Some Visa Developer APIs require API Key-Shared Secret authentication, which Visa refers to as x-pay-token. To invoke an API using x-pay-token, you will need an API Key and a Shared Secret, which are provided via the link below.
Visit the X-pay Token Guide to learn more.
Visa In-App Provisioning APIs require inbound and outbound encryption of certain sensitive data, such as the PAN and address. Field Level Encryption (FLE) is used for this purpose, both on incoming messages from the client to Visa and on outgoing messages from Visa to the client. All data elements in the request and response payloads that have the prefix "enc" are encrypted, e.g. 'encCard'. JSON Web Encryption (JWE) is used: using the JWE utility, all necessary fields should be encrypted before they are sent in the API request, and decrypted from the API response before they are consumed. Both asymmetric and symmetric keys are supported with JWE. The corresponding key ID and shared secret are assigned to the client during onboarding.
For asymmetric keys, Visa and the client share their public keys during onboarding. The client encrypts all necessary fields in the request payload using Visa's public key, and Visa decrypts these fields using its corresponding private key. Similarly, Visa encrypts all necessary fields in the response payload using the client's public key, and the client decrypts these fields using its private key.
For symmetric keys, the shared secret is generated and provided by Visa during onboarding. The client and Visa encrypt and decrypt all necessary fields in the request and response payloads using this shared secret.
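The asymmetric-key flow described above, as an added example that is not Visa's code or its JWE utility: one field is encrypted into a JWE compact string with the recipient's public key, and decrypted on the other side with algorithms and key ID pinned. Assumptions not taken from the page: the algorithms (RSA-OAEP-256 key wrap, A256GCM content encryption), the `accountNumber` field name, the `KID-PLACEHOLDER` key ID, the function names, and a locally generated key pair standing in for Visa's.

```javascript
const crypto = require('crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');
// Assumed algorithms; the page does not name the ones Visa requires.
const ALG = 'RSA-OAEP-256', ENC = 'A256GCM';
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt one field value into a JWE compact string (RFC 7516) for the recipient.
function encryptField(plaintext, recipientPublicKey, kid) {
  const header = b64u(JSON.stringify({ alg: ALG, enc: ENC, kid }));
  const cek = crypto.randomBytes(32); // fresh content-encryption key per field
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce, never reused with a CEK
  const wrapped = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, cek);
  const cipher = crypto.createCipheriv('aes-256-gcm', cek, iv);
  cipher.setAAD(Buffer.from(header, 'ascii')); // protected header is authenticated
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [header, b64u(wrapped), b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join('.');
}

// Decrypt a JWE compact string, rejecting unexpected algorithms or key IDs.
function decryptField(jwe, recipientPrivateKey, expectedKid) {
  const parts = jwe.split('.');
  if (parts.length !== 5) throw new Error('not a JWE compact serialization');
  const [header, wrapped, iv, ct, tag] = parts;
  const h = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
  // Pin alg, enc and kid instead of trusting whatever the header announces.
  if (h.alg !== ALG || h.enc !== ENC || h.kid !== expectedKid) {
    throw new Error('unexpected JWE header');
  }
  const cek = crypto.privateDecrypt(
    { key: recipientPrivateKey, ...OAEP }, Buffer.from(wrapped, 'base64url'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', cek, Buffer.from(iv, 'base64url'));
  decipher.setAAD(Buffer.from(header, 'ascii'));
  decipher.setAuthTag(Buffer.from(tag, 'base64url'));
  // final() throws if the header, ciphertext or tag was modified in transit.
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, 'base64url')), decipher.final()]);
  return pt.toString('utf8');
}

// Constructed demo: stand-in key pair, placeholder kid, well-known test PAN.
function demo() {
  const visa = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const card = JSON.stringify({ accountNumber: '4111111111111111' });
  const body = { encCard: encryptField(card, visa.publicKey, 'KID-PLACEHOLDER') };
  const roundTrip = decryptField(body.encCard, visa.privateKey, 'KID-PLACEHOLDER');
  return { body, roundTrip, visa };
}
```

Only the "enc"-prefixed field carries the JWE string; the rest of the request body stays plain JSON.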
Clients need to follow these steps in order to encrypt/decrypt these fields: