Search Tokens

Request to find token records that match the query. If the token records span across pages, you can limit the results returned per page and retrieve the next set of results using subsequent requests.

GET https://na.gateway.mastercard.com/api/rest/version/35 / merchant / {merchantId} / tokenSearch

Authentication Copied to clipboard

This operation requires authentication via one of the following methods:


  • Certificate authentication.
  • Basic HTTP authentication as described at w3.org. Provide 'merchant.<your gateway merchant ID>' in the userid portion and your Reporting API password in the password portion.

Request Copied to clipboard

URL Parameters Copied to clipboard

{merchantId} Copied to clipboard Alphanumeric + additional characters REQUIRED

The unique identifier issued to you by your payment provider.


Data may consist of the characters 0-9, a-z, A-Z, '-', '_'

Min length: 1 Max length: 40

Fields Copied to clipboard

To view the optional fields, please toggle on the "Show optional" setting.

correlationId Copied to clipboard String

A transient identifier for the request, that can be used to match the response to the request.

The value provided is not validated, does not persist in the gateway, and is returned as provided in the response to the request.

Data can consist of any characters

Min length: 1 Max length: 100
limit Copied to clipboard Integer

The maximum number of records that you want returned in one page.

If you omit this value, the gateway will limit the page to a reasonable size.

JSON number data type, restricted to being positive or zero. In addition, the represented number may have no fractional part.

Min value: 1 Max value: 1000
nextPage Copied to clipboard String

Provide this field on subsequent search requests, i.e. if the query matches many records and the search results span across pages.

When initiating the query, you must omit this field (or set it to an empty string), and specify only the query field. To get any subsequent pages, set this field to the value of the nextPage field returned in the previous search response.

Data can consist of any characters

Min length: 1 Max length: 4000
query Copied to clipboard String

A JSON formatted query request that must be provided on an initial search request.

The field is ignored when included in subsequent requests to retrieve the next set of results.

The syntax for token queries supports:

  • Operators: EQ
  • Fields: sourceOfFunds.provided.card.number, sourceOfFunds.provided.giftCard.number, sourceOfFunds.provided.ach.accountIdentifier, token, sourceOfFunds.provided.card.expiry
  • Operators: GT
  • Fields: usage.lastUpdated
  • Operators: LE
  • Fields: sourceOfFunds.provided.card.expiry

Examples:

  • Search for token:

    {"EQ":["token","GD1209-0160 0149 0098 6248"]}

  • Search for card:

    {"EQ":["sourceOfFunds.provided.card.number","4111111111111111"]}

  • Search for gift card:

    {"EQ":["sourceOfFunds.provided.giftCard.number","4111111111111111"]}

  • Search for ACH payment details:

    {"EQ":["sourceOfFunds.provided.ach.accountIdentifier","123123123/1234567890123456"]}

  • Search for card expiry(MMYY):

    {"EQ":["sourceOfFunds.provided.card.expiry","0517"]}

    {"LE":["sourceOfFunds.provided.card.expiry","0517"]}

  • Search for updated tokens:

    {"GT":["usage.lastUpdated","2014-10-31T03:11:53Z"]}

Data can consist of any characters

Min length: 1 Max length: 4000

Response Copied to clipboard

Fields Copied to clipboard

correlationId Copied to clipboard String

A transient identifier for the request, that can be used to match the response to the request.

The value provided is not validated, does not persist in the gateway, and is returned as provided in the response to the request.

Data can consist of any characters

Min length: 1 Max length: 100
nextPage Copied to clipboard String

If this field is present, it indicates that the gateway may have more results to return.

Provide the value in this field in the nextPage field on the request to get more results.

This field will be absent if the gateway has no more results to return.

Data can consist of any characters

Min length: 1 Max length: 4000
page Copied to clipboard

Subset of the tokens that matched the search query.

Provide the value in the returned nextPage field in subsequent requests to get the next set of tokens.

page.token[n] Copied to clipboard

Subset of the tokens that matched the search query.

Use returned iterator value in subsequent requests to get more results.

page.token[n].repositoryId Copied to clipboard ASCII Text

Unique identifier of the token repository.

Token repositories can be shared across merchants; however, a single merchant can be associated with only one token repository at a given time. Every token repository has a corresponding test token repository, which only the merchants with the corresponding test profiles can access. For example, if the repository ID is ABC, the test repository ID will be TestABC. Hence, the system displays an error if you specify a repository ID that starts with 'Test'

Data consists of ASCII characters

Min length: 1 Max length: 16
page.token[n].sourceOfFunds Copied to clipboard

Details about the source of the funds for this payment.

page.token[n].sourceOfFunds.provided Copied to clipboard

The details of the source of funds when they are directly provided as opposed to via a token or session.

page.token[n].sourceOfFunds.provided.ach Copied to clipboard

ACH account details.

page.token[n].sourceOfFunds.provided.ach.accountIdentifier Copied to clipboard String

The unique identifier of the routing number and bank account at the receiving financial institution.

Retrieve this information from the payer.

Data can consist of any characters

Min length: 19 Max length: 27
page.token[n].sourceOfFunds.provided.ach.accountType Copied to clipboard Enumeration

An indicator identifying the type of bank account.

  • Consumer (checking or savings), or
  • Business

For pre-arranged payments (sourceOfFunds.provided.ach.secCode=PPD) retrieve this information from the payer.

If payments were telephone-initiated (sourceOfFunds.provided.ach.secCode=TEL) or internet-initiated (sourceOfFunds.provided.ach.secCode=WEB) you may choose to limit the payer's options (e.g. only support consumer checking accounts), depending on your type of business (e.g. B2C online webshop).

Value must be a member of the following list. The values are case sensitive.

CONSUMER_CHECKING

Consumer Checking Account

CONSUMER_SAVINGS

Consumer Savings Account

CORPORATE_CHECKING

Business Checking Account

page.token[n].sourceOfFunds.provided.ach.bankAccountHolder Copied to clipboard String

The name of the bank account holder, as it appears on the account at the receiving financial institution.

Retrieve this information from the payer.

Data can consist of any characters

Min length: 1 Max length: 28
page.token[n].sourceOfFunds.provided.ach.bankAccountNumber Copied to clipboard Digits

The identifier of the bank account at the receiving financial institution.

Retrieve this information from the payer.

Data is a string that consists of the characters 0-9.

Min length: 9 Max length: 17
page.token[n].sourceOfFunds.provided.ach.routingNumber Copied to clipboard Digits

The identifier of the receiving financial institution.

Also known as:

  • Routing number,
  • Transit number, or
  • ABA number

Retrieve this information from the payer.

See also http://en.wikipedia.org/wiki/Routing_transit_number.

Data is a string that consists of the characters 0-9.

Min length: 9 Max length: 9
page.token[n].sourceOfFunds.provided.ach.secCode Copied to clipboard Enumeration

Identifies the Standard Entry Class (SEC) code to be sent to the issuer.

The SEC is defined by NACHA and describes the origin and intent of the payment. For details please refer to https://www.nacha.org/.

Value must be a member of the following list. The values are case sensitive.

PPD

An ACH debit or credit payment (B2C) that has been authorized by an authenticated customer in written form (signed or similarly authenticated). PPD is used for pre-arranged payments (e.g. employee payroll, mortgage payments, expense reimbursement).

TEL

An ACH debit payment (B2C) that has been authorized by an authenticated customer via phone. TEL may only be used if a relationship already exists between you and the consumer, or, the consumer initiates the contact with you.

WEB

An ACH debit payment (B2C) that has been authorized by an authenticated customer via the internet or a wireless network.

page.token[n].sourceOfFunds.provided.card Copied to clipboard

Details as shown on the card.

page.token[n].sourceOfFunds.provided.card.brand Copied to clipboard Enumeration ALWAYS PROVIDED

The brand name used to describe the card that is recognized and accepted globally.

For many major card types this will match the scheme name. In some markets, a card may also be co-branded with a local brand that is recognized and accepted within its country/region of origin (see card.localBrand).
You may use this information to support surcharging decisions. This information is gathered from 3rd party sources and may not be accurate in all circumstances.

Value must be a member of the following list. The values are case sensitive.

AMEX

American Express

CHINA_UNIONPAY

China UnionPay

DINERS_CLUB

Diners Club

DISCOVER

Discover

JCB

JCB (Japan Credit Bureau)

LOCAL_BRAND_ONLY

The card does not have a global brand.

MAESTRO

Maestro

MASTERCARD

MasterCard

RUPAY

RuPay

UATP

UATP (Universal Air Travel Plan)

UNKNOWN

The brand of the card used in the transaction could not be identified

VISA

Visa

page.token[n].sourceOfFunds.provided.card.expiry Copied to clipboard Digits ALWAYS PROVIDED

Expiry date as shown on the card in the format MMYY where months are numbered, so that for January MM=01, through to December MM=12 and the Common Era year is 2000 plus the value YY

Data is a string that consists of the characters 0-9.

Min length: 4 Max length: 4
page.token[n].sourceOfFunds.provided.card.fundingMethod Copied to clipboard Enumeration ALWAYS PROVIDED

The method used by the payer to provide the funds for the payment.

You may use this information to support surcharging decisions. This information is gathered from 3rd party sources and may not be accurate in all circumstances.

Value must be a member of the following list. The values are case sensitive.

CHARGE

The payer has a line of credit with the issuer which must be paid off monthly.

CREDIT

The payer has a revolving line of credit with the issuer.

DEBIT

Funds are immediately debited from the payer's account with the issuer.

UNKNOWN

The account funding method could not be determined.

page.token[n].sourceOfFunds.provided.card.localBrand Copied to clipboard String

The brand name used to describe a card that is recognized and accepted within its country/region of origin.

The card may also be co-branded with a brand name that is recognized and accepted globally (see card.brand).
You may use this information to support surcharging decisions. This information is gathered from 3rd party sources and may not be accurate in all circumstances.

Data can consist of any characters

Min length: 3 Max length: 50
page.token[n].sourceOfFunds.provided.card.number Copied to clipboard Masked digits

The account number embossed onto the card.

The number will be masked according to your masking settings and how you authenticated your call to the API.

If you authenticated using certificate authentication, then your masking settings will be used. This allows you to return unmasked card numbers if you have chosen not to apply masking.

If you authenticated to the API by a means other than certificate authentication, then the card number will be returned with your masking settings or 6.4; whichever is more restrictive for example, 000000xxxxxx0000.

Data is a string that consists of the characters 0-9, plus 'x' for masking

Min length: 9 Max length: 19
page.token[n].sourceOfFunds.provided.card.scheme Copied to clipboard Enumeration

The organization that owns a card brand and defines operating regulations for its use.

The card scheme also controls authorization and settlement of card transactions among issuers and acquirers.

Value must be a member of the following list. The values are case sensitive.

AMEX

American Express

CHINA_UNIONPAY

China UnionPay

DINERS_CLUB

Diners Club

DISCOVER

Discover

JCB

JCB (Japan Credit Bureau)

MASTERCARD

MasterCard

OTHER

The scheme of the card used in the transaction could not be identified.

RUPAY

RuPay

UATP

UATP (Universal Air Travel Plan)

VISA

Visa

page.token[n].sourceOfFunds.provided.giftCard Copied to clipboard

Details as shown on the card.

page.token[n].sourceOfFunds.provided.giftCard.brand Copied to clipboard Enumeration ALWAYS PROVIDED

The brand name used to describe the card that is recognized and accepted globally.

For many major card types this will match the scheme name. In some markets, a card may also be co-branded with a local brand that is recognized and accepted within its country/region of origin (see card.localBrand).
You may use this information to support surcharging decisions. This information is gathered from 3rd party sources and may not be accurate in all circumstances.

Value must be a member of the following list. The values are case sensitive.

LOCAL_BRAND_ONLY

The card does not have a global brand.

page.token[n].sourceOfFunds.provided.giftCard.localBrand Copied to clipboard String

The brand name used to describe a card that is recognized and accepted within its country/region of origin.

The card may also be co-branded with a brand name that is recognized and accepted globally (see card.brand).
You may use this information to support surcharging decisions. This information is gathered from 3rd party sources and may not be accurate in all circumstances.

Data can consist of any characters

Min length: 1 Max length: 50
page.token[n].sourceOfFunds.provided.giftCard.number Copied to clipboard Masked digits

The account number embossed onto the card.

By default, the card number will be returned in 6.4 masking format, for example, 000000xxxxxx0000.If you wish to return unmasked card numbers, you must have the requisite permission, set responseControls.sensitiveData field to UNMASK, and authenticate your call to the API using certificate authentication.

Data is a string that consists of the characters 0-9, plus 'x' for masking

Min length: 9 Max length: 19
page.token[n].sourceOfFunds.provided.giftCard.pin Copied to clipboard Masked digits

PIN number for the gift card.

Data is a string that consists of the characters 0-9, plus 'x' for masking

Min length: 4 Max length: 8
page.token[n].sourceOfFunds.provided.giftCard.scheme Copied to clipboard Enumeration

The organization that owns a card brand and defines operating regulations for its use.

The card scheme also controls authorization and settlement of card transactions among issuers and acquirers.

Value must be a member of the following list. The values are case sensitive.

OTHER

The scheme of the card used in the transaction could not be identified.

page.token[n].sourceOfFunds.type Copied to clipboard Enumeration

The payment method your payer has chosen for this payment.

Value must be a member of the following list. The values are case sensitive.

ACH

The payer chose to pay using an electronic fund transfer, to be processed via the Automated Clearing House (ACH) Network. You must provide the payer's bank account details and information about the type of ACH payment under the sourceOfFunds.provided.ach parameter group.

CARD

The payer selected to pay using a credit or debit card. The payer's card details must be provided.

GIFT_CARD

The payer chose to pay using gift card. The payer's gift card details must be provided under the sourceOfFunds.provided.giftCard parameter group.

page.token[n].status Copied to clipboard Enumeration ALWAYS PROVIDED

A token is marked as invalid, if an Account Updater response indicates, that the card details stored against the token are invalid.

Transaction requests using an invalid token are rejected by the gateway.

You can clear an invalid status by updating the card details stored against the token.

To use the Account Updater functionality you must sign up for this feature with your acquirer and ask your payment service provider to enable Account Updater on our merchant acquirer link(s).

Value must be a member of the following list. The values are case sensitive.

INVALID

The payment details stored against the token have been identified as invalid. The gateway will reject operation payment requests using this token.

VALID

The payment details stored against the token are considered to be valid. The gateway will attempt to process operation requests using this token.

page.token[n].token Copied to clipboard Alphanumeric

Uniquely identifies a card and associated details.

The format of this token id depends on the Tokenization Strategy configured for the merchant:

  • RANDOM_WITH_LUHN: Token is 16 digits long, starts with 9, and is in the format of 9nnnnnnnnnnnnnnC, where n represents any number, and C represents a check digit such that the token will conform to the Luhn algorithm.
  • PRESERVE_6_4: The first 6 and last 4 digits of the token are the same as the first 6 and last 4 digits of the provided card number, middle digits are randomized, the token id does NOT conform to Luhn algorithm.
  • MERCHANT_PROVIDED: The merchant must supply the token id in the Save request

Data may consist of the characters 0-9, a-z, A-Z

Min length: 1 Max length: 40
page.token[n].usage Copied to clipboard ALWAYS PROVIDED

Details about the token.

page.token[n].usage.lastUpdated Copied to clipboard DateTime

The timestamp indicating the time the token was last updated.

An instant in time expressed in ISO8601 date + time format - "YYYY-MM-DDThh:mm:ss.SSSZ"

page.token[n].usage.lastUpdatedBy Copied to clipboard Alphanumeric + additional characters

If the token was last updated by a merchant, the identifier of the merchant is provided.

If the token was last updated by the Token Maintenance Service, the field will not be provided in the response.

Data may consist of the characters 0-9, a-z, A-Z, '-', '_', ' ', '&', '+', '!', '$', '%', '.'

Min length: 1 Max length: 40
page.token[n].usage.lastUsed Copied to clipboard DateTime

The timestamp indicating the time the gateway considers the token to have been last used for an order.

An instant in time expressed in ISO8601 date + time format - "YYYY-MM-DDThh:mm:ss.SSSZ"

page.token[n].verificationStrategy Copied to clipboard Enumeration

The strategy used to verify the card details before they are stored.

If not provided, the verification strategy set on your merchant profile by your payment provider will be used.

Value must be a member of the following list. The values are case sensitive.

ACQUIRER

The gateway verifies the card details by performing an authorization for a nominal amount (for example, $1.00). The card details are sent to the acquirer for verification. This method requires your merchant profile to be configured with ""Auth Then Capture"" transaction mode.

BASIC

The gateway validates the card number format and checks if the card number falls within a valid BIN range.

NONE

The gateway does not perform card verification.

result Copied to clipboard Enumeration ALWAYS PROVIDED

A system-generated high level overall result of the operation.

Value must be a member of the following list. The values are case sensitive.

FAILURE

The operation was declined or rejected by the gateway, acquirer or issuer

PENDING

The operation is currently in progress or pending processing

SUCCESS

The operation was successfully processed

UNKNOWN

The result of the operation is unknown

Errors Copied to clipboard

error Copied to clipboard

Information on possible error conditions that may occur while processing an operation using the API.

error.cause Copied to clipboard Enumeration

Broadly categorizes the cause of the error.

For example, errors may occur due to invalid requests or internal system failures.

Value must be a member of the following list. The values are case sensitive.

INVALID_REQUEST

The request was rejected because it did not conform to the API protocol.

REQUEST_REJECTED

The request was rejected due to security reasons such as firewall rules, expired certificate, etc.

SERVER_BUSY

The server did not have enough resources to process the request at the moment.

SERVER_FAILED

There was an internal system failure.

error.explanation Copied to clipboard String

Textual description of the error based on the cause.

This field is returned only if the cause is INVALID_REQUEST or SERVER_BUSY.

Data can consist of any characters

Min length: 1 Max length: 1000
error.field Copied to clipboard String

Indicates the name of the field that failed validation.

This field is returned only if the cause is INVALID_REQUEST and a field level validation error was encountered.

Data can consist of any characters

Min length: 1 Max length: 100
error.supportCode Copied to clipboard String

Indicates the code that helps the support team to quickly identify the exact cause of the error.

This field is returned only if the cause is SERVER_FAILED or REQUEST_REJECTED.

Data can consist of any characters

Min length: 1 Max length: 100
error.validationType Copied to clipboard Enumeration

Indicates the type of field validation error.

This field is returned only if the cause is INVALID_REQUEST and a field level validation error was encountered.

Value must be a member of the following list. The values are case sensitive.

INVALID

The request contained a field with a value that did not pass validation.

MISSING

The request was missing a mandatory field.

UNSUPPORTED

The request contained a field that is unsupported.

result Copied to clipboard Enumeration

A system-generated high level overall result of the operation.

Value must be a member of the following list. The values are case sensitive.

ERROR

The operation resulted in an error and hence cannot be processed.