Debit Card Tokenization for Mobile Apps (Push to Card Only)

Get Config
$# Step 2
># Note: On production, change base url to https://api.coinflow.cash
>curl --location 'https://api-sandbox.coinflow.cash/api/checkout/mobile-tokenize-config' \
>--header 'Authorization: <YOUR API KEY>'
>
># Response
>{
> "Timestamp":"20250129191315",
> "TokenExID":"4582952996979143",
> "TokenScheme":"sixANTOKENfour",
> "AuthenticationKey":"qMxH2SOaOOMinp0BsSlXuVutt5UKNRpzBVjwnhS4T+g="
>}
Tokenize W/O CVV
$# Step 3
># Note: On production, change base url to https://api.coinflow.cash
>curl --request POST \
> --url https://api-sandbox.coinflow.cash/api/tokenize/mobile/card-only \
> --header 'accept: application/json' \
> --header 'content-type: application/json' \
> --data '
>{
> "Data": "4111111111111111",
> "TokenExID": "4582952996979143",
> "Timestamp": "20250129191315",
> "AuthenticationKey": "qMxH2SOaOOMinp0BsSlXuVutt5UKNRpzBVjwnhS4T+g=",
> "TokenScheme": "sixANTOKENfour"
>}
>'
>
># Response
>{
> "Error": null,
> "Success":true,
> "ReferenceNumber":"25012913154654906764",
> "Token":"411111YJM5TX1111",
> "TokenHMAC":"OqOUSUOa49ISBji/iWZ7bycR85/9mAFKDesHS5Cqfw4=",
> "FirstEight":null
>}
Add Debit Card
$# Step 4
># Note: On production, change base url to https://api.coinflow.cash
>curl --request POST \
> --url https://api-sandbox.coinflow.cash/api/withdraw/debit-card \
> --header 'accept: application/json' \
> --header 'content-type: application/json' \
> --header 'x-coinflow-auth-session-key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjdXN0b21lcklkIjoidXNlcjEyMyIsIm1lcmNoYW50SWQiOiJ0ZXN0dGVzdCIsImlhdCI6MTczODE3NTYzNCwiZXhwIjoxNzM4MjYyMDM0fQ.bQqsW26qxRengZZpjusM_2z5KPICipepUMGkd8DEKGM' \
> --data '
>{
> "address": {
> "address1": "201 E Randolph St",
> "city": "Chicago",
> "state": "IL",
> "zip": "60602"
> },
> "expYear": "30",
> "expMonth": "10",
> "cardToken": "411111YJM5TX1111"
>}
>'
>
># Response
>411111YJM5TX1111

Introduction

Unlike with websites, when a native mobile application runs on a mobile device owned by the end consumer, the installed application that uses native controls to ingest card data is not in scope for the developer's or company's PCI assessment. In these cases, the sensitive data goes from the consumer-owned device directly to Coinflow for tokenization, and the application receives a PAN token that can be stored for future use and/or used for immediate transaction processing.

The PCI SSC has an article that covers this: https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/how-do-pci-standards-apply-to-organizations-that-develop-software-that-runs-on-a-consumer-s-device-for-example-a-smartphone-tablet-or-laptop-and-is-used-to-accept-payment-card-data/

Get mobile tokenization config

This endpoint returns the config, which you must pass along with the card data to the mobile tokenization endpoint.

Tokenize W/O CVV

When utilizing Push to Debit Card Withdrawals, customers only need to enter their debit card number, not the CVV.

Get the config as in step 2, without passing the token query parameter.

Add Debit Card

Copy the token from Step 3 (Tokenize W/O CVV) and pass the token into the Add Debit Card endpoint.

At this point, you’ve linked a user’s debit card for push to card withdrawals!
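
The tokenize and add-card steps above, sketched as device-side helpers. This is an added example, not Coinflow's code: the function names are hypothetical, and the token shape check (first six and last four digits preserved) is an assumption inferred from the sample response on this page. It builds the tokenize body from the config and refuses to forward a "token" that is really the card number.

```javascript
// Added example: device-side helpers around the tokenize call (names are hypothetical).
const CONFIG_FIELDS = ["Timestamp", "TokenExID", "TokenScheme", "AuthenticationKey"];

// Luhn checksum, so a mistyped number is rejected before any request is made.
function luhnValid(pan) {
  if (!/^\d{12,19}$/.test(pan)) return false;
  let sum = 0;
  for (let i = 0; i < pan.length; i++) {
    let d = Number(pan[pan.length - 1 - i]);
    if (i % 2 === 1) d = d * 2 > 9 ? d * 2 - 9 : d * 2;
    sum += d;
  }
  return sum % 10 === 0;
}

// Body for POST /api/tokenize/mobile/card-only. Only the four config fields
// shown on this page are copied; anything else on the config object is dropped.
function buildTokenizeBody(config, cardNumber) {
  const pan = String(cardNumber).replace(/[\s-]/g, "");
  if (!luhnValid(pan)) throw new Error("invalid card number");
  const body = { Data: pan };
  for (const field of CONFIG_FIELDS) {
    if (typeof config[field] !== "string" || config[field] === "") {
      throw new Error("config is missing " + field);
    }
    body[field] = config[field];
  }
  return body;
}

// Returns the value to send as cardToken, or throws. Assumption (inferred from
// the sample response): the token keeps the first six and last four digits.
function extractCardToken(response, pan) {
  if (!response || response.Success !== true || response.Error) {
    throw new Error("tokenization failed");
  }
  const token = response.Token;
  if (typeof token !== "string" || !/^\d{6}[A-Za-z0-9]+\d{4}$/.test(token)) {
    throw new Error("unexpected token format");
  }
  if (token === pan) throw new Error("response echoed the card number");
  if (token.slice(0, 6) !== pan.slice(0, 6) || token.slice(-4) !== pan.slice(-4)) {
    throw new Error("token does not belong to this card");
  }
  return token;
}
```

Only the value returned by `extractCardToken` should be stored or sent as `cardToken`; the card number itself stays in memory on the device and is never logged.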