Tokenisation APIs
List of APIs to tokenise customer cards.
According to recent Payment Acquirer (PA)/ Payment Gateway (PG) guidelines from RBI, businesses cannot save their customers' card numbers and other card data on their servers. Razorpay TokenHQ is a RBI-compliant solution that allows you to save customer credentials with card networks and card-issuing banks. You can use Razorpay Optimizer to route payments through the PA/PG of your choice.
Given below is the list of APIs:
- Token APIs
You can save customer card details in the form of tokens and then use these tokens to accept payments from customers.
Given on the right is a sample entity.
id
string
The unique identifier of the Razorpay token.
entity
string
The name of the entity. Here, it is token
.
customer_id
string
This is the Razorpay customer id. You can create token for a specific customer using their customer id. Use the
method
string
The type of object that was tokenised. Currently, it only supports card
.
card
object
The customer card details.
last4
string
The last 4 digits of the tokenised card.
network
string
The card network. Possible values:
Visa
RuPay
- MasterCard`
American Express
Diners Club
Bajaj Finserv
Maestro
JCB
Union Pay
issuer
string
The 4-character issuer code unique to each issuing bank in India. For example, HDFC
, SBIN
and so on.
type
string
The type of card. Possible values:
credit
debit
prepaid
international
boolean
Indicates whether the card is international (issued outside India) or domestic. Possible values:
true
: The card is international.false
: The card is domestic.
emi
boolean
Indicates whether the card is eligible for EMI payments or not. Possible values:
true
: The card is eligible for EMI payments.false
: The card is not eligible for EMI payments.
sub_type
string
The card sub_type for the given IIN. Pricing of card payment may change on the basis of card type. Possible values:
consumer
business
unknown
token_iin
string
The token IIN provided by the card network. When a token is created with card networks such as Visa or MasterCard, this field will have the token IIN. This will be useful to fetch all the token properties so that you can apply your existing IIN validations and processing. This field will be absent when the token is created by a token service provider other than the card network.
compliant_with_tokenisation_guidelines
boolean
Indicates whether the token is compliant with the RBI guidelines. Possible values:
true
: The token is compliant with RBI guidelines.false
: The token is not compliant with RBI guidelines.
service_provider_tokens
array
Every Razorpay token will have one or more token service providers(card networks, issuing banks or Razorpay). For each service provider, Razorpay will return a service provider token. This service provider token is the raw token returned by the token service provider (card network or issuer). Currently, we will have only card networks as token service providers. In future, a token may be created with more than one service provider. A token can be created with one or more of the following service providers:
Handy Tips
The service_provider_tokens
object is an on-demand feature, made available only to PCI DSS compliant businesses.
id
string
The unique identifier of the token.
entity
string
The name of the entity. Here, it is service_provider_token
.
provider_type
string
The type of provider through which the token was created. Possible values:
network
issuer
aggregator
(When the token provider is Razorpay.)
provider_name
string
The name of the provider through which the token was created. Possible values:
Visa
MasterCard
HDFC
razorpay
interoperable
boolean
This field suggests if the token provided is interoperable across different acquirers. Possible values:
true
: The token is interoperable.false
: The token is not interoperable.
status
string
The current status for the token as provided by the token service provider. Possible values:
active
suspended
deactivated
failed
Know about the complete list of .
status_reason
string
When the token status is deactivated, this field will provide the reason for deactivation. Possible values:
expired
deactivated_by_bank
provider_data
object
Service provider data.
token_reference_number
string
The token reference number provider by the token provider.
payment_account_reference
string
The unique card identifier provided by the token provider. If the service_provider
is network
, this identifier will be consistent for a given card across the card network ecosystem.
token_iin
string
The IIN of the token thus created. The IIN will be helpful to fetch all the properties of the token and apply your existing IIN validations and processes.
token_expiry_month
string
The expiry date for the token. The format used is mm
.
token_expiry_year
string
The expiry year for the token. The format used is yyyy
.
error
object
Details of error.
code
string
Type of the error.
description
string
Description of the error.
field
string
Name of the parameter that caused the error.
source
string
The point of failure in token creation.
step
string
The stage where the failure occurred.
reason
string
The exact error reason.
metadata
object
Contains additional information about the request.
expired_at
string
The expiry timestamp for the token.
status
string
The overall status for the token. Possible values:
initiated
: The token attains this state after Razorpay has received the tokenisation request and is working with token service providers for creating the token.active
: The token attains this state if the token is activated for at least one of the token service providers.suspended
: The token attains this state if:- The token is not activated for any one of the token service providers.
- The token is suspended for at least one of the token service providers.
deactivated
: The token attains this state if the token is notactive
/suspended
for any one of the token service providers and is deactivated for at least one token service provider.
Know about the complete list of .
status_reason
string
When the token reaches the deactivated
state, this field will provide the reason for deactivation. Possible values:
expired
deactivated_by_bank
notes
optional
object
Key-value pair that can be used to store additional information about the entity. Maximum 15 key-value pairs, 256 characters (maximum) each. For example, "note_key": "Beam me up Scottyā€¯
.
Use this API to retrieve card details such as network, issuer and so on for a given token.
id
mandatory
string
The unique identifier of the token.
Use the following API to delete a token already saved with Razorpay.
id
mandatory
string
The unique identifier of the token to be deleted.
Handy Tips
This API is available for testing.
You can create the token when your customer opts to save their card on your checkout during the first payment. As per RBI guidelines, you must collect customer consent to save their card.
- Use the following API to save the customer card details and create a token.
- Pass an additional field
save=true
to save and tokenise the card. - Use Razorpay Optimizer to route this payment to a PA/PG of your preference.
amount
mandatory
integer
The payment amount you want to collect from the customer.
currency
mandatory
string
The 3-character ISO code of the currency. Here, it is INR
.
order_id
mandatory
string
The unique identifier of the order created for this payment. Create an order using the
customer_id
optional
string
Unique identifier of customer.
mandatory
string
The customer's email address.
contact
mandatory
string
The customer's phone number.
method
mandatory
string
The payment method. Here, it is card
.
card
mandatory
object
The details of the card.
name
string
The cardholder's name.
number
string
The card number.
expiry_month
string
The expiry month of the card in mm
format.
expiry_year
string
The expiry year of the card in yy
format.
cvv
mandatory
string
The card's cvv.
save
mandatory
boolean
Pass this parameter to save the card details. Possible values:
true
: Saves the card details.false
: Does not save the card details.
notes
optional
object
Key-value pair that can be used to store additional information about the entity. Maximum 15 key-value pairs, 256 characters each. For example, "note_key": "Beam me up Scottyā€¯
.
Redirect the customer to the above URL to complete the authentication.
The token is created only if the cardholder successfully completes 3DS authentication.
Use the Fetch Payment API to fetch the token.
\{id\}
?expand[]=tokenWhen a customer initiates a subsequent payment using the saved card, use this API to make the payment.
- Pass the token ID from the previous API request to initiate a payment using the token.
- Use Razorpay Optimizer to route this payment to a PA/PG of your preference.
amount
mandatory
integer
The payment amount you want to collect from the customer.
currency
mandatory
string
The 3-character ISO code of the currency. Here, it is INR
.
order_id
mandatory
string
The unique identifier of the order created for this payment. Create an order using the
mandatory
string
The customer's email address.
contact
mandatory
string
The customer's phone number.
method
mandatory
string
The payment method. Here, it is card
.
token
mandatory
string
The unique identifier of the token.
card
mandatory
object
The details of the card.
cvv
optional
string
The card's cvv.
notes
optional
object
Key-value pair that can be used to store additional information about the entity. Maximum 15 key-value pairs, 256 characters (maximum) each. For example, "note_key": "Beam me up Scottyā€¯
.
Handy Tips
Know more about the
.To process a payment on the tokenised card on another PA/PG, you will need the token and relevant additional data for each token.
- The data required may vary for different networks.
- Use the API given below to obtain the token and the relevant data.
- You can pass this data to any PA/PG to process the payment.
id
mandatory
string
The unique identifier of the token.
token_number
string
The unique reference number generated for the token. For example, 4016981500100002
.
cryptogram_value
string
The token cryptogram value.
token_expiry_month
integer
The token expiry month in mm
format.
token_expiry_year
integer
The token expiry year in yyyy
format.
cvv
amex only
integer
A dynamic 4-digit number printed on the front of the Amex
card. This cvv should be passed in the CVV field to your PA/PG for processing the payment.
Was this page helpful?