Manage network tokens

Learn how to manage network tokens for cards added to digital wallets.

When your cardholder adds their Adyen-issued card to the digital wallet, the card scheme (Visa or Mastercard) creates a network token for it. A network token is a 16-digit Primary Account Number (PAN) alternative that is unique for each card-device-wallet pairing.

The benefits of using network tokens are:

Reduced user friction and declined payments because network tokens are maintained by card schemes.
Higher authorisation rates compared to payments made without network tokens.
Better payment security because each transaction is protected with a one-time use cryptogram.

With Adyen Issuing, you can manage network tokens separately from the cards. For example, you might want to temporarily suspend a network token or deactivate a network token, if the card has been lost or stolen.

Requirements

Before you begin, make sure that you fulfill the following requirements:

Requirement	Description
Integration type	You must have an integration that supports Issuing.
API credentials	You need an API credential for the Configuration API that has the following role: Gives the user permissions to read and patch the NetworkTokens that are linked to the accounts they are able to access

Get all network tokens

To get all network tokens that are linked to the Adyen-issued card:

Make a GET /paymentInstruments/{id}/networkTokens request and specify the following parameter in the path:

Path parameter Description

id The identifier of the payment instrument created when issuing a card.

Verify that you receive an HTTP 200 — OK response that returns all network tokens associated with the payment instrument, regardless of the network token status. For each network token, note the parameters in the following table:

Parameter	Description	Possible values
`type`	The type of wallet the network token is associated with.	applePay, googlePay
`id`	The unique identifier of the network token.	NWTK00000000000000000000000001
`paymentInstrumentId`	The unique identifier of the payment instrument.	PI3227C223222B5BPCMFXD2XG
`creationDate`	Date and time when the network token was created.	2021-01-01T01:00:00+01:00
`status`	The status of the network token.	active, inactive, suspended, closed.
`brandVariant`	The card brand variant of the payment instrument associated with the network token.	mcmaestro, mc_prepaid_mrw, etc.
`tokenLastFour`	The last four digits of the network token `id`.	0001
`device.osName`	The operating system of the device the network token is stored on.	android, ios, other.
`device.formFactor`	The form factor of the device the network token is stored on.	phone, watch, tablet, other.

Get a single network token

To get the details of a single network token that is linked to the Adyen-issued card:

Make a GET /networkTokens/{networkTokenId} request and specify the following parameter in the path:

Path parameter Description

networkTokenId The identifier of the network token associated with the card.

Verify that you receive an HTTP 200 — OK response that contains the details for the network token associated with the payment instrument. Note the parameters in the following table:

Parameter	Description	Possible values
`type`	The type of wallet the network token is associated with.	wallet, cof
`id`	The unique identifier of the network token.	An alphanumeric string.
`paymentInstrumentId`	The unique identifier of the payment instrument.	An alphanumeric string.
`creationDate`	The date and time when the network token was created.	Date in ISO-8601 format.
`status`	The status of the network token.	active, inactive, suspended, closed
`brandVariant`	The card brand variant of the payment instrument associated with the network token.	mcmaestro, mc_prepaid_mrw
`tokenLastFour`	The last four digits of the network token `id`.	A string of four numbers.
`tokenRequestor.id`	The unique identifier of the entity that requested the network token.	A string of numbers.
`tokenRequestor.name`	The name of the entity that requested the network token.	googlePay, applePay
`device.osName`	The operating system of the device the network token is stored on.	android, ios, or other
`device.formFactor`	The type of device used to provision the network token.	phone, watch, tablet, or other

Update the status of a network token

You can update the status of a network token to:

Manually activate a network token after completing phone call authentication: You change the status from inactive to active.
Temporarily suspend a network token: You change the status from active to suspended.
Reactivate a suspended token: You change the status from suspended to active.
Permanently close a network token: You change the status from active or suspended to closed.

To update the status of a network token:

Make a PATCH /networkTokens/{networkTokenId} request and specify the following parameter in the path:

Path parameter Description

networkTokenId The identifier of the network token associated with the card.

Provide the following parameters in the request body:

Parameter Required Description

status The status of the network token. Possible values: active, suspended, closed. The closed status is final and cannot be changed.

Here's an example of how to change the status of the network token to suspended.
Verify that you receive an HTTP 202 — Accepted response with no content. This response means that the request has been accepted, but will be processed asynchronously.
Listen to webhooks to receive the final result of this request.

Limit the usage of a network token

In some cases, you might need to limit the number of network tokens per card or set limits for transactions that use network tokens. You can do so by using the /transactionRules endpoint.

Limit the number of active network tokens

To limit the number of active network tokens allowed for a single card:

Send a POST /transactionRules request and specify the following parameters:

Parameter	Required	Description
description		Your description for the rule. Maximum length: 300 characters. This description is shown in the Customer Area.
entityKey		Contains the ID and type of resource to which the rule is applied.
interval		The time period or duration when the rule applies.
reference		Your reference for the rule. Maximum length: 150 characters.
type		Set to blockList, maxUsage, or velocity.
ruleRestrictions		Object that contains key-value objects with the key as the condition and the value containing values and operations.
status		Set to active if you want to start evaluating the rule. When you set the status to active, we automatically set the `startDate` to the current time.

The following example shows how to limit the number of active network tokens to only one per card.

Verify that you receive an HTTP 200 — OK response that returns the id of the transaction rule that can be used to further update or delete this rule.

Limit transactions using network tokens

To limit the transactions using network tokens for a card:

Make a POST /transactionRules request and specify the following parameters:

Parameter	Required	Description
description		Your description for the rule. Maximum length: 300 characters. This description is shown in the Customer Area.
entityKey		Contains the ID and type of resource to which the rule is applied.
interval		The time period or duration when the rule applies.
reference		Your reference for the rule. Maximum length: 150 characters.
type		Set to blockList, maxUsage, or velocity.
ruleRestrictions		Object that contains key-value objects with the key as the condition and the value containing values and operations.
status		Set to active if you want to start evaluating the rule. When you set the status to active, we automatically set the `startDate` to the current time.

The following example shows how to block transactions that are greater than EUR 50 and use network tokens.

Verify that you receive an HTTP 200 — OK response that returns the id of the transaction rule that can be used to further update or delete this rule.