Card Tokenization for Mobile Apps (Checkout Only)

Get Config
$// Step2
>// Note: On production, change base url to https://api.coinflow.cash
>curl --location 'https://api-sandbox.coinflow.cash/api/checkout/mobile-tokenize-config' \
>--header 'Authorization: <YOUR API KEY>'
>
>// Response
>{
> "Timestamp": "20250129155641",
> "TokenExID": "4582952996979143",
> "TokenScheme": "sixANTOKENfour",
> "AuthenticationKey": "jSDu3tkjf06AOy0cbScCvwgy5EpsnNJpBB1vNt4TOMk="
>}
Tokenize W/ CVV
$// Step3
>// Note: On production, change base url to https://api.coinflow.cash
>curl --request POST \
> --url https://api-sandbox.coinflow.cash/api/tokenize/mobile/card-and-cvv \
> --header 'accept: application/json' \
> --header 'content-type: application/json' \
> --data '
>{
> "Data": "4111111111111111",
> "CVV": "111",
> "TokenExID": "4582952996979143",
> "Timestamp": "20250129155641",
> "AuthenticationKey": "jSDu3tkjf06AOy0cbScCvwgy5EpsnNJpBB1vNt4TOMk=",
> "TokenScheme": "sixANTOKENfour"
>}
>'
>
>// Response
>{
> "Error": null,
> "Success": true,
> "ReferenceNumber": "25012910225818974042",
> "Token": "411111YJM5TX1111",
> "TokenHMAC": "OqOUSUOa49ISBji/iWZ7bycR85/9mAFKDesHS5Cqfw4=",
> "FirstEight": null
>}
Card Checkout
$// Step4
>// Note: On production, change base url to https://api.coinflow.cash
>// Note: cardToken is the Token returned by the tokenize call in Step 3
>curl --request POST \
> --url https://api-sandbox.coinflow.cash/api/checkout/card/testtest \
> --header 'accept: application/json' \
> --header 'content-type: application/json' \
> --header 'x-coinflow-auth-session-key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjdXN0b21lcklkIjoidXNlcjEyMyIsIm1lcmNoYW50SWQiOiJ0ZXN0dGVzdCIsImlhdCI6MTczODE3NTYzNCwiZXhwIjoxNzM4MjYyMDM0fQ.bQqsW26qxRengZZpjusM_2z5KPICipepUMGkd8DEKGM' \
> --data '
>{
> "subtotal": {
> "currency": "USD",
> "cents": 100
> },
> "card": {
> "cardToken": "411111YJM5TX1111",
> "expYear": "30",
> "expMonth": "10",
> "email": "user@gmail.om",
> "firstName": "Dwayne",
> "lastName": "Johnson",
> "address1": "201 E Randolph St",
> "city": "Chicago",
> "state": "IL",
> "country": "US",
> "zip": "60602"
> }
>}
>'
>
>//Response
>{
> "paymentId": "ee24d75c-1284-4096-a56b-4a0c9e8032f2"
>}
Link CVV to token
$//Step5
>
>// Note: On production, change base url to https://api.coinflow.cash
>// NOTE: When getting the mobile tokenization config (in step 2), pass the token which was previously generated into the `token` query parameter
>curl --location 'https://api-sandbox.coinflow.cash/api/checkout/mobile-tokenize-config?token=<TOKEN>' \
>--header 'Authorization: <YOUR API KEY>'
>
>// Response
>{
> "Timestamp": "20250129155641",
> "TokenExID": "4582952996979143",
> "TokenScheme": "sixANTOKENfour",
> "AuthenticationKey": "jSDu3tkjf06AOy0cbScCvwgy5EpsnNJpBB1vNt4TOMk=",
> "Token": "411111YJM5TX1111"
>}
>
>// Note: On production, change base url to https://api.coinflow.cash
>curl --request POST \
> --url https://api-sandbox.coinflow.cash/api/tokenize/mobile/cvv-only \
> --header 'accept: application/json' \
> --header 'content-type: application/json' \
> --data '
>{
> "Token": "411111YJM5TX1111",
> "CVV": "111",
> "TokenExID": "4582952996979143",
> "Timestamp": "20250129162338",
> "AuthenticationKey": "Zw2Kwtxc3We4F6gKUZqXbwZfDgMUL7OL2Do/uXB37xA=",
> "TokenScheme": "sixANTOKENfour"
>}
>'
>
>// Response
>{
> "Error": null,
> "Success": true,
> "ReferenceNumber": "25012910231261742376",
> "Token": "411111YJM5TX1111",
> "TokenHMAC": "OqOUSUOa49ISBji/iWZ7bycR85/9mAFKDesHS5Cqfw4=",
> "FirstEight": null
>}
Saved Card Checkout
$//Step6
>// Note: On production, change base url to https://api.coinflow.cash
>curl --request POST \
> --url https://api-sandbox.coinflow.cash/api/checkout/token/testtest \
> --header 'accept: application/json' \
> --header 'content-type: application/json' \
> --header 'x-coinflow-auth-session-key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjdXN0b21lcklkIjoidXNlcjEyMyIsIm1lcmNoYW50SWQiOiJ0ZXN0dGVzdCIsImlhdCI6MTczODE3NTYzNCwiZXhwIjoxNzM4MjYyMDM0fQ.bQqsW26qxRengZZpjusM_2z5KPICipepUMGkd8DEKGM' \
> --data '
>{
> "subtotal": {
> "currency": "USD",
> "cents": 100
> },
> "token": "411111YJM5TX1111"
>}
>'
>
>//Response
>{
> "paymentId": "0194b38c-969a-7773-bde0-e29913cf75fb"
>}

Introduction

Unlike websites, if a native mobile application is running on a mobile device owned by the end consumer, then the installed application that has native controls for ingesting card data is not in scope for the developer/company’s PCI assessment. In these cases, the sensitive data goes from the consumer-owned device directly to Coinflow for tokenization, providing the application with a PAN token that can be stored for future use and/or immediate transaction processing.

The PCI SSC has an article that covers this: https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/how-do-pci-standards-apply-to-organizations-that-develop-software-that-runs-on-a-consumer-s-device-for-example-a-smartphone-tablet-or-laptop-and-is-used-to-accept-payment-card-data/

Get Mobile Tokenize Config

This endpoint returns the config that you must pass, along with the card data, to the mobile tokenization endpoint.

Tokenize Card with CVV

Take the Timestamp, TokenExID, TokenScheme, and AuthenticationKey from the response you received in step 2 and pass them into the TokenizeWithCVV endpoint along with Data (the card number) and CVV. This will authorize you to tokenize the card number and the CVV.

Initiate Card Checkout

Copy the token from the response in Step 3. Then, pass it into the card checkout endpoint.

At this point, you’ve completed a new card checkout!

Link CVV to token

CVV associations are only valid for a single use.

To use a saved card for a new purchase, the CVV must be re-linked to the token.

NOTE: When getting the mobile tokenization config (in step 2), pass the previously generated token in the `token` query parameter.

Initiate Saved Card Checkout

Copy the token from the response in Step 5. Then, pass it into the saved card checkout endpoint.

At this point, you’ve re-tokenized the card number with the CVV, and completed a saved card checkout!
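The request-building step that sits between the config call and the two tokenize endpoints, as an added example (not Coinflow's code): it merges the config fields with the card data for either the new-card or the saved-card path and produces a log-safe copy of the body. The function names, the validation rules (Luhn check, 14-digit Timestamp, config Token matching the saved token) and the redaction format are assumptions of this example, inferred from the sample requests and responses above.

```python
import re

# Fields copied unchanged from the mobile-tokenize-config response.
CONFIG_FIELDS = ("Timestamp", "TokenExID", "TokenScheme", "AuthenticationKey")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches mistyped card numbers before they leave the device."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def build_tokenize_request(config, cvv, pan=None, saved_token=None):
    """Return (path, body) for card-and-cvv (new card) or cvv-only (saved card)."""
    missing = [f for f in CONFIG_FIELDS if not config.get(f)]
    if missing:
        raise ValueError(f"config is missing {missing}")
    # Assumption: Timestamp is 14 digits, as in the sample responses.
    if not re.fullmatch(r"[0-9]{14}", config["Timestamp"]):
        raise ValueError("unexpected Timestamp format")
    if not re.fullmatch(r"[0-9]{3,4}", cvv):
        raise ValueError("CVV must be 3 or 4 digits")
    if (pan is None) == (saved_token is None):
        raise ValueError("pass exactly one of pan or saved_token")
    body = {f: config[f] for f in CONFIG_FIELDS}
    body["CVV"] = cvv
    if pan is not None:
        if not re.fullmatch(r"[0-9]{12,19}", pan) or not luhn_ok(pan):
            raise ValueError("card number failed validation")
        body["Data"] = pan
        return "/api/tokenize/mobile/card-and-cvv", body
    # Saved card: the config must have been requested with ?token=<saved token>.
    if config.get("Token") != saved_token:
        raise ValueError("config was not issued for this token")
    body["Token"] = saved_token
    return "/api/tokenize/mobile/cvv-only", body


def redact(body):
    """Copy of the body that is safe to log: no CVV, key, or full card number."""
    safe = dict(body, CVV="***", AuthenticationKey="<redacted>")
    if "Data" in safe:
        pan = safe["Data"]
        safe["Data"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return safe
```

Log only the output of `redact`, never the body itself, so the card number, CVV and AuthenticationKey stay out of crash reports and analytics.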