Decrypt Apple Pay tokens

Learn how to decrypt Apple Pay tokens.

An Apple Pay token contains encrypted data of a transaction performed with Apple Pay. Apple Pay tokens enable you to securely pass the data of your shoppers to a payment service provider, like Adyen.

Choose a decryption method

If you are PCI-compliant, you can either let Adyen handle the token decryption or handle it on your own.

Only handle the token decryption on your own in advanced setup scenarios, like when you have to submit Merchant Plug-In (MPI) data in an Apple Pay request.

A benefit of handling the decryption on your own is that the auditing of transactions becomes easier with the availability of transaction data like shopper names.

If you are not PCI-compliant, you must let Adyen handle the decryption.

Let Adyen handle the decryption

On web

After initiating the Apple Pay payment on your website, you receive a callback that includes a PKPayment. This includes paymentData, a stringified version of the payment token. You need to submit this data in your payment request to Adyen.

  1. Stringify the paymentData from the token

    When the request is completed, you receive a PKPayment which contains paymentData. Apple Pay returns more data than we need for authorization, for example a shipping address, but only the paymentData is necessary for authorization.

    Convert the paymentData to a String:

    func paymentAuthorizationViewController(_ controller: PKPaymentAuthorizationViewController, didAuthorizePayment payment: PKPayment, completion: @escaping (PKPaymentAuthorizationStatus) -> Void) {
        // paymentData is UTF-8 encoded JSON; convert it to a String to send to your server.
        let token = String(data: payment.token.paymentData, encoding: .utf8)
    }

  2. Submit the API request

    Include the encoded token from step 1 as the value of applePayToken in the paymentMethod object of your /payments request:

In-app

After initiating the Apple Pay payment on your mobile application, you should receive a token in the onPaymentAuthorized event.

Retrieve the paymentData from the token and convert it to a string. Pass this to your server, and then submit it in a /payments request to Adyen.

  1. Stringify the paymentData from the token

    Apple Pay returns more data than we need for authorization, for example a shipping address, but only the paymentData is necessary for authorization. Take this data from the token, convert the JSON to a string, and base64-encode it:

    session.onpaymentauthorized = function(event) {
        // Serialize paymentData to JSON, then base64-encode it for the applePayToken field.
        var token = btoa(JSON.stringify(event.payment.token.paymentData));
    };

  2. Submit the API request

    Include the encoded token from step 1 as the value of applePayToken in the paymentMethod object of your /payments request:

Handle the decryption on your own

Before you begin

To decrypt Apple Pay tokens on your own, you must:

Decryption process

Verify the Apple Pay certificate before proceeding to token decryption.

To decrypt Apple Pay tokens, follow the detailed steps as outlined on the Apple developer portal.

Overview:

  1. Use the value of publicKeyHash to determine which merchant public key Apple used, and then retrieve the corresponding merchant public key certificate and private key.
  2. Restore the symmetric key.
  3. Use the symmetric key to decrypt the value of the data key.
  4. Confirm that you have not already credited this payment by verifying that no payment with the same transactionId shows as processed.
  5. Verify the original transaction details of the Apple Pay payment request.
  6. Use the decrypted payment data to process the payment. See the API reference section below for details.

API reference

The parameters listed in this section are specific to using decrypted Apple Pay tokens. For descriptions of other parameters, go to /payments.

There are two types of transactions, namely customer initiated and merchant initiated transactions, each with a specific set of parameters.

| Parameter name | Required | Description |
| --- | --- | --- |
| paymentMethod.number | Yes | Use the applicationPrimaryAccountNumber value, contained in the Apple Pay token. |
| paymentMethod.holderName | Yes | Use the cardholderName value, contained in the Apple Pay token. |
| paymentMethod.expiryMonth | Yes | Use the applicationExpirationDate value, contained in the Apple Pay token. |
| paymentMethod.expiryYear | Yes | Use the applicationExpirationDate value, contained in the Apple Pay token. |
| mpiData.cavv | Yes | Use the onlinePaymentCryptogram value, contained in the Apple Pay token. |
| mpiData.eci | Yes | Use the eciIndicator value, contained in the Apple Pay token. If you do not receive the eciIndicator variable in the Apple Pay token, you can omit this parameter from the request. |
| mpiData.directoryResponse | Yes | Set to "Y". |
| mpiData.authenticationResponse | Yes | Set to "Y". |

curl https://checkout-test.adyen.com/v71/payments \
-H "x-API-key: YOUR_X_API_KEY" \
-H "content-type: application/json" \
-d '{
    "amount": {
        "currency": "USD",
        "value": 1000
    },
    "reference": "Your order number",
    "paymentMethod": {
        "type": "scheme",
        "brand": "applepay",
        "number": "************1234",
        "expiryMonth": "12",
        "expiryYear": "24",
        "holderName": "ApplePay"
    },
    "mpiData": {
        "directoryResponse": "Y",
        "authenticationResponse": "Y",
        "cavv": "II67QpgqW/llYxZSBACWojEBhgA=",
        "eci": "07"
    },
    "returnUrl": "https://your-company.com/...",
    "merchantAccount": "YOUR_MERCHANT_ACCOUNT"
}'
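
Steps 4 to 6 of the overview and the parameter table above, as an added Python example (not Adyen's or Apple's code). It assumes the token is already decrypted into a dict with Apple's field names; `order`, `processed_ids`, `currency_numeric` and the sample values are hypothetical, and the YYMMDD expiration layout, numeric ISO 4217 `currencyCode` and minor-unit `transactionAmount` are assumptions about the decrypted format.

```python
import re
from decimal import Decimal

class TokenRejected(Exception):
    """The decrypted token must not be turned into a payment."""

def build_payments_request(header, decrypted, order, processed_ids):
    # Step 4: refuse a token whose transactionId was already processed.
    tx_id = header["transactionId"].lower()
    if tx_id in processed_ids:
        raise TokenRejected("transactionId already processed")
    # Step 5: the token must describe the order you created. Assumption:
    # currencyCode is ISO 4217 numeric, transactionAmount is in minor units.
    if decrypted["currencyCode"] != order["currency_numeric"]:
        raise TokenRejected("currency mismatch")
    if Decimal(str(decrypted["transactionAmount"])) != order["value"]:
        raise TokenRejected("amount mismatch")
    # Step 6: applicationExpirationDate is assumed YYMMDD; validate, then split.
    exp = decrypted["applicationExpirationDate"]
    if not re.fullmatch(r"[0-9]{2}(0[1-9]|1[0-2])[0-9]{2}", exp):
        raise TokenRejected("malformed applicationExpirationDate")
    crypto = decrypted["paymentData"]
    mpi = {"directoryResponse": "Y", "authenticationResponse": "Y",
           "cavv": crypto["onlinePaymentCryptogram"]}
    if "eciIndicator" in crypto:  # the page allows omitting eci when absent
        mpi["eci"] = crypto["eciIndicator"]
    processed_ids.add(tx_id)  # record before submitting so a replay is refused
    return {
        "amount": {"currency": order["currency"], "value": order["value"]},
        "reference": order["reference"],
        "paymentMethod": {
            "type": "scheme", "brand": "applepay",
            "number": decrypted["applicationPrimaryAccountNumber"],
            "expiryMonth": exp[2:4], "expiryYear": exp[0:2],
            "holderName": decrypted["cardholderName"]},
        "mpiData": mpi,
        "merchantAccount": "YOUR_MERCHANT_ACCOUNT",
    }

# Constructed sample values, not real card data.
SAMPLE_HEADER = {"transactionId": "AB12CD34"}
SAMPLE_DECRYPTED = {
    "applicationPrimaryAccountNumber": "4111111111111111",
    "applicationExpirationDate": "241231", "currencyCode": "840",
    "transactionAmount": 1000, "cardholderName": "ApplePay",
    "paymentData": {"onlinePaymentCryptogram": "II67QpgqW/llYxZSBACWojEBhgA="}}
SAMPLE_ORDER = {"reference": "Your order number", "currency": "USD",
                "currency_numeric": "840", "value": 1000}
```

Keep the returned dict out of application logs, since it carries the decrypted account number and cryptogram.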