Merchant-Managed Apple Pay Decryption

Overview

By default, Coinflow handles the decryption of Apple Pay payment tokens on your behalf using certificates you provide. However, some merchants prefer to manage their own Apple Pay token decryption, for example, when they need to inspect or validate the token data before submitting it for payment processing.

With Merchant-Managed Decryption, you decrypt the Apple Pay token on your own server and pass the decrypted token data directly to Coinflow’s checkout API. Coinflow skips its own decryption step and processes the payment using the data you provide.

When to Use This

Use merchant-managed decryption when:

You already decrypt Apple Pay tokens on your own server for other purposes (e.g., fraud analysis, logging, multi-processor routing)
You need full control over the decryption process and key management
Your infrastructure requires inspecting the decrypted token before submitting it for processing

If you do not need to manage your own decryption, you can use Coinflow’s default decryption by providing your certificates to the Coinflow team. See How to Generate Apple Pay Certificates for details.

Prerequisites

Before integrating merchant-managed decryption, ensure you have:

An active Apple Pay integration with Coinflow
Your own Apple Pay Payment Processing Certificate and private key for decrypting tokens (see How to Generate Apple Pay Certificates)
The Merchant-Managed Decryption feature enabled on your Coinflow account

You must have the merchant-managed decryption feature enabled on your account before passing pre-decrypted tokens. If you submit a decrypted token without this feature enabled, the API will return a 403 Forbidden error. Contact your Coinflow integrations specialist to enable this feature.

Integration

Decrypt the Apple Pay token on your server

After receiving the Apple Pay payment token from the Apple Pay SDK, decrypt it on your server using your Payment Processing Certificate and private key. The decrypted token contains the payment credentials needed for processing.

For details on Apple’s token structure, refer to Apple’s Payment Token Format Reference.

Include the decrypted token in the checkout request

When calling the Coinflow checkout API, include the decrypted field on the applePayPayment object alongside the standard Apple Pay payment data.

The decrypted field must conform to the following structure:

Field	Type	Description
`applicationPrimaryAccountNumber`	`string`	The device-specific account number (DPAN)
`applicationExpirationDate`	`string`	The DPAN expiration date (format: `YYMMDD`)
`currencyCode`	`string`	The ISO 4217 currency code (e.g., `"840"` for USD)
`transactionAmount`	`number`	The transaction amount
`deviceManufacturerIdentifier`	`string`	The device manufacturer identifier
`paymentDataType`	`string`	The payment data type (e.g., `"3DSecure"`)
`paymentData.onlinePaymentCryptogram`	`string`	The payment cryptogram
`paymentData.eciIndicator`	`string` (optional)	The ECI indicator for the transaction

Submit the checkout request

Submit the checkout request as you normally would. Coinflow will use the decrypted token data you provided instead of performing its own decryption.

1 // Example: Apple Pay checkout request with a pre-decrypted token
2 // NOTE: The values below are EXAMPLES only and do not reflect real production values.
3 const checkoutRequest = {
4   subtotal: { cents: 1000, currency: "USD" },
5   applePayPayment: {
6     // Standard Apple Pay payment data from the Apple Pay SDK
7     token: {
8       paymentData: { /* ... encrypted payment data ... */ },
9       paymentMethod: {
10         displayName: "Visa 1234",
11         network: "Visa",
12         type: "debit"
13       },
14       transactionIdentifier: "ABC123..."
15     },
16     billingContact: {
17       givenName: "Jane",
18       familyName: "Doe",
19       addressLines: ["123 Main St"],
20       locality: "San Francisco",
21       // ... other billing contact fields
22     },
23     // Pre-decrypted token from your own decryption
24     decrypted: {
25       applicationPrimaryAccountNumber: "4761120010000492",
26       applicationExpirationDate: "271231",
27       currencyCode: "840",
28       transactionAmount: 1000,
29       deviceManufacturerIdentifier: "050110030273",
30       paymentDataType: "3DSecure",
31       paymentData: {
32         onlinePaymentCryptogram: "AOkAAAAI4IEBggABNkRpBg==",
33         eciIndicator: "07"
34       }
35     }
36   }
37 };

The values in the code example above (such as applicationPrimaryAccountNumber, onlinePaymentCryptogram, etc.) are examples only and are not reflective of real production values. These values come from the decrypted Apple Pay token on your server.

Error Handling

HTTP Status	Error Message	Cause
`403`	`Merchant is not authorized for Apple Pay merchant decryption`	The `decrypted` field was included in the request, but merchant-managed decryption is not enabled on your account. Contact your Coinflow integrations specialist to enable this feature.

FAQ

Do I still need to send the encrypted token data?

Yes. You must still include the standard token field with the encrypted Apple Pay payment data (as received from the Apple Pay SDK) alongside the decrypted field. This ensures Coinflow has the full payment context, including payment method details and the transaction identifier.

How do I enable merchant-managed decryption on my account?

Contact your Coinflow integrations specialist to enable the applePayMerchantDecryption setting on your account. Once enabled, you can begin passing pre-decrypted tokens immediately.

What happens if I send a decrypted token without the feature enabled?

The API will return a 403 Forbidden error with the message: “Merchant is not authorized for Apple Pay merchant decryption”. Your request will not be processed.

Can I switch between merchant-managed and Coinflow-managed decryption?

Yes. The decrypted field is optional. If you omit it from the applePayPayment object, Coinflow will decrypt the token using the certificates on file, as it does by default. You can use either approach on a per-request basis.