXX0sInR5cGUiOiJtZi0yLjEuMCJ9XSwiaXNzIjoiRmxleCBBUEkiLCJleHAiOjE3MzY0MzA0MTQsImlhdCI6MTczNjQyOTUxNCwianRpIjoiZDVZbzVhNU0wWFBPQ1BxZiJ9.G4Ea-gIk6SG5ULE4NE5OsdPI41YaAuTEMHDstBgkFzczIWwzJScvXs4hgWiyA-1ZLGITedlumGj-0x8jxmYTWeTm7D0fP8RL0w148EpDLMD8xMHpAJMdMqZTmYHyichsy8uOZKVOn9NbnuQqfDeQS_rLpJV3tMe2NwJL3RdBXdJ894ihKpFP2yXE1wQeLekNiYJ6s-Uuxwf0jf2CSN_TJAjnfVR6bqlpWbUpiUaBLcqDsHHe_pcrd5g2r-1LEfCiOV9RIw7844XKFNLQZvt_alQjItuMy8M9LVhnlRWCSnTKB1iV1RUxuTWtMzTvHmQWPx4nShqzE3j0Hp61c0PmBw

AFTER COMPLETING THE TASK

IMPORTANT
  • Ensure that all endpoints within your ownership are secure with some kind of authentication so they cannot be called at will by bad actors.
  • Do not pass the
    targetOrigin
     field in any external requests. Hard code it on the server side.
For more information on requesting the capture context, see Capture Context.