`Click to Pay` Developer Guide

This section describes how to use this guide and where to find further information.

Audience and Purpose: This document is written for merchants who want to enable
Click to Pay
so that they can accept payments on their e-commerce page.
Conventions: This statement is used in this document:

IMPORTANT

An Important
statement contains information essential to successfully completing a task or learning a concept.

Recent Revisions to This Document

25.08.01

Initial release.

Introduction to
`Click to Pay`

Click to Pay powered by Unified Checkout provides an interface for easy acceptance of Click to Pay payments from Visa, Mastercard, and American Express cards.

Click to Pay consists of a server-side component and a client-side JavaScript library.

The server-side component authenticates your merchant identity and instructs the system to act within your payment environment. The response contains limited-use public keys. The keys are used for end-to-end encryption and contain merchant-specific payment information that drives the interaction of the application. The client-side JavaScript library dynamically and securely places digital payment options into your e-commerce page.

The provided JavaScript library enables you to place a payment application within your e-commerce environment. This embedded component offers Click to Pay and card entry to your customers.

Whether a customer uses a stored Click to Pay card or enters their payment information manually,

Click to Pay

handles all user interactions and provides a response to your e-commerce system.

IMPORTANT

Each request that you send to Barclays requires header information. For information about constructing the headers for your request, see the Getting Started with REST Developer Guide
.

`Click to Pay` Flow

To integrate Unified Checkout into your platform, you must follow several integration steps. This section gives a high-level overview of how to integrate and launch Unified Checkout on your webpage and process a transaction. You can find the detailed specifications of the APIs later in this document.

You send a server-to-server API request for a capture context. This request is fully authenticated and returns a JSON Web Token (JWT) that is necessary to invoke the frontend JavaScript library. For information on setting up the server side, see Server-Side Set Up.

You invoke the Unified Checkout JavaScript library using the JWT response from the capture context request. For information on setting up the client side, see Client-Side Set Up.

You use the response from

Click to Pay

to retrieve payment credentials for payment processing or other steps.

This figure illustrates the system's payment flow.

Diagram that shows the sequence and flow of a Click to Pay payment. — `Click to Pay` Payment Flow

For more information on the specific APIs referenced, see these topics:

Capture Context API

Payment Details API

Payment Credentials API

Enabling `Unified Checkout` in the `Smartpay Fuse Portal`

To begin using

Click to Pay

powered by Unified Checkout, you must first ensure that your merchant ID (MID) is configured to use the service and that Click to Pay is properly set up.

Log in to the Smartpay Fuse Portal:

Test URL:

https://admin.smartpayfuse-test.barclaycard/ebc2

Production URL:

https://admin.smartpayfuse.barclaycard/ebc2/

In the Smartpay Fuse Portal, go to the left navigation panel and choose

Payment Configuration

>

Unified Checkout

.

Click Setup
and follow the instructions to enroll your business in Click to Pay. When Click to Pay is enabled, it appears on the payment configuration page.

Click Manage
to alter your Click to Pay enrollment details. For more information on registering for Click to Pay, see Enable Click to Pay.

Server-Side Set Up

This section contains the information you need to set up your server. Initializing Unified Checkout within your webpage begins with a server-to-server call to the sessions API. This step authenticates your merchant credentials, and establishes how the Unified Checkout frontend components will function. The sessions API request contains parameters that define how Unified Checkout performs.

The server-side component provides this information:

A transaction-specific public key that is used by the customer's browser to protect the transaction.

An authenticated context description package that manages the payment experience on the client side. It includes available payment options such as card networks, payment interface styling, and interaction methods.

The functions are compiled in a JSON Web Token (JWT) object referred to as the capture context
. For information JSON Web Tokens, see JSON Web Tokens.

Capture Context

The capture context request is a signed JSON Web Token (JWT) that includes all of the merchant-specific parameters. This request tells the frontend JavaScript library how to behave within your payment experience. The request provides authentication, one-time keys, the target origin to the Unified Checkout integration in addition to allowed card networks and payment types. The capture context request includes these elements:

allowedCardNetworks

allowedPaymentTypes

clientVersion

targetOrigin

completeMandate

Use the

targetOrigins

and the

allowedPaymentTypes

fields to define the target origin and the accepted digital payment methods in your capture context. For example:

{
  "targetOrigins": [
    "https://www.test.com"
  ],
  "clientVersion": "0.23",
  "allowedCardNetworks": [
    "VISA",
    "MASTERCARD",
    "AMEX"
  ],
  "allowedPaymentTypes": [
    "CLICKTOPAY"
  ],
  "country": "US",
  "locale": "en_US",
  "captureMandate": {
    "billingType": "FULL",
    "requestEmail": true,
    "requestPhone": true,
    "requestShipping": true,
    "shipToCountries": [
      "US",
      "GB"
    ],
    "showAcceptedNetworkIcons": true
  },
  "orderInformation": {
    "amountDetails": {
      "totalAmount": "1.01",
      "currency": "USD"
    }
  }  
}

For more information on requesting the capture context, see Capture Context API.

Client-Side Set Up

This section contains the information you need to set up the client side. You use the Unified Checkout JavaScript library to integrate with your e-commerce website. It has two primary components:

The button widget, which lists the payment methods available to the customer.

The payment acceptance page, which captures payment information from the cardholder.

The Unified Checkout JavaScript library supports Click to Pay and manual card entry payment methods.

Follow these steps to set up the client:

Load the JavaScript library.

Initialize the accept object the capture context JWT. For information JSON Web Tokens, see JSON Web Tokens.

Initialize the unified payment object with optional parameters.

Show the button list or payment acceptance page or both.

The response to these interactions is a transient token that you use to retrieve the payment information captured by the UI.

Loading the JavaScript Library and Invoking the Accept Function

Use the client library asset path and client library integrity value that is returned by the capture context response to invoke Unified Checkout on your page.

You can retrieve these values from the

clientLibrary

and

clientLibraryIntegrity

fields that are returned in the JWT from

https://api.smartpayfuse-test.barclaycard/up/v1/capture-contexts

. You can use these values to create your script tags.

You must perform this process for each transaction, as these values may be unique for each transaction. You must avoid hard-coding values for the

clientLibrary

and

clientLibraryIntegrity

fields to prevent client-side errors.

For example, a response from

https://api.smartpayfuse-test.barclaycard/up/v1/capture-contexts

would include:

"data": {
    "clientLibrary":"[EXTRACT clientLibrary VALUE from here]",
    "clientLibraryIntegrity": "[EXTRACT clientLibraryIntegrity VALUE from here]"
}

Below is an example script tag:

<script src="[INSERT clientLibrary VALUE HERE]" 
    integrity=”[INSERT clientLibraryIntegrity VALUE HERE]”
    crossorigin=”anonymous”></script>

IMPORTANT

Use the

clientLibrary

and

clientLibraryIntegrity

parameter values in the capture context response to obtain the Unified Checkout JavaScript library URL and the integrity value. This ensures that you are always using the most up-to-date library and protects against fraud. Do not hard-code the Unified Checkout JavaScript library URL or integrity value.

When you load the library, the capture context from your initial server-side request is used to invoke the accept function.

JavaScript Example: Initializing the SDK

try {
        const accept = await Accept(captureContext);
        const up = await accept.unifiedPayments(sidebar);


      } catch (error) {
        // merchant logic for handling issues
        console.error("something went wrong: " + error);
      }

In this example,

captureContext

refers to the capture context JWT.

JavaScript Example: Displaying the Button List

After you initialize the Unified Checkout object, you can add the payment application and payment acceptance pages to your webpage. You can attach the embedded Unified Checkout tool and payment acceptance pages to any named element within your HTML. Typically, they are attached to explicit named components that are replaced with Unified Checkout’s iframes.

try {
    const accept = await Accept(captureContext);
    const up = await accept.unifiedPayments(sidebar);
    const tt = await up.show(showArgs);
} catch (error) {
    // merchant logic for handling issues
    console.error("something went wrong: " + error);
}

To display the Unified Checkout Button List within your payment page, a call is made to the unifiedPayments.Show() function. This function accepts a JSON object that links the

<div>

tags within your payment page to place the Unified Checkout button list and optional embeddable payment page.

const showArgs = {
    containers: {
        paymentSelection: '#buttonPaymentListContainer',
        paymentScreen: '#embeddedPaymentContainer'
    }
};

The response to the unifiedPayment.show() method is a JWT data object referred to here as a transient token. The transient token contains all the payment information captured during the Unified Checkout payment journey.

Adding the Payment Application and Payment Acceptance

After you initialize the Unified Checkout object, you can add the payment application and payment acceptance pages to your webpage. You can attach the Unified Checkout embedded tool and payment acceptance pages to any named element within your HTML. Typically, they are attached to explicit named

<div>

components that are replaced with

Click to Pay

iframes

.

IMPORTANT

If you do not specify a location for the payment acceptance page, it is placed in the sidebar.

JavaScript Example: Setting Up with Full Sidebar

<html>
<head>
  <script
    src="[INSERT clientLibrary VALUE HERE]"
    integrity="[INSERT clientLibraryIntegrity VALUE HERE]”
    crossorigin=”anonymous"
  ></script>
</head>
<body>
  <h1>Unified Checkout Integration</h1>
  <input
    type="hidden"
    name="captureContext"
    value="[INSERT captureContext HERE]"
  />
  <script type="text/javascript">
    const sidebar = true;
    const captureContext = document.getElementById("captureContext").value;
const showArgs = { containers: {
paymentSelection: '#buttonPaymentListContainer', 
}
};
    
    async function launchCheckout() {
      try {
        const accept = await Accept(captureContext);
        const up = await accept.unifiedPayments(sidebar);
        const tt = await up.show(showArgs);
        const completeResponse = await up.complete(tt);
    
        console.log(completeResponse); // merchant logic for handling complete response
      } catch (error) {
        // merchant logic for handling issues
        console.error("something went wrong: " + error);
      }
    }

    // Call the function
    launchCheckout();
  </script>
</body>

JavaScript Example: Setting Up with the Embedded Component

The main difference between using an embedded component and the sidebar is that the

accept.unifiedPayments

object is set to

false

, and the location of the payment screen is passed in the containers argument.

IMPORTANT

If you do not specify a location for the payment acceptance page, it is placed in the side bar.

<html>
<head>
  <script
    src="[INSERT clientLibrary VALUE HERE]"
    integrity="[INSERT clientLibraryIntegrity VALUE HERE]”
    crossorigin=”anonymous"
  ></script>
</head>
<body>
  <h1>Unified Checkout Integration</h1>
  <input
    type="hidden"
    name="captureContext"
    value="[INSERT captureContext HERE]"
  />
  <script type="text/javascript">
    const sidebar = false;
    const captureContext = document.getElementById("captureContext").value;
    const showArgs = {
      containers: { paymentSelection: "#buttonPaymentListContainer",
paymentScreen:	'#embeddedPaymentContainer' }
    };
    
    async function launchCheckout() {
      try {
        const accept = await Accept(captureContext);
        const up = await accept.unifiedPayments(sidebar);
        const tt = await up.show(showArgs);
        const completeResponse = await up.complete(tt);
    
        console.log(completeResponse); // merchant logic for handling complete response
      } catch (error) {
        // merchant logic for handling issues
        console.error("something went wrong: " + error);
      }
    }

    // Call the function
    launchCheckout();
  </script>
</body>

Transient Tokens

The response to a successful customer interaction with

Click to Pay

is a transient token. The transient token is a reference to the payment data collected on your behalf. Tokens enable secure card payments without risking exposure to sensitive payment information. The transient token is a short-term token with a duration of 15 minutes.

Transient Token Format

The transient token is issued as a JSON Web Token (JWT) (RFC 7519). For information on JSON Web Tokens, see JSON Web Tokens.

The payload portion of the token is a Base64-encoded JSON string and contains various claims.

Token Verification

When you receive the transient token, you should cryptographically verify its integrity using the public key embedded within the capture context. Doing so verifies that Barclays issued the token and that the data has not been tampered with in transit. Verifying the transient token JWT involves verifying the signature and various claims within the token. Programming languages each have their own specific libraries to assist.

Dual-Branded Cards

Unified Checkout accepts dual-branded cards. To use this feature, you must include the card networks that have overlapping BIN ranges in the capture context request. For example:

"allowedCardNetworks": ["VISA", "MASTERCARD", "AMEX", "CARTESBANCAIRES"]

When a card number within an overlapping BIN range is entered, the network that is listed first in the value array for the

allowedCardNetworks

field is used. For example, if the card number 403550XXXXXXXXXX is entered, the payment network is Visa.

During the transaction, the card type is populated with the first network in the list, and the detectedCardTypes
field includes all of the detected card types in the transient token.

The

detectedCardTypes

field is returned in the transient token response only when more than one card type is detected.

Capture Context API

This section contains the information you need to request the capture context using the capture context API.

The capture context request contains all of the merchant-specific parameters that tell the frontend JavaScript library how to behave within your payment experience.

The capture context is a signed JSON Web Token (JWT) containing this information:

Merchant-specific parameters that dictate the customer payment experience for the current payment transaction.

A one-time public key that secures the information flow during the current payment transaction.

The capture context request includes these elements:

allowedCardNetworks

allowedPaymentTypes

clientVersion

targetOrigins

transientTokenResponseOptions.includeCardPrefix

completeMandate

For information on JSON Web Tokens, see JSON Web Tokens.

Target Origin: The target origin is defined by the scheme (protocol), hostname (domain) and port number (if used).

You must use the https:// protocol. Sub domains must also be included in the target origin.

Any valid top-level domains, such as .com, .co.uk, and .gov.br, are supported. Wildcards are not supported.

For example, if you are launching Click to Pay on example.com, the target origin could be any of the following:

https://example.com
https://subdomain.example.com
https://example.com:8080

You can define the payment cards and digital payments that you want to accept in the capture context.
Allowed Card Networks: Use the
allowedCardNetworks
field to define the card types.

These card networks are available for card entry:
American Express
Diners Club
Discover
Maestro
Mastercard
Visa

To support dual-branded or co-badged cards, you must list your supported card types values for the
allowedCardNetworks
field based on your preference for processing card numbers. For example, if a card is dual-branded as Visa and Cartes Bancaires and Cartes Bancaires is listed first, the card type is set to Cartes Bancaires after the card number is enter in your Unified Checkout card collection form. For information on dual-branded or co-badged cards, see Dual-Branded Cards.

Include Card Prefix: You can control the length of the card number prefix to be received in the response to the capture context
/sessions
request:
6 digits
8 digits
no prefix at all
IMPORTANT

When you request the card number prefix for a Click to Pay tokenized credential, 6 digits are returned.
To specify your preferred card number prefix length, include or exclude the
transientTokenResponseOptions.includeCardPrefix
field in the capture context
/sessions
request.; If you want to receive a 6-digit card number prefix in the response
Do not
include the
transientTokenResponseOptions.includeCardPrefix
field in the capture context
/sessions
request.
This example shows how a 6-digit card number prefix
411111
is returned in the transient token response:
"maskedValue" : "XXXXXXXXXXXX1111”, "bin" : "411111"; If you want to receive an 8-digit card number prefix in the response
Include the
transientTokenResponseOptions.includeCardPrefix
field in the capture context request, and set the value to
true
.
IMPORTANT

Per PCI DSS requirements, this requirement applies only to card numbers longer than 15 digits and for Discover, JCB, Mastercard, UnionPay, and Visa brands.
If the card type entered is not part of these brands, a 6-digit card number prefix is returned instead.
If the card type entered is not part of these brands but is co-branded
with these brands, an 8-digit card number prefix is returned.
This example shows how an 8-digit card prefix
41111102
is returned in the transient token response:
"maskedValue" : "XXXXXXXXXXXX1111”, "prefix" : "41111102"; If you do not want to receive a card number prefix in the response
Include the
transientTokenResponseOptions.includeCardPrefix
field in the capture context request, and set the value to
false
.
This example shows how a card number is returned without a card number prefix in the transient token response:
"maskedValue" : "XXXXXXXXXXXX1111"; Best practice:
If your application does not require card number prefix information for routing or identification purposes, Barclays recommends that you include the
transientTokenResponseOptions.includeCardPrefix
field in the capture context request and set its value to
false
. Doing so limits the exposure of payment data to only what is necessary for your processing needs.
For more information about PCI DSS, see
Frequently Asked Questions
on the PCI Security Standards Council site.

IMPORTANT

When integrating with Barclays APIs, Barclays recommends that you dynamically parse the response for the fields that you are looking for. Additional fields may be added in the future.

You must ensure that your integration can handle new fields that are returned in the response. While the underlying data structures will not change, you must also ensure that your integration can handle changes to the order in which the data is returned. Barclays uses semantic versioning practices, which enables you to retain backwards compatibility as new fields are introduced in minor version updates.

Features

This section includes information on the features that are supported in Click to Pay.

Save Card: Save Card is supported for the Click to Pay payment method. When the feature is enabled, the Click to Pay payment flow offers the customer the option to save their card information for future purchases placed at your website.
IMPORTANT

This feature is available only for card credentials that are manually entered during checkout. If Click to Pay is an available payment method, do not
select Save this card with Click to Pay
.

When the customer selects the checkbox and finalizes their purchase, you receive a notification in the transient token response to your capture context request. The transient token payload includes the
consumerPreference.saveCard
field value set to
true
.
Email Autolookup: Automatic email lookup occurs when an email address is included in the capture context request. If the user has a Click to Pay account but is not on a recognized device, a one-time password (OTP) screen appears and the user is prompted to enter their OTP. If the user does not have a Click to Pay account, the user must enter their card information manually and they will have the option to create a Click to Pay account.
To enable email autolookup, you must include
CLICKTOPAY
as a value in the
allowedPaymentTypes
field and include an email address in the capture context.

Requesting the Capture Context

This section shows you how to request the capture context.

Endpoint

Production:

POST https://api.smartpayfuse.barclaycard/up/v1/capture-contexts

Test:

POST https://api.smartpayfuse-test.barclaycard/up/v1/capture-contexts

Required Fields for Requesting the Capture Context

Use these required fields to request the capture context:

Required Fields for Requesting the Capture Context

Your capture context request must include these fields:

allowedPaymentTypes: Set to
CLICKTOPAY
.
clientVersion
country
locale
orderInformation.amountDetails.currency
orderInformation.amountDetails.totalAmount
targetOrigins: The URL in this field value must contain
https
.

Required Fields for Enabling the Save Card Feature

allowedPaymentTypes: Set to
CLICKTOPAY
,
PANENTRY
, or both to support the Save Card feature for Click to Pay.
captureMandate.requestSaveCard: Set to
true
to enable the Save Card feature for Unified Checkout.
clientVersion: Set to
0.24
or newer to support the Save Card feature for Click to Pay.

REST Example: Requesting the Capture Context

Request

{
  {
    "targetOrigins": [
      "https://unified-payments.appspot.com"
    ],
    "clientVersion": "0.23",
    "allowedCardNetworks" : [ "VISA", "MASTERCARD", "AMEX" ],
    "allowedPaymentTypes" : [ "CLICKTOPAY" ],
    "country": "US",
    "locale": "en_US",
    "captureMandate": {
      "billingType": "FULL",
      "requestEmail": true,
      "requestPhone": true,
      "requestShipping": true,
      "shipToCountries": [
        "US",
        "UK"
      ],
      "showAcceptedNetworkIcons": true
    },
    "orderInformation": {
      "amountDetails": {
        "totalAmount": "21.00",
        "currency": "USD"
      },
      "billTo": {
        "address1": "1111 Park Street",
        "address2": "Apartment 24B",
        "administrativeArea": "NY",
        "country": "US",
        "district": "district",
        "locality": "New York",
        "postalCode": "00000",
        "company": {
          "name": "Visa Inc",
          "address1": "900 Metro Center Blvd",
          "administrativeArea": "CA",
          "buildingNumber": "1",
          "country": "US",
          "district": "district",
          "locality": "Foster City",
          "postalCode": "94404"
        },
        "email": "[email protected]",
        "firstName": "Maya",
        "lastName": "Tran",
        "middleName": "S",
        "title": "Ms",
        "phoneNumber": "1234567890",
        "phoneType": "phoneType"
      },
      "shipTo": {
        "address1": "Visa",
        "address2": "123 Main Street",
        "address3": "Apartment 102",
        "administrativeArea": "CA",
        "buildingNumber": "string",
        "country": "US",
        "locality": "Springfield",
        "postalCode": "99999",
        "firstName": "Joe",
        "lastName": "Soap"
      }
    }
  }
}

Successful Encrypted JWT Response to Request

eyJraWQiOiJqNCIsImFsZyI6IlJTMjU2In0.eyJmbHgiOnsicGF0aCI6Ii9mbGV4L3YyL3Rva2VucyIsImRhdGEiOiJHeUhXV0d5SG5lK2Fld1JsalVUaGJoQUFFQVZMbTR6QTA0UHBqaGFXOHVSZ2UvNFQweEtIbW9KUWNYaE1hd0RmVzVQVFBLNXBlZ05vRkVocnNacjdnbldLeHBRdTNWSm4vTDBjbmZOaTRSdjdlTElcdTAwM2QiLCJvcmlnaW4iOiJodHRwczovL3N0YWdlZmxleC5jeWJlcnNvdXJjZS5jb20iLCJqd2siOnsia3R5IjoiUlNBIiwiZSI6IkFRQUIiLCJ1c2UiOiJlbmMiLCJuIjoibVhHbi1DbllDX1pkODVQdTJaaDluVDdZOUpQX1RjUV9BSzlBQTFHQkJfOFVXd2FHWEZIMGxfa2EwXzV0ekFleU5uVWZLQ016WFFHV2dMZ2hnZXdLMjJzWlVXVTdDT0k4RkNTWktpUjBYRGJ2TTVZYkYxejk0TmNmWVJGc0p0ZzhTbE1jY0stS00tOUFjdldYQWlxUEs0Mk5GZnlIVE5uX3BpVDdhZHRDMGFZQlhCdkw2WXFmcWM5bXBua05FQTJVN0x5VWFyRy1rVFVIQW8xX2tjdW1tTEF1X1Y5OEQyMndsaHMtekhEcnFVTFhsNEdKSGF6WjNXVWJDWHc5c0o2dFowVmVnX1Bpbnhmck9mazA0RWNaVlM5clBXWW1HRnA3V2NyR0FQTkRCQzFPZ0NKNW1mRmpMNEtpcVpVNURpTWFsbURGdzg5VVp1bllBVWlrdUU1SURRIiwia2lkIjoiMDBDeWg5UHhhdDdCUkMwa0pXUG5hUVJsOU9jTGMzZVoifX0sImN0eCI6W3siZGF0YSI6eyJhbGxvd2VkUGF5bWVudFR5cGVzIjpbeyJwYWdlIjoxLCJ0eXBlIjoiUEFORU5UUlkifSx7InBhZ2UiOjIsInR5cGUiOiJTUkNWSVNBIn0seyJwYWdlIjozLCJ0eXBlIjoiU1JDTUFTVEVSQ0FSRCJ9LHsicGFnZSI6NCwidHlwZSI6IlNSQ0FNRVgifSx7InBhZ2UiOjUsInR5cGUiOiJHT09HTEVQQVkifSx7InBhZ2UiOjYsInR5cGUiOiJBUFBMRVBBWSJ9XSwicGF5bWVudENvbmZpZ3VyYXRpb25zIjp7IlNSQ1ZJU0EiOnsib3JpZ2luIjoiaHR0cHM6Ly9zYW5kYm94LWFzc2V0cy5zZWN1cmUuY2hlY2tvdXQudmlzYS5jb20iLCJwYXRoIjoiL2NoZWNrb3V0LXdpZGdldC9yZXNvdXJjZXMvanMvc3JjLWktYWRhcHRlci92aXNhU2RrLmpzIiwicGFuRW5jcnlwdGlvbktleSI6eyJrdHkiOiJSU0EiLCJlIjoiQVFBQiIsInVzZSI6ImVuYyIsImtpZCI6IldaTEQzS0VBUFdJRThMS0pEMU0xMTNYMXExamZUZE5pNTI0al9aQWxLVmtlanBxM0EiLCJuIjoic1pQSXVzRGY3eVFubmhCa1U5bXUxNFZPTzNDcnVpM2I3ckFmMktZZW9iVVJtWEExN2IxSlg5amcwQ2QtdmdwbXV5VHJ4QlVTYy00YjAtVVBnU3dHRnFQV1VweDA4RXhxcndQRE92Rm9qQm91MndseXE4YmN5MFVzLUJmZUN6U0U1bE1WZFNYVFhYWGNOcXUtcWIyMmpDQ0NKQUxweHNBcnNib01PWHNMZWRoM000WE5RNVhHQXRSZjdiLS11VFk1RHI5S0xZeVV2WktBblkwNE1LSlBFTzU0WWlJRk01RFRBaE5PbXMwODlqZE1keC1VUklLSmpQVTItUnBIRzF1OExDRzAyOFJUSXBQc05iUmFudVM1VEFZX3pseERnYjFoS0ozNlliWkVOSExnOVBYVEJoZE9NbFU5MERUTGxmY2JMVGEtRDdEZ2xqQWFXQ3V2ekxQYUd3In0sInBhcmFtZXRlcnMiOnsic3JjSW5pdGlhdG9ySWQiOiJSNDVOMzQzRDZLWFpSWU1CSVhMSTIxeDgtWGtMaWh4Q21lcFMzaEFlUm91RWcwaTVVIiwic3JjaURwYUlkIjoiOTBhZDlhN2QtOTU5Ni00ZWQxLWE3MTEtMmJjOTllM2JjNWZmIiwic3JjaVRyYW5zYWN0aW9uSWQiOiIzMWJkNTRjZi1hOGIyLTQwMTEtODQ0Ny1jYjczZDM4OGU0NjYiLCJkcGFUcmFuc2FjdGlvbk9wdGlvbnMiOnsiZHBhTG9jYWxlIjoiZW5fVVMiLCJwYXlsb2FkVHlwZUluZGljYXRvciI6IkZVTEwiLCJyZXZpZXdBY3Rpb24iOiJjb250aW51ZSIsImRwYUFjY2VwdGVkQmlsbGluZ0NvdW50cmllcyI6W10sImRwYUFjY2VwdGVkU2hpcHBpbmdDb3VudHJpZXMiOltdLCJkcGFCaWxsaW5nUHJlZmVyZW5jZSI6IkFMTCIsImRwYVNoaXBwaW5nUHJlZmVyZW5jZSI6IkFMTCIsImNvbnN1bWVyTmFtZVJlcXVlc3RlZCI6dHJ1ZSwiY29uc3VtZXJFbWFpbEFkZHJlc3NSZXF1ZXN0ZWQiOnRydWUsImNvbnN1bWVyUGhvbmVOdW1iZXJSZXF1ZXN0ZWQiOnRydWUsInRyYW5zYWN0aW9uQW1vdW50Ijp7InRyYW5zYWN0aW9uQW1vdW50IjoiMS4wMSIsInRyYW5zYWN0aW9uQ3VycmVuY3lDb2RlIjoiVVNEIn0sInBheW1lbnRPcHRpb25zIjp7ImRwYUR5bmFtaWNEYXRhVHRsTWludXRlcyI6MTUsImR5bmFtaWNEYXRhVHlwZSI6IlRBVlYiLCJkcGFQYW5SZXF1ZXN0ZWQiOmZhbHNlfX19fSwiU1JDTUFTVEVSQ0FSRCI6eyJvcmlnaW4iOiJodHRwczovL3NhbmRib3guc3JjLm1hc3RlcmNhcmQuY29tIiwicGF0aCI6Ii9zZGsvc3Jjc2RrLm1hc3RlcmNhcmQuanMiLCJwYW5FbmNyeXB0aW9uS2V5Ijp7Imt0eSI6IlJTQSIsImUiOiJBUUFCIiwidXNlIjoiZW5jIiwia2lkIjoiMjAyMzAyMDcyMjM1MjEtc2FuZGJveC1mcGFuLWVuY3J5cHRpb24tc3JjLW1hc3RlcmNhcmQtaW50Iiwia2V5X29wcyI6WyJlbmNyeXB0Iiwid3JhcEtleSJdLCJhbGciOiJSU0EtT0FFUC0yNTYiLCJuIjoidDA2SThzamxTLXJyczd1Q2FnSDhldm9ldW1hUm92S3ppWlNJOVMyTjlJRFE5dFcyUGFwZlJhOUxjMUt2ZUVCRFZzMjdQa2hrVTVPeUhnUDBpRWpUdUtWcHZoNTlUNGxhLW1CU0lsczdVZWNVUUxMYTBXa21idEw3ak5kbHRBNWZxN0FoY0FyNXFjYTk4OHFyTGQ3SXlyOUUwQzNUeGJUOXRvMWlRY3B6OG9jWk9EUlhvaWRGQW5PVkw1WUdGbWxzcmVEYko0VmhzaTBwQWRjY1FjaWwteWRTZ3VyS0ItcnFLcHBiOWVwb211NFFVaDMzODJDdjhOb2JZbUYzb3M4bkdHZ0dQLWN5WG8wbnNLY1BBZ2ZybFF6b3M3cUh4VU9yRmUyeF9sWjFHMUFFLVhya3J4akJ5czlxNTNHTVJTTkNROGMtX21jRjlwYnE0SFlCcy12RDVRIn0sInBhcmFtZXRlcnMiOnsic3JjaVRyYW5zYWN0aW9uSWQiOiIzMWJkNTRjZi1hOGIyLTQwMTEtODQ0Ny1jYjczZDM4OGU0NjYiLCJzcmNpRHBhSWQiOiI5ODQ4Y2ZmNC1jODY0LTRmMTgtOWYwMy1hOGY1MGE2OTJlZGRfc3lzdGVtdGVzdCIsInNyY0luaXRpYXRvcklkIjoiNmY1ZDZjMDktZjhlMi00MzMwLWEzZGYtMjBiOWFkN2E0NTJiIiwiZHBhVHJhbnNhY3Rpb25PcHRpb25zIjp7InRyYW5zYWN0aW9uVHlwZSI6IlBVUkNIQVNFIiwiZHBhTG9jYWxlIjoiZW5fVVMiLCJkcGFBY2NlcHRlZFNoaXBwaW5nQ291bnRyaWVzIjpbXSwiY29uc3VtZXJFbWFpbEFkZHJlc3NSZXF1ZXN0ZWQiOnRydWUsImNvbnN1bWVyUGhvbmVOdW1iZXJSZXF1ZXN0ZWQiOnRydWUsInRyYW5zYWN0aW9uQW1vdW50Ijp7InRyYW5zYWN0aW9uQW1vdW50IjoiMS4wMSIsInRyYW5zYWN0aW9uQ3VycmVuY3lDb2RlIjoiVVNEIn0sImRwYUFjY2VwdGVkQmlsbGluZ0NvdW50cmllcyI6W10sImRwYUJpbGxpbmdQcmVmZXJlbmNlIjoiRlVMTCIsImRwYVNoaXBwaW5nUHJlZmVyZW5jZSI6IkZVTEwiLCJjb25zdW1lck5hbWVSZXF1ZXN0ZWQiOnRydWUsInBheWxvYWRUeXBlSW5kaWNhdG9yIjoiRlVMTCIsInBheW1lbnRPcHRpb25zIjp7ImR5bmFtaWNEYXRhVHlwZSI6IkNBUkRfQVBQTElDQVRJT05fQ1JZUFRPR1JBTV9TSE9SVF9GT1JNIn19fX0sIlNSQ0FNRVgiOnsib3JpZ2luIjoiaHR0cHM6Ly9xd3d3LmFleHAtc3RhdGljLmNvbSIsInBhdGgiOiIvYWthbWFpL3JlbW90ZWNvbW1lcmNlL3NjcmlwdHMvYW1leFNESy0xLjAuMC5qcyIsInBhbkVuY3J5cHRpb25LZXkiOnsia3R5IjoiUlNBIiwiZSI6IkFRQUIiLCJ1c2UiOiJlbmMiLCJraWQiOiJzcmMtYW1leC1jYXJkLWVuYy0yMDI0IiwiYWxnIjoiUlNBLU9BRVAtMjU2IiwibiI6Im1FazBibUxDMlpRVy1hNEtYMW5EWTNaZlBMRnJIOHRuVXlJYjVrVEtnemFlYWdpbWFINFhxUDRadzA1aWk2TXZkdk4wVDJweVNKUTRqb2toUEMySVdlbWlWUEc4ZkNQQk1KeHhqeTJFdTlvdGJpd0dSQkNneHdjdS1hY2pZYXVwVlB0RE43ZW5nSERkbk9nYXJsb0dyUFVNNklFRVpXX3ZFQjljU3JNX0JhOFNjQzhSYWZnTlNZODFpeGF4UEE4Y09oQUF2ckxRN0toRTVReFN6SU1mcnpiMUxCWUdMNFlQQnVuZk5BMnczZnZMd2ZCbDJfLVJGUkNVbVBFdjFOdVhxeG8xUk4wOGoydW44ZWljR3ZudDBndC0yMW5HcmJjNnhwcDdwWlkyb2otaGMwWlVsTnlFX2tKcExTNU9VWjhHZU9acDRxVlJ4aGtJUEd4RWVGLVFXaVNnOHVXazF4Nm5jdGhyTVVKWVYxSFB1OHRIa0pEbThBYS1Ec2hQTmVpeERqX1ZGVkVTOFYteUlJUndnLVUyODJXUGIwVDJ0S1JYZG5qbE52Y2xCc0lfNFZ3ZzVjV0VoU2tTc3pVQXkxUENTRm5rWjVJRU9yaGdfMFRwZTdhaU84dzVzUndOaFpuUnBKeUlzUHQtbE1Dbzd6cjg1QjJ2eGNvUGZmU1NwM0ZaIn0sInBhcmFtZXRlcnMiOnsic3JjaVRyYW5zYWN0aW9uSWQiOiIzMWJkNTRjZi1hOGIyLTQwMTEtODQ0Ny1jYjczZDM4OGU0NjYiLCJzcmNJbml0aWF0b3JJZCI6ImQyZTdkOTc1LWIwYWEtNGZhYS05YTUxLTY4MDAyMjkwZDc1NiIsImRwYURhdGEiOnsiZHBhTmFtZSI6InRlc3QgU2hvcCB3ZWJzaXRlIFJlZ2lzdHJhdGlvbiIsImRwYUxvZ29VcmkiOiJodHRwOi8vd3d3LnRlc3RzcmNyZWdpc3RyYXRpb24uY29tIiwiZHBhUHJlc2VudGF0aW9uTmFtZSI6InRlc3QgU2hvcCB3ZWJzaXRlIFJlZ2lzdHJhdGlvbiIsImRwYVVyaSI6Imh0dHA6Ly93d3cudGVzdHNyY3JlZ2lzdHJhdGlvbi5jb20ifSwiZHBhVHJhbnNhY3Rpb25PcHRpb25zIjp7ImRwYUxvY2FsZSI6ImVuX1VTIiwiZHBhQWNjZXB0ZWRCaWxsaW5nQ291bnRyaWVzIjpbXSwiZHBhQWNjZXB0ZWRTaGlwcGluZ0NvdW50cmllcyI6W10sImRwYUJpbGxpbmdQcmVmZXJlbmNlIjoiQUxMIiwiZHBhU2hpcHBpbmdQcmVmZXJlbmNlIjoiQUxMIiwiY29uc3VtZXJOYW1lUmVxdWVzdGVkIjp0cnVlLCJjb25zdW1lckVtYWlsQWRkcmVzc1JlcXVlc3RlZCI6dHJ1ZSwiY29uc3VtZXJQaG9uZU51bWJlclJlcXVlc3RlZCI6dHJ1ZSwicmV2aWV3QWN0aW9uIjoiY29udGludWUiLCJ0aHJlZURzUHJlZmVyZW5jZSI6Ik5PTkUiLCJwYXltZW50T3B0aW9ucyI6W3siZHluYW1pY0RhdGFUeXBlIjoiRFlOQU1JQ19DQVJEX1NFQ1VSSVRZX0NPREUiLCJkcGFEeW5hbWljRGF0YVR0bE1pbnV0ZXMiOiIxNSJ9XX19fSwiR09PR0xFUEFZIjp7ImNsaWVudExpYnJhcnkiOiJodHRwczovL3BheS5nb29nbGUuY29tL2dwL3AvanMvcGF5LmpzIiwicGF5bWVudE9wdGlvbnMiOnsiZW52aXJvbm1lbnQiOiJURVNUIn0sInBheW1lbnREYXRhUmVxdWVzdCI6eyJhcGlWZXJzaW9uIjoyLCJhcGlWZXJzaW9uTWlub3IiOjAsIm1lcmNoYW50SW5mbyI6eyJtZXJjaGFudElkIjoiQkNSMkRONFQ3RERZQlRUViIsIm1lcmNoYW50TmFtZSI6IlVuaWZpZWQgQ2hlY2tvdXQgTWVyY2hhbnQifSwiYWxsb3dlZFBheW1lbnRNZXRob2RzIjpbeyJ0eXBlIjoiQ0FSRCIsInBhcmFtZXRlcnMiOnsiYWxsb3dlZEF1dGhNZXRob2RzIjpbIlBBTl9PTkxZIiwiQ1JZUFRPR1JBTV8zRFMiXSwiYWxsb3dlZENhcmROZXR3b3JrcyI6WyJWSVNBIiwiTUFTVEVSQ0FSRCIsIkFNRVgiXSwiYmlsbGluZ0FkZHJlc3NSZXF1aXJlZCI6dHJ1ZSwiYmlsbGluZ0FkZHJlc3NQYXJhbWV0ZXJzIjp7ImZvcm1hdCI6IkZVTEwiLCJwaG9uZU51bWJlclJlcXVpcmVkIjp0cnVlfX0sInRva2VuaXphdGlvblNwZWNpZmljYXRpb24iOnsidHlwZSI6IlBBWU1FTlRfR0FURVdBWSIsInBhcmFtZXRlcnMiOnsiZ2F0ZXdheSI6ImN5YmVyc291cmNlIiwiZ2F0ZXdheU1lcmNoYW50SWQiOiJwc19ocGEifX19XSwidHJhbnNhY3Rpb25JbmZvIjp7InRvdGFsUHJpY2VTdGF0dXMiOiJGSU5BTCIsInRvdGFsUHJpY2UiOiIxLjAxIiwiY291bnRyeUNvZGUiOiJVUyIsImN1cnJlbmN5Q29kZSI6IlVTRCJ9LCJlbWFpbFJlcXVpcmVkIjp0cnVlLCJzaGlwcGluZ0FkZHJlc3NSZXF1aXJlZCI6dHJ1ZSwic2hpcHBpbmdBZGRyZXNzUGFyYW1ldGVycyI6eyJwaG9uZU51bWJlclJlcXVpcmVkIjp0cnVlfX19LCJBUFBMRVBBWSI6eyJzZXNzaW9uUGF0aCI6Ii9mbGV4L3YyL2FwcGxlL3BheW1lbnQtc2Vzc2lvbnMiLCJtZXJjaGFudElkZW50aWZpZXIiOiJtZXJjaGFudC5jb20uY3liZXJzb3VyY2Uuc3RhZ2VmbGV4IiwiZGlzcGxheU5hbWUiOiJVQyBUZXN0In19LCJjYXB0dXJlTWFuZGF0ZSI6eyJiaWxsaW5nVHlwZSI6IkZVTEwiLCJyZXF1ZXN0RW1haWwiOnRydWUsInJlcXVlc3RQaG9uZSI6dHJ1ZSwicmVxdWVzdFNoaXBwaW5nIjp0cnVlLCJzaGlwVG9Db3VudHJpZXMiOltdLCJzaG93QWNjZXB0ZWROZXR3b3JrSWNvbnMiOnRydWV9LCJvcmRlckluZm9ybWF0aW9uIjp7ImFtb3VudERldGFpbHMiOnsidG90YWxBbW91bnQiOiIxLjAxIiwiY3VycmVuY3kiOiJVU0QifX0sInRhcmdldE9yaWdpbnMiOlsiaHR0cHM6Ly90aGUtdXAtZGVtby5hcHBzcG90LmNvbSJdLCJpZnJhbWVzIjp7Im1jZSI6Ii9tY2UvaWZyYW1lLmh0bWwiLCJidXR0b25zIjoiL2J1dHRvbmxpc3QvaWZyYW1lLmh0bWwiLCJzcmMiOiIvc2VjdXJlLXJlbW90ZS1jb21tZXJjZS9zcmMuaHRtbCIsImN0cCI6Ii9jdHAvY3RwLmh0bWwiLCJnb29nbGVwYXkiOiIvZ29vZ2xlcGF5L2dvb2dsZXBheS5odG1sIiwiYXBwbGVwYXkiOiIvYXBwbGVwYXkvYXBwbGVwYXkuaHRtbCIsInBhemUiOiIvcGF6ZS9wYXplLmh0bWwifSwiY2xpZW50VmVyc2lvbiI6IjAuMTkiLCJjb3VudHJ5IjoiVVMiLCJsb2NhbGUiOiJlbl9VUyIsImFsbG93ZWRDYXJkTmV0d29ya3MiOlsiVklTQSIsIk1BU1RFUkNBUkQiLCJBTUVYIl0sImNyIjoiNmM0dUcyemFXdVBvbkxLM0R2NEwxVlJpTFVOMkFVczY4QU84bVdaUTA0X1RNLVFDdDhNUDNTQklvcGQ2Y2NtOTdmSEo1QXViVzh6VFhJTW91TTRjQWFrbm80NktIVndGRFpxQ0tfWTVwMEVzRHJmdFVTREFrZ21KZ0pNbHJ2cnYzTkpFOWdzcldBMl8zdDJBR2hQbEtfMU9rZyIsInNlcnZpY2VPcmlnaW4iOiJodHRwczovL3N0YWdldXAuY3liZXJzb3VyY2UuY29tIiwiY2xpZW50TGlicmFyeSI6Imh0dHBzOi8vc3RhZ2V1cC5jeWJlcnNvdXJjZS5jb20vdXAvdjEvYXNzZXRzLzAuMTkuMC9TZWN1cmVBY2NlcHRhbmNlLmpzIiwibG9nZ2luZ1BhdGgiOiIvdXAvdjEvbG9nLWV2ZW50cyIsImFzc2V0c1BhdGgiOiIvdXAvdjEvYXNzZXRzLzAuMTkuMCIsImNsaWVudExpYnJhcnlJbnRlZ3JpdHkiOiJzaGEyNTYtWllDT2tucVh5bjRad3NyOFYwaE5OcjZaUitZYThJbHNkdFplTkhPbDJYVVx1MDAzZCJ9LCJ0eXBlIjoiZ2RhLTAuOS4wIn1dLCJpc3MiOiJGbGV4IEFQSSIsImV4cCI6MTcxMDk2NDc4MCwiaWF0IjoxNzEwOTYzODgwLCJqdGkiOiI4SWs4bHU2NEh3NmpDVDhsIn0.XWXmjiZZGyHWIhT1hbBnc2xfhcYczpBYxhTn4g9NMt2utMaPR8wWcZ8TYDXd8HRLBWZkktkXxFFetJ4Tc6dQ4irZ6KmalWItWEUJpjN-5sLC4Qr1gG1JOOH5_hK6n_1hnjcQeRUBg-MsCSRBE_MA6ROSZgyfc1_WwL0g1TQUiKN5SvaM_37ooimebPQfvYyXyR_6Zkn9fu51w6NF_Qj0wtuQP4J4P3cgyZzzOFNKuHOwi7ISmyW6BcQXQrec577SRBfcMhhC3PBxl5OrXua4qUJ_qYbplA8P4n6f2--onAYef3UXFHmc28eRiTEeN0l0P1Yj45CIotbuw36mZrnRPQ

Decrypted Capture Context Header

{
          "kid": "j4", 
          "alg": "RS256"
          }

Decrypted Capture Context Body with Selected Fields

{ 
          "flx" : { 
          // filled with token metadata 
          }, 
          "ctx" : [ { 
          // filled with data related to your capture context request parameters 
          "data" : { 
          "clientLibrary" : "https://https://api.smartpayfuse-test.barclaycard/up/v1/assets/0.23.0/SecureAcceptance.js" 
          }, 
          "type" : "gda-0.9.0" 
          } ], 
          "iss" : "Flex API", 
          "exp" : 1710964780, 
          "iat" : 1710963880, 
          "jti" : "8Ik8lu64Hw6jCT8l" 
          }

Validating the Capture Context

The capture context that you generate is a JSON Web Token (JWT) data object. The JWT is digitally signed using a public key and confirms the validity of the JWT and that it comes from Barclays. When you do not have a key in the JWT header, Barclays recommends that you follow cryptography best practices and validate the capture context signature.

To validate a JWT, you must obtain its public key. This public RSA key is in JSON Web Key (JWK) format. The public key is associated with the capture context on the Barclays domain.

To get the public key of a capture context from the header of the capture context itself, you must retrieve the key ID associated with the public key and then pass the key ID to the

/flex/v2/public-keys

endpoint:

From the header of the capture context, get the key ID (

kid

):

{
    "kid": "3g",
    "alg": "RS256"
}

Send a GET request to the

/flex/v2/public-keys

endpoint and include the key ID. For example:

Test:

GET https://api.smartpayfuse-test.barclaycard/flex/v2/public-keys/{3g}

Production:

GET https://api.smartpayfuse.barclaycard/flex/v2/public-keys/{3g}

Depending on the cryptographic method you use to validate the public key, you might need to convert the key to privacy-enhanced mail (PEM) format.

The resource returns the public key:

eyJmbHgiOnsicGF0aCI6Ii9mbGV4L3YyL3Rva2VucyIsImRhdGEiOiI2bUFLNTNPNVpGTUk5Y3RobWZmd2doQUFFRGNqNU5QYzcxelErbm8reDN6WStLOTVWQ2c5bThmQWs4czlTRXBtT21zMmVhbEx5NkhHZ29oQ0JEWjVlN3ZUSGQ5YTR5a2tNRDlNVHhqK3ZoWXVDUmRDaDhVY1dwVUNZWlZnbTE1UXVFMkEiLCJvcmlnaW4iOiJodHRwczovL3Rlc3RmbGV4LmN5YmVyc291cmNlLmNvbSIsImp3ayI6eyJrdHkiOiJSU0EiLCJlIjoiQVFBQiIsInVzZSI6ImVuYyIsIm4iOiJyQmZwdDRjeGlkcVZwT0pmVTlJQXcwU1JCNUZqN0xMZjA4U0R0VmNyUjlaajA2bEYwTVc1aUpZb3F6R3ROdnBIMnFZbFN6LVRsSDdybVNTUEZIeTFJQ3BfZ0I3eURjQnJ0RWNEanpLeVNZSTVCVjNsNHh6Qk5CNzRJdnB2Smtqcnd3QVZvVU4wM1RaT3FVc0pfSy1jT0xpYzVXV0ZhQTEyOUthWFZrZFd3N3c3LVBLdnMwNmpjeGwyV05STUIzTS1ZQ0xOb3FCdkdCSk5oYy1uM1lBNU5hazB2NDdiYUswYWdHQXRfWEZ0ZGItZkphVUVUTW5WdW9fQmRhVm90d1NqUFNaOHFMOGkzWUdmemp2MURDTUM2WURZRzlmX0tqNzJjTi1OaG9BRURWUlZyTUtiZ3QyRDlwWkJ1d2gzZlNfS3VRclFWTVdPelRnT3AzT2s3UVFGZ1EiLCJraWQiOiIwOEJhWXMxbjdKTUhjSDh1bkcxc1NDUVdxN2VveWQ1ZyJ9fSwiY3R4IjpbeyJkYXRhIjp7InRhcmdldE9yaWdpbnMiOlsiaHR0cHM6Ly93d3cudGVzdC5jb20iXSwibWZPcmlnaW4iOiJodHRwczovL3Rlc3RmbGV4LmN5YmVyc291cmNlLmNvbSJ9LCJ0eXBlIjoibWYtMC4xMS4wIn1dLCJpc3MiOiJGbGV4IEFQSSIsImV4cCI6MTYxNjc3OTA5MSwiaWF0IjoxNjE2Nzc4MTkxLCJqdGkiOiJ6SG1tZ25uaTVoN3ptdGY0In0.GvBzyw6JKl3b2PztHb9rZXawx2T817nYqu6goxpe4PsjqBY1qeTo19R-CP_DkJXov9hdJZgdlzlNmRY6yoiziSZnGJdpnZ-pCqIlC06qrpJVEDob3O_efR9L03Gz7F5JlLOiTXSj6nVwC5mRlcP032ytPDEx5TMI9Y0hmBadJYnhEMwQnn_paMm3wLh2v6rfTkaBqd8n6rPvCNrWMOwoMdoTeFxku-

Use this public RSA key to validate the capture context.

Base64 decode the capture context to get the

kid

from its header:

{
    "kid": "3g",
    "alg": "RS256"
}

Send a GET request to retrieve the public key from

/flex/v2/public-keys/3g

:

{
    "kty":"RSA",    
    "use":"enc",
    "kid":"3g",
    "n":"ir7Nl1Bj8G9rxr3co5v_JLkP3o9UxXZRX1LIZFZeckguEf7Gdt5kGFFfTsymKBesm3Pe
     8o1hwfkq7KmJZEZSuDbiJSZvFBZycK2pEeBjycahw9CqOweM7aKG2F_bhwVHrY4YdKsp
     _cSJe_ZMXFUqYmjk7D0p7clX6CmR1QgMl41Ajb7NHI23uOWL7PyfJQwP1X8HdunE6ZwK
     DNcavqxOW5VuW6nfsGvtygKQxjeHrI-gpyMXF0e_PeVpUIG0KVjmb5-em_Vd2SbyPNme
     nADGJGCmECYMgL5hEvnTuyAybwgVwuM9amyfFqIbRcrAIzclT4jQBeZFwkzZfQF7MgA6QQ",
     "e":"AQAB"
}

Payment Details API

This section contains the information you need to retrieve the non-sensitive data associated with a Unified Checkout transient token and the payment details API. This API can be used to retrieve personally identifiable information, such as the cardholder name and billing and shipping details, without retrieving payment credentials, which helps ease the PCI compliance burden.

There are two methods of authentication, and they are described in the

Getting Started with REST Developer Guide

:

Constructing Messages Using JSON Web Tokens

Constructing Messages Using HTTP Signature Security

IMPORTANT

Barclays recommends that you dynamically parse the response for the fields that you are looking for when you integrate with Barclays APIs. Barclays may add additional fields in the future.

You must ensure that your integration can handle new fields that are returned in the response. Even though the underlying data structures do not change, you must also ensure that your integration can handle changes to the order in which the data is returned. Barclays uses semantic versioning practices, which enables you to retain backwards compatibility as new fields are introduced in minor version updates.

Endpoint

Production:

GET https://api.smartpayfuse.barclaycard/up/v1/payment-details/{id}

Test:

GET https://api.smartpayfuse-test.barclaycard/up/v1/payment-details/{id}

The

{id}

is the full JWT received from Unified Checkout as the result of capturing payment information. The transient token is a JWT object that you retrieved as part of a successful capture of payment information from a cardholder.

Required Field for Retrieving Transient Token Payment Details

Your payment credentials request must include this field:

id: The
{id}
is the full JWT received from Unified Checkout as the result of capturing payment information.

REST Example: Retrieving Transient Token Payment Details

Request

GET https://api.smartpayfuse-test.barclaycard/up/v1/payment-details/{id}

Response to Successful Request

{
  "paymentInformation": {
    "card": {
      "expirationYear": "2024",
      "number": "XXXXXXXXXXXX1111",
      "expirationMonth": "05",
      "type": "001"
    }
  },
  "orderInformation": {
    "amountDetails": {
      "totalAmount": "21.00",
      "currency": "USD"
    },
    "billTo": {
      "lastName": "Lee",
      "country": "US",
      "firstName": "Tanya",
      "email": "[email protected]"
    },
    "shipTo": {
      "locality": "Small Town",
      "country": "US",
      "administrativeArea": "CA",
      "address1": "123 Main Street",
      "postalCode": "98765"
    }
  }
}

Payment Credentials API

This section contains the information you need to retrieve the full payment credentials collected by the Unified Checkout tool using the payment credentials API. The payment information is returned in a redundantly signed and encrypted payment object. It uses the JSON Web Tokens (JWTs) as the data standard for communicating this sensitive data.

IMPORTANT

Payment information returned by the

payment-credentials

endpoint will contain Personal Identifiable Information (PII). Retrieving this sensitive information requires your system to comply with PCI security standards. For more information on PCI security standards, see: https://www.pcisecuritystandards.org/

The response is returned using a JWE data object that is encrypted with your public key created during the Unified Checkout tool's integration. For more information, see Upload Your Encryption Key.

To decrypt the JWE response, use your private key created during the Unified Checkout tool's integration. The decrypted content is a JWS data object containing a JSON payload. This payload can be validated with the Unified Checkout public signature key.

IMPORTANT

Barclays recommends that you dynamically parse the response for the fields that you are looking for when you integrate with Barclays APIs. Barclays may add additional fields in the future.

You must ensure that your integration can handle new fields that are returned in the response. Even though the underlying data structures do not change, you must also ensure that your integration can handle changes to the order in which the data is returned. Barclays uses semantic versioning practices, which enables you to retain backwards compatibility as new fields are introduced in minor version updates.

Returned Credentials

A payment account number (PAN) or network token is returned on your request depending on your payment method and Click to Pay account status:

Payment Credentials Returned by Card Type and `Click to Pay` Account Status
`Click to Pay` Account Status	American Express	Mastercard	Visa
New card not saved in `Click to Pay`	PAN	PAN	PAN
New card saved in `Click to Pay`	PAN	Network Token	Network Token
Existing card stored in `Click to Pay`	PAN	Network Token	Network Token

When you retrieve PAN information from the Payment Credentials API, the response includes the PAN, card expiration date, and the card verification value (CVV). When you retrieve network token information, the response includes the network token and network token cryptogram.

IMPORTANT

Visa and Mastercard always attempt to provision a network token. When a network token is not provisioned, the default payment method is the PAN. When there is a PAN transaction, the PAN is not stored in the consumers wallet and it is treated as a single transaction.

Network tokens are generated in the wallet of the Click to Pay token requestor ID (TRID). When tokenization is successful, Visa attempts to complete authentication during the Click to Pay experience. For information on authentication, see Customer Authentication.

You must meet these requirements for tokenization to be successfully configured for your merchant ID (MID):

Click to Pay is enabled as a digital payment in the Smartpay Fuse Portal.

The transacting MID is configured for tokenization with Click to Pay. Contact your Implementation Consultant or Technical Account Manager to configure tokenization with Click to Pay.

The

allowedPaymentTypes

field value is set to

CLICKTOPAY

in the capture context. For information on the capture context, see Capture Context API.

Endpoint

Production:

GET https://api.smartpayfuse.barclaycard/flex/v2/payment-credentials/{ReferenceID}

Test:

GET https://api.smartpayfuse-test.barclaycard/flex/v2/payment-credentials/{ReferenceID}

The

{ReferenceID}

is the reference ID returned in the

id

field when you created the payment credentials.

Required Field for Retrieving Payment Credentials

Your payment credentials request must include this field:

ReferenceID: The reference ID that is returned in the
id
field when you created the payment credentials.

REST Example: Retrieving Payment Credentials

Request

https://api.smartpayfuse.barclaycard/flex/v2/payment-credentials/E-firqlLk7GiziQwXxAsq

Encrypted Response to Successful Request

eyJhdWQiOiJwc3AiLCJzdWIiOiJwc19ocGEiLCJraWQiOiIyMDIzMDUxNC1kcmFmdC1wc3AtZW5jcnlwdCIsI
mN0eSI6IkpXVCIsImVuYyI6IkEyNTZHQ00iLCJleHAiOjE2ODQxNDk2NjQsImFsZyI6IlJTQS1PQUVQLTI1Ni
IsImp0aSI6IjA0NDUwNWNiLTM1ZDYtNDU2ZS05OTBlLWRkZjQwYzI5NzlhNCJ9.enhUfZJOjbMX-wZPIOb1zj
8sFZiix6JSJyNw2i9QJ4k_hd7Iy_UMYvOmS-X1FJwjH0IQxMIblSV8XqMegIOm5dYBYdqouUfC8zq4Zm_dsMo
Tp3m9T6z-A_eJ8MGaxqTHSf2vWiXB-EMrww2eCXPyVTBkI1OdmYIX-s85vsqYpW-s0ThlCKaGI7B4_rJKNa7m
ou9VMBtBnfzhHLtnHDW8vsX8rLmTT76Ct2jMdIoQnlQRgEOi-zYu0Jm0gHERavUtq_7lDw9Ta73_TFw3KA2fs
G13CURyR7ZXoZy9_nRifwHjwNVbaFRceAzXoVtvM8H8F-ZzIC8AdA1FRye7RqcK9Q.OlrMxOMDkVDU6goS.TP
fBhm1eBfRjCSSvuT6SxFeZ3SGwOC6qX2Z4rlAEY9lOor2Q2E1CMqB6o-q6DNkGtASFONBzKtoB0yAgXBpx3S7
2FltR8bd40qmRnPyTOAscXa3eWbP45EqZqHW58lwUtMwcBORcfSjxPnWUo-OGmKCtIgiUO4MTlBsl9HdCLx7R
Wpwslo0pKQAuFrURHJyhdE1JUArgjNQMdQwPvCjoZ2RxTzECEqE1l0KmBGM-w8suowrnTNZl8cwVUZKzHQEJV
-twAGykQIIRCI3ydHfCupyUuA-5-Wvlk6nhcL3qND4JF-E3EIRpzm7WH8pCV5nzByUue-grHejg774c7fi1eh
fTBUZ8v6X7rTZUBLL0V5343X3zQQy_G-vq5qcaJZ8AS2XWSi17r8UEHoU5emYu5QAuXy1AhL32nDRZuXzOzQ1
9JsrTN2CD8qxU7tDpkUCEmY2GEMp4sd-rfu_2qBZDdr74tjYNgMsTIXSpgGDiwjLMJu4r460YencO6-JweGCT
8woIySjBRYpX1_axxcO6I9RUTSopPbslZwq_zpy3UuDa9InlSexM--fatYfAehY857F7bFVXlnXeqr7X0_Lri
bJsx6CWJU1ihjMVtnF-SxeE3IdpJxyFYBb7D1iL3ywFooxcGqarXU-3_CBuDHvnJFDC_iQPaeH7csb-EMeNqF
TmFf8dWNQYG7IJDfEnrnRW_XtnczH-ZS67iVuGzGwJZDQfJZ-KLhnWr6FE1EnT1VLyXPM78WeocT7cnLXmr9B
gevNmU3q_SV5nxlDLPuCqF0PmFNxaTjqfF2Qw_zOCvazwFWuBdUDdHilPqhj3gfsOesAJVA7VoTDw2U3zte3V
09KcJLaHygwPomopWOODinKzcZeWfJ39984pQa5cOMSEToGegkRZyvSxpf5PTht30uB3F3qC4cVLOu4qukYsr
jXqOtxg3icde7lXywfAtEZgf54jAP2Cl8JFmGWL5YnIY44-zj-GVz2C8iCN1CCUP3U4eVxz2GtxNNSXuwY8OR
Udino4rF-OpqqdjX5F0Uw6J2D3uR9cWB4Ee3v8TIA3-tRkG4ScAcclEwjkwsILPgVLU57HOm0AnaEsznyHrd9
-Qfz_p-UjbsaD3e-_sr56-x2UZVVL6TAMmJqmS2C55CHgkkhtHBCu-vb0KOmssopIvaQA5jK6ZoCftewE8-98
816ZmoU8Sty05PSeK0yBlxFwTIeJxt-moszRawFuBrLAbOu72y_eeUtk1tHpHV2Db7T6XvaRD4NvOFZg8ianY
Y6uHidoTl1ApjCp8VG9oTJ-uKWAEp9TU6qEHUswZZUIBeGTKjzBkRAQ20cZs5POb-qtjteoWo9QdnczipZ8de
my-FSZwNRFPkeedl3oHLepeTgwVnmij9ovk0e5Wqq2GVUMe8sLa-4eEnjliIjAVUQ9YNJBeqLf6_wo3HF8o2k
4ZgSJTuPHAuP41-D6sYrOcM6WvkCfKRTXw7ue5unri3M0Rpd2TEnzyw.TaLt6G8QyRykbrxb0iV9Jg

Decrypted Response to Successful Request

{ // header
  kid = "zu"
  cty = "json+pc"
}.
{
  // registered claims
  iss = "https://flex.visa.com"            
  sub = "ps_hpa"                                  // Merchant ID 
  aud = "https://online.MyBank.com"              
  exp = 1683105553                                // expiry of payment credentials
  iat = 1683104035                                // timestamp when JWT was created
  jti = "ae798686-a849-4dfa-836d-43e09cb183a4"    // transaction id
  
  "paymentInformation": {    
    "tokenizedCard": {
      "number": "4111111111111111",
      "expirationMonth": "12",
      "expirationYear": "2031",
      "type": "001",
      "cryptogram": "",
      "transactionType": "1"
    }    
  },
  "orderInformation": {
    "amountDetails": {
      "totalAmount": "102.21",
      "currency": "USD"
    },
    "billTo": {
      "firstName": "John",
      "lastName": "Doe",
      "address1": "1 Market St",
      "locality": "san francisco",
      "administrativeArea": "CA",
      "postalCode": "94105",
      "country": "US",
      "email": "[email protected]",
      "phoneNumber": "4158880000"
    }
  }
}
.SIGNATURE

`Unified Checkout` Configuration

This section contains information necessary to configure Unified Checkout in the Smartpay Fuse Portal:

Upload Your Encryption Key

Enable Click to Pay

Manage Permissions

Upload Your Encryption Key

Payment information can be retrieved from the Unified Checkout platform by invoking the Payment Credentials API. This API retrieves all of the data captured by Unified Checkout. This information is transmitted in an encrypted format to ensure the security of the payment information while in transit.

You must generate an encryption key pair to retrieve this encrypted payment information, and the public encryption key must uploaded to the Unified Checkout system.

Generate a Public Private Key Pair

You must generate a public-private key pair to upload to the Unified Checkout system. The public key is uploaded to the Unified Checkout platform and is used to encrypt sensitive information in transit. The private key is used to decrypt the sensitive payment information on your server. Only the private key can properly decrypt the payment information.

IMPORTANT

You must secure your private decryption key. This key must never be exposed to any external systems or it will risk the integrity of the secure channel.

Unified Checkout accepts only keys that meet these requirements:

Only RSA keys are supported. Elliptical curves are not supported.

The minimum accepted RSA key size is 2048 bits.

RSA keys must be in JWK format. More information on JWK format is available here:

rfc7517.

The key ID must be a valid UUID.

Uploading Your Key Pair

When you have generated your encryption key pairs, you can upload your key to the Unified Checkout platform. Keys can be loaded at any hierarchy that is enabled for them and are used for all child entities that do not have keys loaded. You can upload a key at parent and child levels, but child keys override parent keys.

Follow these steps to upload your key pair:

Navigate to

Payment Configuration > Unified Checkout

. The Unified Checkout configuration page opens.

Click

Enabled

. You can upload your key in the appropriate section.

Upload the public encryption key in JWK format, and click

Save

.

Enable `Click to Pay`

To enable Click to Pay on Unified Checkout, you must first register Click to Pay. This process sends the appropriate information to the digital payment systems and registers your page with each system.

Enable Click to Pay for Unified Checkout in the Smartpay Fuse Portal. Click to Pay is listed as an available digital payment method offered by Unified Checkout.

Enabling `Click to Pay`

Click to Pay is a digital payment solution that allows customers to pay with their preferred card network and issuer without entering their card details on every website. Customers can use Visa, Mastercard, and American Express cards to streamline their purchase experience. Click to Pay provides a fast, secure, and consistent checkout experience across devices and browsers.

Follow these steps to enable in Click to Pay on Unified Checkout:

Navigate to

Payment Configuration > Unified Checkout

.

In the Click to Pay section, click Set Up
.

Enter your business name and website URL.

Click

Submit

.

Contact your implementation contact to request that you be enabled for tokenization within Click to Pay. Your implementation contact will confirm that you were configured successfully and that you can now accept digital payments with Click to Pay.

Manage Permissions

Administrators

can set permissions for new or existing Smartpay Fuse Portal user roles for Unified Checkout. Administrators retain full read and write permissions. They enable you to regulate access to specific pages and specify who can access, view, or amend digital products within Unified Checkout.

Administrators

must apply the appropriate user role permission for any existing or newly created Smartpay Fuse Portal user roles for Unified Checkout.

If you are a transacting merchant, you might find that your permissions are restricted. If your permissions are restricted, a message appears indicating that you do not have access, or buttons might appear gray. To make changes to your digital products within Unified Checkout that have restricted permissions, contact

your

Barclays

Customer Support representative

.

For more information, see Managing Permissions as an Administrator.

Test Your `Click to Pay` Configuration

This section contains information about testing your Click to Pay configuration.

Test Payment Details

Use these test card numbers to test your Click to Pay configuration.

Combine the BIN with the card number when sending to Click to Pay.

Visa `Click to Pay` Test Cards

These Visa test cards can be added to your Click to Pay wallet. Replace the X in the card number with 0.

You can manage your Visa Click to Pay test cards and account here:

Production:
https://secure.checkout.visa.com

Test:
https://sandbox.secure.checkout.visa.com

To manage Visa test cards for customer authentication, contact your implementation consultant or technical account manager.

IMPORTANT

These test cards are not valid for testing in production. To test in production, you must leverage production credentials.

Visa Test Card Numbers
Card Number	Expiration Date	CVV
46229431231X2700	12/2026	938
46229431231X2718	12/2026	605
46229431231X2726	12/2026	579
46229431231X2734	12/2026	141
46229431231X2742	12/2026	279
46229431231X2759	12/2026	669

Mastercard `Click to Pay` Test Cards

Mastercard test cards can be added to your Click to Pay wallet. You must retrieve Mastercard test cards from their Click to Pay test page: #test-cards

Mastercard has different test cards for retrieving tokenized and non-tokenized data. Barclays recommends that you use these test cards as follows:

Test cards to retrieve PAN data: Use these cards when the customer is completing checkout as a one-time guest and does not have a Click to Pay account or want to create one.

Test cards to retrieve token data: Use these cards for tokenized Click to Pay transactions.

You can manage your Mastercard Click to Pay test cards and account here:

Live:
enroll

SBX:
enroll

To manage Mastercard test cards for customer authentication, contact your implementation consultant or technical account manager.

Customer Authentication

When you enable customer authentication through

Click to Pay

, you give Barclays permission to send Visa the required authentication information for each transaction.

Click to Pay

authentication is only available for Visa branded cards that are tokenized with

Click to Pay

. If

Click to Pay

does not authenticate the transaction then you must authenticate it using another authentication method outside of

Click to Pay

, if required.

IMPORTANT

American Express or Mastercard card brands cannot be authenticated through

Click to Pay

. You must use another authentication method.

When the customer completes a transaction using a Visa card that is already stored in

Click to Pay

, authentication is managed with

Click to Pay

. When the customer checks out using manual card entry and does not save their card to

Click to Pay

, the transaction is not processed through

Click to Pay

and you must complete authentication based on your existing authentication method.

Visa Prerequisites

Before you can begin customer authentication using

Click to Pay

, you must meet these requirements:

The

allowPaymentTypes

field must include

CLICKTOPAY

in the capture context.

For more information, see Capture Context.

The transacting merchant ID that sends the transaction requests must be configured for tokenization with

Click to Pay

. You must contact your implementation consultant or technical account manager to configure tokenization with

Click to Pay

.

Set up Visa customer authentication in the Smartpay Fuse Portal. For more information, see Set Up Customer Authentication for Visa.

Authentication Flow

Set Up Customer Authentication for Visa

Follow these steps to use the Smartpay Fuse Portal to enable customer authentication through

Click to Pay

. Authentication methods differ in each region and are dependent on the issuer, the cardholder device, and the

Click to Pay

configuration. These authentication methods are available:

3-D Secure

FIDO

Card verification value (CVV)

One-time password (OTP)

IMPORTANT

After you complete these steps, Visa determines which authentication method to use. When Visa determines that they will authenticate, they authenticate each

Click to Pay

transaction through the appropriate method. This may be a frictionless authentication or the customer may need to provide more information when required by the issuer.

Log in to the Smartpay Fuse Portal:

Test URL:

https://admin.smartpayfuse-test.barclaycard/ebc2

Production URL:

https://admin.smartpayfuse.barclaycard/ebc2/

If you are unable to access this page, contact your sales representative.

In the Smartpay Fuse Portal, go to the left navigation panel and choose Payment Configuration
> Unified Checkout
.

You must have

Click to Pay

enabled as a digital payment method in order to use this method of authentication. Click Manage
to view the digital payment methods that you have enabled.

If

Click to Pay

is not enabled, click On
next to

Click to Pay

.

Click Set up
under Value Added Solutions. The Value Added Solutions page appears.

Click Set up
to set up 3-D Secure. The 3DS page appears.

Enter the required information in the Merchant Details section. You must enter the information that is provided to you by

Barclays

.

Step Result

This completes the authentication setup for the entered acquirer merchant ID and BIN. If you do not know what these values are, you must contact

Barclays

. Completing this information enables Barclays to send Visa the information that is required for authentication.

IMPORTANT

Charges for 3-D Secure may apply. You must speak with your acquirer for more information about the charges associated with 3-D Secure.

Authentication Methods

Barclays recommends that you review the response in the transient token and compare it with the information below in order to determine the authentication status.

For more information about transient tokens, see Transient Tokens.

This table describes the possible authentication results and the associated

processingInformation.commerceIndicator.value

field values in the transient token.

Responses for Visa `Click to Pay` Transactions for `Unified Checkout`
Authentication Result	`Unified Checkout` Commerce Indicator Value
Successful authentication	processingInformation.commerceIndicator.value field value set to VBV in the transient token.
No authentication	No commerce indicator in transient token.

For more information about the authentication methods that are supported for Visa, see this page: https://developer.visa.com/capabilities/visa-secure-remote-commerce/docs-use-cases

Authentication Test Cards

Use these test cards to test these authentication methods. Replace the X with a 0.

Authentication Test Cards
Authentication Method	Card Number	CVV	Expiration Date
`3-D Secure`/Passkey Challenge	43958XXX0449X11X	509	12/25
`3-D Secure`/Passkey Challenge	439584XXX282X11X	693	12/25
Frictionless	439584XX91X1XX11	676	12/25
Frictionless	439584XX9119XX11	789	12/25

`Click to Pay` Appendix

Client Version History

Below is a list of client versions and the features that are included in each version.

IMPORTANT

Barclays recommends that you use the most recent client version in your integration.

0.23: Accepts these card networks in the
allowedCardNetworks
field for manual card entry:
Carnet
Cartes Bancaires
China UnionPay with card verification value (CVV)
EFTPOS
ELO
JCrew PLCC
mada
Meeza; Ordering controls for the
allowedPaymentTypes
button.; De-coupling of PANENTRY from other payment types in the
allowedPaymentTypes
field.
0.24: Support for enabling combo cards in the capture context.; Support for eight-digit BINs.; Support for enabling card save in the capture context.
0.25: Addition of Skip Verification next time
in the Click to Pay payment flow.; Support for CPF in the capture context.
0.26: Support for auto-lookup in Click to Pay when an email is included in the capture context.; Inclusion of the
cardDetails
field object in the transient token response.; Support for the
authenticationStatus
field object in the transient token response.; Support for the complete mandate.
0.28: Complete mandate enhancement to support Payer Authentication for manual card entry for Visa, Mastercard, American Express, Discover, JCB, Cartes Bancaires, China UnionPay, and ELO card brands.; Support for PayPak as an
allowedCardNetwork
.; Auto-enrollment for Click to Pay in supported markets.; Removal of the confirm or continue screen for specific use cases.; Static button for Click to Pay flows.

JSON Web Tokens

JSON Web Tokens (JWTs) are digitally signed JSON objects based on the open standard RFC 7519. These tokens provide a compact, self-contained method for securely transmitting information between parties. These tokens are signed with an RSA-encoded public/private key pair. The signature is calculated using the header and body, which enables the receiver to validate that the content has not been tampered with. Token-based applications are best for applications that use browser and mobile clients.

A JWT takes the form of a string, consisting of three parts separated by dots:

Header

Payload

Signature

This example shows a JWT:

xxxxx.yyyyy.zzzzz

Reason Codes

A Unified Checkout request response returns one of the following reason codes:

Reason Codes
Reason Code	Description
200	Successful response.
201	Capture context created.
400	Bad request. Possible reason values: CAPTURE_CONTEXT_EXPIRED CAPTURE_CONTEXT_INVALID CREATE_TOKEN_TIMEOUT CREATE_TOKEN_XHR_ERROR INVALID_APIKEY SDK_XHR_ERROR SHOW_LOAD_CONTAINER_SELECTOR SHOW_LOAD_INVALID_CONTAINER SHOW_PAYMENT_TIMEOUT SHOW_TOKEN_TIMEOUT SHOW_TOKEN_XHR_ERROR UNIFIEDPAYMENT_PAYMENT_PARAMITERS UNIFIEDPAYMENTS_VALIDATION_FIELDS UNIFIEDPAYMENTS_VALIDATION_PARAMS
404	The specified resource not found in the system.
500	Unexpected server error.

Supported Countries for `Click to Pay`

Click to Pay is supported in these countries:

Argentina

Australia

Austria

Brazil

Bulgaria

Canada

China

Colombia

Costa Rica

Czech Republic

Denmark

Dominican Republic

Ecuador

El Salvador

Finland

France

Germany

Greece

Honduras

Hong Kong

Hungary

India

Indonesia

Ireland

Italy

Japan

Jordan

Kuwait

Malaysia

Mexico

Netherlands

New Zealand

Nicaragua

Norway

Panama

Paraguay

Peru

Poland

Qatar

Romania

Saudi Arabia

Singapore

Slovakia

Slovenia

South Africa

Spain

Sweden

Switzerland

Thailand

Ukraine

United Arab Emirates

United Kingdom

United States

Uruguay

Vietnam

Supported Locales

The locale field within the capture context request consists of an ISO 639 language code, an underscore (_), and an ISO 3166 region code. The locale controls the language in which the application is rendered. The following locales are supported:

ar_AE

bg_BG

ca_ES

cs_CZ

da_DK

de_AT

de_DE

el_GR

en_AU

en_CA

en_GB

en_IE

en_NZ

en_US

es_AR

es_CL

es_CO

es_ES

es_MX

es_PE

es_US

fi_FI

fr_CA

fr_FR

he_IL

hr_HR

hu_HU

id_ID

it_IT

ja_JP

km_KH

ko_KR

lo_LA

ms_MY

nb_NO

nl_NL

pl_PL

pt_BR

ro_RO

ru_RU

sk_SK

sl_SI

sv_SE

th_TH

tl_PH

tr_TR

vi_VN

zh_CN

zh_HK

zh_MO

zh_SG

zh_TW

Enrolling in Google Pay

Google Pay is a digital payment product offered by Google through Chrome browsers and Android devices.

Follow these steps to enroll in Google Pay on Unified Checkout:

Navigate to

Payment Configuration > Unified Checkout

.

In the Google Pay section, click Set Up
.

Enter your business name.

Click

Submit

.

You can now accept digital payments with Google Pay.

AFTER COMPLETING THE TASK

IMPORTANT

When you enable Google Pay on Unified Checkout, you can specify an optional parameter that defines the types of credentials that Google Pay sends you. See Managing Google Pay Authentication Types.

Capture Context API

The capture context request contains all of the merchant-specific parameters that tell the front-end JavaScript library what to do within your payment experience.

The capture context is a signed JSON Web Token (JWT) containing this information:

Merchant-specific parameters that dictate the customer payment experience for the current payment transaction.

A one-time public key that secures the information flow during the current payment transaction.

The capture context request includes these fields:

allowedCardNetworks

allowedPaymentTypes

clientVersion

targetOrigins

transientTokenResponseOptions.includeCardPrefix

completeMandate

For information on JSON Web Tokens, see JSON Web Tokens.

Target Origin: The target origin is defined by the scheme (protocol), hostname (domain), and port number (if used).

You must use the https:// protocol. Sub domains must also be included in the target origin.

Any valid top-level domains, such as .com, .co.uk, and .gov.br, are supported. Wildcards are not supported.

For example, if you are launching Unified Checkout on example.com, the target origin could be any of the following:

https://example.com
https://subdomain.example.com
https://example.com:8080

You can define the payment cards and digital payments that you want to accept in the capture context.
Allowed Card Networks: Use the
allowedCardNetworks
field to define the card types.

These card networks are available for card entry:
American Express
Cartes Bancaires
Carnet
China UnionPay
Diners Club
Discover
EFTPOS
ELO
JCB
JCrew
mada
Maestro
Mastercard
Meeza
PayPak
Visa

To support dual-branded or co-badged cards, you must list your supported card type values for the
allowedCardNetworks
field based on your preference for processing card numbers. For example, if a card is dual-branded as Visa and Cartes Bancaires, and Cartes Bancaires is listed first, the card type is set to Cartes Bancaires after the card number is entered in your Unified Checkout card collection form. For information on dual-branded or co-badged cards, see Dual-Branded Cards.

Allowed Payment Types: You can specify the type of Unified Checkout digital payment methods that you want to accept in the capture context.; Use the
allowedPaymentTypes
field to define the payment type:
APPLEPAY
CHECK
CLICKTOPAY
GOOGLEPAY
PANENTRY
PAZE
AFTERPAY
IDEAL
MULTIBANCO
IMPORTANT

Click to Pay accepts American Express, Mastercard, and Visa for saved cards. Visa and Mastercard tokenize payment credentials using network tokenization for all Click to Pay requests. Click to Pay uses Click to Pay Token Requester IDs (TRIDs) rather than your existing TRIDs to generate network tokens.
For more information on enabling and managing these digital payment methods, see these topics:
Enrolling in Apple Pay
Enabling Click to Pay
Enrolling in Google Pay
Complete Mandate: The complete mandate feature provides service orchestration within Unified Checkout and simplifies your integration. Service orchestration enables Unified Checkout to orchestrate services on your behalf. The complete mandate feature provides instructions to the
unifiedPayment.complete()
method in the JavaScript SDK. You must include the
completeMandate
field object in your capture context to enable Unified Checkout to initiate services on your behalf from the browser.

The complete mandate feature is defined by three fields:
completeMandate.type
: This field is used to indicate how a payment should be processed.
Possible values:
AUTH
: Authorize the payment and capture the funds at a later date.
CAPTURE
: Perform a sale.
PREFER_AUTH
: Perform an authorization if possible. If a payment method requires the funds to be captured immediately, then Unified Checkout captures the payment.
completeMandate.decisionManager
: This field determines whether Decision Manager should be used. To use this field, you must also include
complete.Mandate.type
in your request. When this field is set to
true
, both Decision Manager and device fingerprinting services are run. When Decision Manager runs, it uses the associated Decision Manager instance based on the merchant ID that is configured for the request. When this field is set to
false
or is not included in the request, Decision Manager and device fingerprinting services do not run.
completeMandate.consumerAuthentication
: This field determines whether Payer Authentication should be used. To use this field, you must also include
complete.Mandate.type
in your request. When this field set to
true
, Payer Authentication runs. When this field is set to
false
or is not included in the request, Payer Authentication does not run.
Consumer authentication is available for these card types:
American Express
Cartes Bancaires
China UnionPay
Discover
ELO
JCB
Mastercard
Visa
Include Card Prefix: You can control the length of the card number prefix to be received in the response to the capture context
/sessions
request:
Six digits
Eight digits
No prefix
To specify your preferred card number prefix length, include or exclude the
transientTokenResponseOptions.includeCardPrefix
field in the capture context
/sessions
request.; To receive a six-digit card number prefix in the response, follow this step:

Do not
include the
transientTokenResponseOptions.includeCardPrefix
field in the capture context
/sessions
request.

This example shows how a six-digit card number prefix
411111
is returned in the transient token response:
"maskedValue" : "XXXXXXXXXXXX1111”, "bin" : "411111"; To receive an eight-digit card number prefix in the response, follow this step:

Include the
transientTokenResponseOptions.includeCardPrefix
field in the capture context request, and set the value to
true
.
IMPORTANT

This PCI DSS requirement applies only to card numbers longer than 15 digits and only for Discover, JCB, Mastercard, UnionPay, and Visa brands.
If the card type entered is not part of these brands, a six-digit card number prefix is returned instead.
If the card type entered is not part of these brands but is co-branded
with these brands, an eight-digit card number prefix is returned.
This example shows how an eight-digit card prefix
41111102
is returned in the transient token response:
"maskedValue" : "XXXXXXXXXXXX1111”, "prefix" : "41111102"; To not receive a card number prefix in the response, follow this step:

Include the
transientTokenResponseOptions.includeCardPrefix
field in the capture context request, and set the value to
false
.

This example shows how a card number is returned without a card number prefix in the transient token response:
"maskedValue" : "XXXXXXXXXXXX1111"; Best practice:
If your application does not require card number prefix information for routing or identification, Barclays recommends that you include the
transientTokenResponseOptions.includeCardPrefix
field in the capture context request and set its value to
false
. Doing so limits the exposure of payment data to only what is necessary for your processing needs.
For more information about PCI DSS, see
Frequently Asked Questions
on the PCI Security Standards Council site.

IMPORTANT

Barclays recommends that you dynamically parse the response for the fields that you are looking for when you integrate with Barclays APIs. Barclays may add additional fields in the future.

You must ensure that your integration can handle new fields that are returned in the response. Even though the underlying data structures do not change, you must also ensure that your integration can handle changes to the order in which the data is returned. Barclays uses semantic versioning practices, which enables you to retain backwards compatibility as new fields are introduced in minor version updates.

Client-Side Set Up

This section contains the information you need to set up the client side. You use the Unified Checkout JavaScript library to add the payment interface to your e-commerce site. It has two primary components:

The button widget, which lists the payment methods available to the customer.

The payment acceptance page, which captures payment information from the cardholder. You can set up the payment acceptance page to be embedded with your webpage or added as a sidebar.

Follow these steps to set up the client:

Load the JavaScript library.

Initialize the accept object, the capture context JWT. For information JSON Web Tokens, see JSON Web Tokens.

Initialize the unified payment object with optional parameters.

Show the button list or payment acceptance page or both.

Process the payment request using the instructions included within the capture mandate.

The response to these interactions is a transient token that you use to retrieve the payment information captured by the UI.

Server-Side Set Up

This section contains the information you need to set up your server. Initializing Unified Checkout within your webpage begins with a server-to-server call to the sessions API. This step authenticates your merchant credentials, and establishes how the Unified Checkout frontend components will function. The sessions API request contains parameters that define how Unified Checkout performs.

The server-side component provides this information:

A transaction-specific public key is used by the customer's browser to protect the transaction.

An authenticated context description package that manages the payment experience on the client side. It includes available payment options such as card networks, payment interface styling, and payment methods.

The functions are compiled in a JSON Web Token (JWT) object referred to as the capture context
. For information JSON Web Tokens, see JSON Web Tokens.

Managing Google Pay Authentication Types

Additional controls are available for Google Pay on Unified Checkout. When you enable Google Pay on Unified Checkout, you can specify optional parameters that define the types of card authentication you receive from Google Pay.

To manage the types of credentials that Google Pay sends, use this expanded payment type object within the

allowedPaymentTypes

section of the sessions request:

{
  "type": "GOOGLEPAY",
  "options": { "allowedAuthMethods": "<authentication type>"
  }
}

The expanded payment type object has these parameters:

type

: Defines the type of payment option.

options

: Contains specific payment types parameters.

For Google Pay, use the new data element

allowedAuthMethods

within the

options

section of the payment types object to specify the authentication type you will receive from Google Pay. Possible values:

PAN_ONLY

: Google returns primary account number (PAN) values

CRYPTOGRAM_3DS

: Google returns fully authenticated network token values.

By default, Google sends both authentication types.

REST Example: Specify Only PAN Authentication Accepted from Google

This sessions request example specifies that Google Pay is to send only PAN values.

"allowedPaymentTypes": [
  "PANENTRY" {
    "type": "GOOGLEPAY",
    "options": {
      "allowedAuthMethods": "PAN_ONLY"
    }
  },
  "CLICKTOPAY",
  "PAZE"
]

REST Example: Simple Google Pay Request

This sessions request example specifies that Google Pay can send all authentication types.

"allowedPaymentTypes": [
  "PANENTRY",
  "GOOGLEPAY",
  "CLICKTOPAY",
  "PAZE",
  "CHECK"
]

Preparing a Device for Testing Apple Pay on `Unified Checkout`

In order to run an end-to-end test of the Apple Pay service on Unified Checkout, you must prepare an Apple test device by loading Apple Pay test cards onto the device.

Follow these steps to prepare your Apple test device for end-to-end testing:

Make sure your Apple Developer account is configured for Apple Pay.

Register your Apple Pay test device with Apple.

Load Apple Pay test cards onto your Apple test device.

ADDITIONAL INFORMATION

The Apple Developer center provides the instructions in the Sandbox Testing page for Apple Pay:

Follow the steps described in

Create a Sandbox Tester Account

.

Follow the steps described in

Adding a Test Card Number

.

Capture Context

This section contains the information you need to set up your server. Initializing Unified Checkout within your webpage begins with a server-to-server call to the sessions API. This step authenticates your merchant credentials, and establishes how the frontend components will function. The sessions API request contains parameters that define how Unified Checkout performs.

The server-side component provides this information:

A transaction-specific public key is used by the customer's browser to protect the transaction.

An authenticated context description package that manages the payment experience on the client side. It includes available payment options such as card networks, payment interface styling, and payment methods.

The functions are compiled in a JSON Web Token (JWT) object referred to as the capture context
.

For information on JWTs see JSON Web Tokens.

The capture context request is a signed JSON Web Token (JWT) that includes all of the merchant-specific parameters. This request tells the frontend JavaScript library how to behave within your payment experience. The request provides authentication, one-time keys, the target origin to the Unified Checkout integration in addition to allowed card networks and payment types. The capture context request includes these elements:

allowedCardNetworks

allowedPaymentTypes

clientVersion

targetOrigin

completeMandate

Use the

targetOrigins

and the

allowedPaymentTypes

fields to define the target origin and the accepted digital payment methods in your capture context. Use the

comppleteMandate

to orchestrate follow-on services such as Payments, Decision Manager, and Payer Authentication. For example:

{
  "clientReferenceInformation": {
    "code": "TAGX001"
  },
  "targetOrigins": [
    "https://www.test.com"
  ],
  "clientVersion": "0.28",
  "allowedCardNetworks": [
    "VISA",
    "MASTERCARD",
    "AMEX"
  ],
  "allowedPaymentTypes": [
    "PANENTRY",
    "CLICKTOPAY",
    "GOOGLEPAY"
  ],
  "country": "US",
  "locale": "en_US",
  "captureMandate": {
    "billingType": "FULL",
    "requestEmail": true,
    "requestPhone": true,
    "requestShipping": true,
    "shipToCountries": [
      "US",
      "GB"
    ],
    "showAcceptedNetworkIcons": true
  },
  "orderInformation": {
    "amountDetails": {
      "totalAmount": "1.01",
      "currency": "USD"
    }
  },
  "completeMandate": {
    "type": "CAPTURE",
    "decisionManager": true,
    "consumerAuthentication": true
  }
}

This diagram shows how elements of the capture context request appear in the card entry form.

Image of the capture context request code and how it appears in the
entry form elements. — Anatomy of a Manual Card Entry Form

Enrolling in Apple Pay

Apple Pay is a digital payment service that enables users to make secure and convenient transactions using their Apple devices. Users can add their credit or debit cards to the Wallet app and use them to pay online or in apps in a safe and convenient consumer experience.

To enable Apple Pay you must first host a public certificate on your web page and then pass your merchant name and domain name to Apple. Apple crawls out to your web page to validate the presence of this certificate to ensure the web pages are properly vetted and registered with Apple.

Follow these steps to validate your domain and enroll in Apple Pay:

Navigate to

Payment Configuration > Unified Checkout

.

In the Apple Pay section, click Set Up
.

Follow the link to download the certificate.

Upload the apple-developer-merchantid-domain-association
certificate file to your web server at:

/.well-known/apple-developer-merchantid-domain-association

You must verify that the file is accessible through HTTPS. You can validate this by visiting

https://<your-domain>/.well-known/apple-developer-merchantid-domain-association

.

Click

Verify Domain

.

Enter the domain name where you are hosting Apple Pay. This must be the same domain to which you uploaded the public certificate.

Your domain is now verified for Apple Pay.

AFTER COMPLETING THE TASK

IMPORTANT

In order to run an end-to-end test of the Apple Pay service on Unified Checkout, you must perform additional setup steps. See Preparing a Device for Testing Apple Pay on Unified Checkout.

Managing Permissions as
an Administrator

Follow these steps to configure and manage user permissions in the Smartpay Fuse Portal for Unified Checkout as a portfolio administrator:

On the left navigation panel, navigate to

Account Management

.

Click

Roles

to see a list of your user roles.

Click the pencil icon next to the user role that you want to update.

Click

Payment Configuration Permission

.

Select the relevant permission for the specific user role you are editing. You can choose from these Unified Checkout permissions:

Unified Checkout View

Unified Checkout Manage

Unified Checkout Portfolio View (available for portfolio users only)

Unified Checkout Portfolio Manage (available for portfolio users only)

IMPORTANT

If all permissions are left unselected, the user has restricted permission. A no access
message appears when the user tries to access the Unified Checkout digital product enablement pages. The user is advised to contact a customer representative.

If a portfolio user has view permissions and does not have a management role, they can access the Unified Checkout pages, but they cannot modify toggles for different digital payments.

Click to Pay Developer Guide

Recent Revisions to This Document

25.08.01

Introduction to Click to Pay

Click to Pay Flow

Figure:

Enabling Unified Checkout in the Smartpay Fuse Portal

Server-Side Set Up

Capture Context

Client-Side Set Up

Loading the JavaScript Library and Invoking the Accept Function

JavaScript Example: Initializing the SDK

JavaScript Example: Displaying the Button List

Adding the Payment Application and Payment Acceptance

JavaScript Example: Setting Up with Full Sidebar

JavaScript Example: Setting Up with the Embedded Component

Transient Tokens

Transient Token Format

Token Verification

Dual-Branded Cards

Capture Context API

Features

Requesting the Capture Context

Endpoint

Required Fields for Requesting the Capture Context

Required Fields for Requesting the Capture Context

Required Fields for Enabling the Save Card Feature

REST Example: Requesting the Capture Context

Validating the Capture Context

Payment Details API

Endpoint

Required Field for Retrieving Transient Token Payment Details

REST Example: Retrieving Transient Token Payment Details

Payment Credentials API

Returned Credentials

Endpoint

Required Field for Retrieving Payment Credentials

REST Example: Retrieving Payment Credentials

Unified Checkout Configuration

Upload Your Encryption Key

Generate a Public Private Key Pair

Uploading Your Key Pair

Enable Click to Pay

Enabling Click to Pay

Manage Permissions

Test Your Click to Pay Configuration

Test Payment Details

Visa Click to Pay Test Cards

Mastercard Click to Pay Test Cards

Customer Authentication

Visa Prerequisites

Authentication Flow

Set Up Customer Authentication for Visa

Step Result

Authentication Methods

Authentication Test Cards

Click to Pay Appendix

Client Version History

JSON Web Tokens

Reason Codes

Supported Countries for Click to Pay

Supported Locales

Enrolling in Google Pay

AFTER COMPLETING THE TASK

Capture Context API

Client-Side Set Up

Server-Side Set Up

Managing Google Pay Authentication Types

Preparing a Device for Testing Apple Pay on Unified Checkout

ADDITIONAL INFORMATION

Capture Context

Figure:

Enrolling in Apple Pay

AFTER COMPLETING THE TASK

Managing Permissions as an Administrator

`Click to Pay` Developer Guide

Introduction to
`Click to Pay`

`Click to Pay` Flow

Enabling `Unified Checkout` in the `Smartpay Fuse Portal`

`Unified Checkout` Configuration

Enable `Click to Pay`

Enabling `Click to Pay`

Test Your `Click to Pay` Configuration

Visa `Click to Pay` Test Cards

Mastercard `Click to Pay` Test Cards

`Click to Pay` Appendix

Supported Countries for `Click to Pay`

Preparing a Device for Testing Apple Pay on `Unified Checkout`

Managing Permissions as
an Administrator