Authentication

X-pay Token

Some Visa Developer APIs require an API Key-Shared Secret Authentication, which Visa refers to as x-pay-token. To invoke an API using x-pay-token, you will need an API Key and a Shared Secret, which is provided via the link below.

Visit the X-pay Token Guide to learn more.

Encryption

Visa In-App Provisioning APIs require inbound and outbound encryption of certain sensitive data such as PAN and address. Field Level Encryption (FLE) is used for this purpose both on the incoming messages from the client to Visa and outgoing messages from Visa to the client. All the data elements in the request and response payloads that have the prefix "enc" are encyrpted, for e.g. 'encCard'. JSON Web Encryption (JWE) is used and all necessary fields should be encrypted before sending it in the API request and decrypted from the API response before consuming using the JWE utility. Both asymmetric and symmetric keys are supported on JWE. The corresponding key ID and shared secret are assigned to the client during onboarding. 

For asymmetric keys, during onboarding both Visa and the client would share their public keys. Client will encrypt all necessary fields in the request payload using Visa's public key and Visa will decrypt these fields using its corresponding private key. Similarly Visa will encrypt all necessary fields in the response payload using the client's public key and client will decrypt these fields using their private key. 

For symmetric keys, the shared secret will be generated and provided by Visa during onboarding. Client and Visa will encrypt/decrypt all necessary fields in the request/response payload using this.

Clients need to follow these steps in order to encrypt/decrypt these fields:

  • Get the necessary software library that supports AES GCM mode encryption in client preferred programming languages (e.g. Java, PHP, C#, etc.) for software development. 
  • When the request payload data to Visa is to be sent,
    • Identify the data fields that requires encryption, i.e field names that start with prefix "enc"
    • Add the "Key ID" to the header
    • Encrypt the value in the fields using “Key ID” and "shared secret"
  • When the response payload data from Visa is received,
    • Identify the data fields that requires decryption, i.e field names that start with prefix "enc"
    • Parse the encrypted value using the software library and extract “Key ID” from the header
    • Use “Key ID” to fetch the corresponding shared secret required for decryption. Note: client may have more than one “Key ID” and “shared secret” from Visa stored in their system due to key management
    • Decrypt the encrypted data field using the shared secret to get the field value.