{"title":"Card encryption with JWE","category":"default","creationDate":1739285820,"content":"<p>You can use JSON Web Encryption (JWE) to encrypt your shopper's card details when implementing your own UI. With JWE, you use a third-party JWT library and an Adyen-provided encryption key to encrypt card details from your shopper's device.<\/p>\n<h2>Requirements<\/h2>\n<p>Before you begin, take into account the following requirements, limitations, and preparations.<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Requirement<\/th>\n<th style=\"text-align: left;\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><strong>Integration type<\/strong><\/td>\n<td style=\"text-align: left;\">Make sure you have an <a href=\"\/pt\/online-payments\/build-your-integration\/advanced-flow\/?platform=Web&amp;integration=API%20only\">API only integration<\/a> for Web.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><strong><a href=\"\/pt\/development-resources\/api-credentials\/roles\/\">API credential roles<\/a><\/strong><\/td>\n<td style=\"text-align: left;\">Make sure that you have the following role: <ul><li markdown=\"1\"><strong>Checkout webservice role<\/strong> (assigned by default)<\/li> <\/ul><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><strong><a href=\"\/pt\/account\/user-roles\">Customer Area roles<\/a><\/strong><\/td>\n<td style=\"text-align: left;\">Make sure that you have the <strong>Manage API credentials<\/strong> role.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><strong>Limitations<\/strong><\/td>\n<td style=\"text-align: left;\">Make sure to check your PCI DSS requirements in the <a href=\"\/pt\/development-resources\/pci-dss-compliance-guide\">PCI DSS compliance guide<\/a>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><strong>Setup steps<\/strong><\/td>\n<td style=\"text-align: left;\">Before you begin: <ul><li markdown=\"1\">Make sure <a 
href=\"\/pt\/online-payments\/build-your-integration\/advanced-flow\/?platform=Web&amp;integration=API%20only#make-a-payment\">your backend can make a payment<\/a>.<\/li><li markdown=\"1\">Download CSE public key as X.509 certificate.<\/li><\/ul><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>JSON Web Encryption (JWE)<\/h2>\n<p>We offer multiple ways for you to accept <a href=\"\/pt\/payment-methods\/cards\">card payments<\/a> for different use cases and different PCI compliance levels. Card detail encryption with JWE is for when you want to have access to the unencrypted card details from your frontend, for example when:<\/p>\n<ul>\n<li>Offering card payments with Adyen in a multiple-payment-service-provider setup.<\/li>\n<li>Running payments through your own <a href=\"\/pt\/risk-management\/#risk-engine\">risk engine<\/a>.<\/li>\n<\/ul>\n<p>In a JWE setup, you use a <a href=\"https:\/\/jwt.io\/libraries?language=JavaScript\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">third-party JWT library<\/a> to encrypt card details as a JSON Web Token. The encrypted details can be safely passed to your server, where you can use them for a  <a href=\"https:\/\/docs.adyen.com\/api-explorer\/Checkout\/latest\/post\/payments\" class=\"codeLabel  external-link no-image\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">\/payments<\/a> request. We never share decryption keys, so once you encrypt card details only Adyen can decrypt them to process your payment.<\/p>\n<p>JWE supports multiple algorithms for encryption (<code>enc<\/code>) and securing the JSON Web Signature (<code>alg<\/code>). 
In our integration guide, we advise you to use specific algorithms that meet our security standards.<\/p>\n<h2>How it works<\/h2>\n<p>Encrypting card details using JWE involves the following:<\/p>\n<ol>\n<li>You download your merchant account-specific X.509 certificate from the <a href=\"https:\/\/ca-test.adyen.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Customer Area<\/a>.<\/li>\n<li>You compute your JSON Web Key (JWK) from your X.509 certificate.<\/li>\n<li>Your shopper enters their card details in your checkout.<\/li>\n<li>You encrypt the card details on the client side using your JWK.<\/li>\n<li>You pass the encrypted card details to your server.<\/li>\n<li>You make a  <a href=\"https:\/\/docs.adyen.com\/api-explorer\/Checkout\/latest\/post\/payments\" class=\"codeLabel  external-link no-image\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">\/payments<\/a> request using the encrypted card details.<\/li>\n<\/ol>\n<h2>Get your X.509 certificate<\/h2>\n<p>Before you encrypt card details with JWE, get your X.509 certificate:<\/p>\n<ol>\n<li>In your <a href=\"https:\/\/ca-test.adyen.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Customer Area<\/a>, go to <strong>Developers<\/strong> &gt; <strong>API credentials<\/strong>.<\/li>\n<li>Select the relevant API credential.<\/li>\n<li>From the <strong>Client side encryption<\/strong> section, under <strong>X509 Certificate<\/strong>, select <strong>Download<\/strong>.<\/li>\n<\/ol>\n<h2>Compute your JWK<\/h2>\n<p>Then, use your X.509 certificate to compute your JWK.<\/p>\n<ol>\n<li>\n<p>Install and import a third-party JavaScript <a href=\"https:\/\/jwt.io\/libraries?language=JavaScript\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">JWT library<\/a>, for example <a href=\"https:\/\/github.com\/panva\/jose\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" 
class=\"external-link no-image\">JavaScript Object Signing and Encryption (JOSE)<\/a>.<\/p>\n<div class=\"notices green\">\n<p>The following instructions use the JavaScript (JOSE) library.<\/p>\n<\/div>\n<\/li>\n<li>\n<p>Assign the content of the X.509 Certificate to a variable.<\/p>\n<div data-component-wrapper=\"code-sample\">\n<code-sample :title=\"'Assign the X509 Certificate to a variable'\" :id=\"''\" :code-data='[{\"language\":\"javascript\",\"tabTitle\":\"\",\"content\":\"const x509 = `-----BEGIN CERTIFICATE-----\\nMIIBXjCCAQSgAwIBAgIGAXvykuMKMAoGCCqGSM49BAMCMDYxNDAyBgNVBAMMK3Np\\nQXBNOXpBdk1VaXhXVWVGaGtjZXg1NjJRRzFyQUhXaV96UlFQTVpQaG8wHhcNMjEw\\nOTE3MDcwNTE3WhcNMjIwNzE0MDcwNTE3WjA2MTQwMgYDVQQDDCtzaUFwTTl6QXZN\\nVWl4V1VlRmhrY2V4NTYyUUcxckFIV2lfelJRUE1aUGhvMFkwEwYHKoZIzj0CAQYI\\nKoZIzj0DAQcDQgAE8PbPvCv5D5xBFHEZlBp\\\/q5OEUymq7RIgWIi7tkl9aGSpYE35\\nUH+kBKDnphJO3odpPZ5gvgKs2nwRWcrDnUjYLDAKBggqhkjOPQQDAgNIADBFAiEA\\n1yyMTRe66MhEXID9+uVub7woMkNYd0LhSHwKSPMUUTkCIFQGsfm1ecXOpeGOufAh\\nv+A1QWZMuTWqYt+uh\\\/YSRNDn\\n-----END CERTIFICATE-----`\"}]' :enable-copy-link-to-code-block=\"true\" :code-sample-card-size=\"'fullsize'\"><\/code-sample>\n<\/div>\n<\/li>\n<li>\n<p>Create a public key from your X.509 certificate.<\/p>\n<div data-component-wrapper=\"code-sample\">\n<code-sample :title=\"'Create a public encryption key'\" :id=\"''\" :code-data=\"[{&quot;language&quot;:&quot;javascript&quot;,&quot;tabTitle&quot;:&quot;&quot;,&quot;content&quot;:&quot;const rsaPublicKey = await jose.importX509(x509, 'RSA-OAEP-256')&quot;}]\" :enable-copy-link-to-code-block=\"true\" :code-sample-card-size=\"'fullsize'\"><\/code-sample>\n<\/div>\n<\/li>\n<\/ol>\n<h2>Encrypt card details<\/h2>\n<p>When making a payment, use the encryption key to encrypt card details.<\/p>\n<ol>\n<li>\n<p>Create an object to encrypt.<\/p>\n<div data-component-wrapper=\"code-sample\">\n<code-sample :title=\"'Create object to encrypt'\" :id=\"''\" 
:code-data='[{\"language\":\"javascript\",\"tabTitle\":\"\",\"content\":\"const dateTimeString = new Date().toISOString();\\nconst objectToEncrypt = JSON.stringify({\\n    \\\"cvc\\\": \\\"737\\\",\\n    \\\"number\\\": \\\"4111111111111111\\\",\\n    \\\"expiryMonth\\\": \\\"03\\\",\\n    \\\"expiryYear\\\": \\\"2030\\\",\\n    \\\"generationtime\\\": dateTimeString\\n});\"}]' :enable-copy-link-to-code-block=\"true\" :code-sample-card-size=\"'fullsize'\"><\/code-sample>\n<\/div>\n<div class=\"notices green\">\n<ul>\n<li>Card details to encrypt go by keys <code>cvc<\/code>, <code>number<\/code>, <code>expiryMonth<\/code>, and <code>expiryYear<\/code>. Go to  <a href=\"https:\/\/docs.adyen.com\/api-explorer\/Checkout\/latest\/post\/payments#request-paymentMethod\" class=\"codeLabel  external-link no-image\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">paymentMethod<\/a> and select <strong>CardDetails<\/strong> to learn about the card detail parameters.<\/li>\n<li><code>generationtime<\/code> is a string representing the JavaScript date object, based on <a href=\"https:\/\/en.wikipedia.org\/wiki\/ISO_8601\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">ISO 8601<\/a>.<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>\n<p>Encrypt the card detail object.<\/p>\n<div data-component-wrapper=\"code-sample\">\n<code-sample :title=\"'Encrypt card details'\" :id=\"''\" :code-data=\"[{&quot;language&quot;:&quot;javascript&quot;,&quot;tabTitle&quot;:&quot;&quot;,&quot;content&quot;:&quot;const jwe = await new jose.CompactEncrypt(new TextEncoder()\\n  .encode(objectToEncrypt))\\n  .setProtectedHeader({ alg: 'RSA-OAEP-256', enc: 'A256GCM', version: '1' })\\n  .encrypt(rsaPublicKey);&quot;}]\" :enable-copy-link-to-code-block=\"true\" :code-sample-card-size=\"'fullsize'\"><\/code-sample>\n<\/div>\n<\/li>\n<li>\n<p>Pass the encrypted object (<code>jwe<\/code>) to your server. 
Include the <code>jwe<\/code> object when you make a  <a href=\"https:\/\/docs.adyen.com\/api-explorer\/Checkout\/latest\/post\/payments\" class=\"codeLabel  external-link no-image\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">\/payments<\/a> request.<\/p>\n<div data-component-wrapper=\"code-sample\">\n<code-sample :title=\"'Payments request with JWE-encrypted card details'\" :id=\"''\" :code-data='[{\"language\":\"json\",\"tabTitle\":\"\",\"content\":\"{\\n   ...\\n   \\\"paymentMethod\\\": {\\n     \\\"type\\\": \\\"scheme\\\",\\n     \\\"encryptedCard\\\": jwe\\n   }\\n   ...\\n}\"}]' :enable-copy-link-to-code-block=\"true\" :code-sample-card-size=\"'fullsize'\"><\/code-sample>\n<\/div>\n<\/li>\n<\/ol>\n<h2>See also<\/h2>\n<div class=\"see-also-links output-inline\" id=\"see-also\">\n<ul><li><a href=\"\/development-resources\/pci-dss-compliance-guide\"\n                        target=\"_self\"\n                        >\n                    PCI DSS compliance guide\n                <\/a><\/li><li><a href=\"\/payment-methods\/cards\/web-component\"\n                        target=\"_self\"\n                        >\n                    Card Component\n                <\/a><\/li><li><a href=\"\/payment-methods\/cards\/custom-card-integration\"\n                        target=\"_self\"\n                        >\n                    API only with encrypted card data\n                <\/a><\/li><\/ul><\/div>\n","url":"https:\/\/docs.adyen.com\/pt\/online-payments\/card-encryption-with-jwe","articleFields":{"description":"Use JWE to encrypt card details for your custom card integration.","feedback_component":true,"filters_component":false,"decision_tree":"[]","page_id":"7fe7870e-35b2-4e7a-8575-e10154d9d055","last_edit_on":"09-07-2025 09:28"},"algolia":{"url":"https:\/\/docs.adyen.com\/pt\/online-payments\/card-encryption-with-jwe","title":"Card encryption with JWE","content":"You can use JSON Web Encryption (JWE) to encrypt your shopper's card details 
when implementing your own UI. With JWE, you use a third-party JWT library and an Adyen-provided encryption key to encrypt card details from your shopper's device.\nRequirements\nBefore you begin, take into account the following requirements, limitations, and preparations.\n\n\n\nRequirement\nDescription\n\n\n\n\nIntegration type\nMake sure you have an API only integration for Web.\n\n\nAPI credential roles\nMake sure that you have the following role: Checkout webservice role (assigned by default) \n\n\nCustomer Area roles\nMake sure that you have the Manage API credentials role.\n\n\nLimitations\nMake sure to check your PCI DSS requirements in the PCI DSS compliance guide.\n\n\nSetup steps\nBefore you begin: Make sure your backend can make a payment.Download CSE public key as X.509 certificate.\n\n\n\nJSON Web Encryption (JWE)\nWe offer multiple ways for you to accept card payments for different use cases and different PCI compliance levels. Card detail encryption with JWE is for when you want to have access to the unencrypted card details from your frontend, for example when:\n\nOffering card payments with Adyen in a multiple-payment-service-provider setup.\nRunning payments through your own risk engine.\n\nIn a JWE setup, you use a third-party JWT library to encrypt card details as a JSON Web Token. The encrypted details can be safely passed to your server, where you can use them for a  \/payments request. We never share decryption keys, so once you encrypt card details only Adyen can decrypt them to process your payment.\nJWE supports multiple algorithms for encryption (enc) and securing the JSON Web Signature (alg). 
In our integration guide, we advise you to use specific algorithms that meet our security standards.\nHow it works\nEncrypting card details using JWE involves the following:\n\nYou download your merchant account-specific X.509 certificate from the Customer Area.\nYou compute your JSON Web Key (JWK) from your X.509 certificate.\nYour shopper enters their card details in your checkout.\nYou encrypt the card details on the client side using your JWK.\nYou pass the encrypted card details to your server.\nYou make a  \/payments request using the encrypted card details.\n\nGet your X.509 certificate\nBefore you encrypt card details with JWE, get your X.509 certificate:\n\nIn your Customer Area, go to Developers &gt; API credentials.\nSelect the relevant API credential.\nFrom the Client side encryption section, under X509 Certificate, select Download.\n\nCompute your JWK\nThen, use your X.509 certificate to compute your JWK.\n\n\nInstall and import a third-party JavaScript JWT library, for example JavaScript Object Signing and Encryption (JOSE).\n\nThe following instructions use the JavaScript (JOSE) library.\n\n\n\nAssign the content of the X.509 Certificate to a variable.\n\n\n\n\n\nCreate a public key from your X.509 certificate.\n\n\n\n\n\nEncrypt card details\nWhen making a payment, use the encryption key to encrypt card details.\n\n\nCreate an object to encrypt.\n\n\n\n\n\nCard details to encrypt go by keys cvc, number, expiryMonth, and expiryYear. Go to  paymentMethod and select CardDetails to learn about the card detail parameters.\ngenerationtime is a string representing the JavaScript date object, based on ISO 8601.\n\n\n\n\nEncrypt the card detail object.\n\n\n\n\n\nPass the encrypted object (jwe) to your server. 
Include the jwe object when you make a  \/payments request.\n\n\n\n\n\nSee also\n\n\n                    PCI DSS compliance guide\n                \n                    Card Component\n                \n                    API only with encrypted card data\n                \n","type":"page","locale":"pt","boost":18,"hierarchy":{"lvl0":"Home","lvl1":"Online payments","lvl2":"Card encryption with JWE"},"hierarchy_url":{"lvl0":"https:\/\/docs.adyen.com\/pt","lvl1":"https:\/\/docs.adyen.com\/pt\/online-payments","lvl2":"\/pt\/online-payments\/card-encryption-with-jwe"},"levels":3,"category":"Online Payments","category_color":"green","tags":["encryption"]}}
