Visa Developer Community

Highlighted
Newbie

X-Pay-Token - Token Validation Failed: Code 9101

Greetings Visa community,

 

I am developing a piece of software that interfaces with the Cybersource Payments using the X-Pay-Token authentication scheme, to the best of my knowledge I am formatting the headers and request body correctly but I consistantly get 401 Unauthorized on both the Cybersource payments and with the Hello World test app. Thinking it was an issue with my software I followed the Visa Developer instructions of using SOAPUI to connect to the Hello World app and received the same error code: 9101 with a 401 unauthorized. As of right now when my software attempts to POST a Cybersource payment authorization request it remits the same error as the helloworld test.

 

Currently, I have:

Recreated my shared secret/API key

Re-tested both my server software and the SOAPUI helloworld test.

 

Strangely enough, on my server the helloworld request is currently timing out instead of spitting out an error, attempting to POST to the helloworld URI immediatly spits out an error relating to a method not being allowed, which I expceted, however my SOAPUI tests promptly spits out that my Token Validation has failed.

 

Here is the RAW output of SOAPUI

HTTP/1.1 401 Unauthorized
X-SERVED-BY: l55c010
X-CORRELATION-ID: 1494181307_183_78_l55c010_VDP_ARM
X-APP-STATUS: 401
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=2592000;includeSubdomains
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Security-Policy-Report-Only: default-src 'self' https://*.v.me https://*.visa.com;script-src 'self' 'unsafe-inline' 'unsafe-eval'  https://*.visa.com https://*.v.me;img-src 'self' https://*.v.me https://*.visa.com https://*.unica.com https://ad.doubleclick.net;style-src 'self' 'unsafe-inline' https://*.visa.com;object-src  https://*.v.me https://*.visa.com data:;report-uri /logging/logCSPReport;
X-Content-Security-Policy-Report-Only: default-src 'self' https://*.v.me https://*.visa.com;script-src 'self' 'unsafe-inline' 'unsafe-eval'  https://*.visa.com https://*.v.me;img-src 'self' https://*.v.me https://*.visa.com https://*.unica.com https://ad.doubleclick.net;style-src 'self' 'unsafe-inline' https://*.visa.com;object-src  https://*.v.me https://*.visa.com data:;report-uri /logging/logCSPReport;
X-WebKit-CSP-Report-Only: default-src 'self' https://*.v.me https://*.visa.com;script-src 'self' 'unsafe-inline' 'unsafe-eval'  https://*.visa.com https://*.v.me;img-src 'self' https://*.v.me https://*.visa.com https://*.unica.com https://ad.doubleclick.net;style-src 'self' 'unsafe-inline' https://*.visa.com;object-src  https://*.v.me https://*.visa.com data:;report-uri /logging/logCSPReport;
Content-Type: application/json;charset=UTF-8
Content-Length: 112
Date: Sun, 07 May 2017 18:21:47 GMT
Connection: keep-alive

{"responseStatus":{"code":"9101","severity":"ERROR","info":"","status":401,"message":"Token validation failed"}}
4 REPLIES 4
Highlighted
Frequent Helper

Re: X-Pay-Token - Token Validation Failed: Code 9101

Hello,

 

We have open internal TKT to get help and will respond back to you ASAP.

 

Thanks

Sanobar

Tags (1)
Highlighted
Regular Visitor

Re: X-Pay-Token - Token Validation Failed: Code 9101

Got the same issue using SOAPUI

 

GET /vdp/helloworld?apikey=${_my_api_key_} HTTP/1.1
Accept-Encoding: gzip,deflate
x-pay-token: xv2:1494844715:63d9ef6a4bd4fc543cdb821c6570b1bf85c8721e4ce19278cdfa0f14bba63ea7
Host: sandbox.api.visa.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

Response

 

 

HTTP/1.1 401 Unauthorized
X-SERVED-BY: l73c036
X-CORRELATION-ID: 1494845341_194_1599_l73c036_VDP_ARM
X-APP-STATUS: 401
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=2592000;includeSubdomains
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Security-Policy-Report-Only: default-src 'self' https://*.v.me https://*.visa.com;script-src 'self' 'unsafe-inline' 'unsafe-eval'  https://*.visa.com https://*.v.me;img-src 'self' https://*.v.me https://*.visa.com https://*.unica.com https://ad.doubleclick.net;style-src 'self' 'unsafe-inline' https://*.visa.com;object-src  https://*.v.me https://*.visa.com data:;report-uri /logging/logCSPReport;
X-Content-Security-Policy-Report-Only: default-src 'self' https://*.v.me https://*.visa.com;script-src 'self' 'unsafe-inline' 'unsafe-eval'  https://*.visa.com https://*.v.me;img-src 'self' https://*.v.me https://*.visa.com https://*.unica.com https://ad.doubleclick.net;style-src 'self' 'unsafe-inline' https://*.visa.com;object-src  https://*.v.me https://*.visa.com data:;report-uri /logging/logCSPReport;
X-WebKit-CSP-Report-Only: default-src 'self' https://*.v.me https://*.visa.com;script-src 'self' 'unsafe-inline' 'unsafe-eval'  https://*.visa.com https://*.v.me;img-src 'self' https://*.v.me https://*.visa.com https://*.unica.com https://ad.doubleclick.net;style-src 'self' 'unsafe-inline' https://*.visa.com;object-src  https://*.v.me https://*.visa.com data:;report-uri /logging/logCSPReport;
Content-Type: application/json;charset=UTF-8
Content-Length: 112
Date: Mon, 15 May 2017 10:49:01 GMT
Connection: keep-alive

{"responseStatus":{"code":"9101","severity":"ERROR","message":"Token Validation Failed","info":"","status":401}}

 

 

However I get no errors using java

13:10:03.042 [main] DEBUG httpclient.wire.header - >> "GET /vdp/helloworld?apikey=${my api key is here} HTTP/1.1[\r][\n]"
13:10:03.057 [main] DEBUG httpclient.wire.header - >> "Accept: application/json, application/*+json[\r][\n]"
13:10:03.057 [main] DEBUG httpclient.wire.header - >> "x-pay-token: xv2:1494846602:23f5489362908ff24abd346e32fe0f4973157d007a45e92cb56a96eecbb43bc7[\r][\n]"
13:10:03.057 [main] DEBUG httpclient.wire.header - >> "Content-Type: text/plain;charset=ISO-8859-1[\r][\n]"
13:10:03.057 [main] DEBUG httpclient.wire.header - >> "Content-Length: 0[\r][\n]"
13:10:03.058 [main] DEBUG httpclient.wire.header - >> "Accept-Charset: big5, big5-hkscs, cesu-8, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm290, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-hkscs-2001, x-big5-solaris, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1364, x-ibm1381, x-ibm1383, x-ibm300, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-ms950-hkscs-xp, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-874, x-windows-949, x-windows-950, x-windows-iso2022jp[\r][\n]"
13:10:03.117 [main] DEBUG httpclient.wire.header - >> "User-Agent: Jakarta Commons-HttpClient/3.1[\r][\n]"
13:10:03.117 [main] DEBUG httpclient.wire.header - >> "Host: sandbox.api.visa.com[\r][\n]"
13:10:03.117 [main] DEBUG httpclient.wire.header - >> "[\r][\n]"
13:10:03.336 [main] DEBUG httpclient.wire.header - << "HTTP/1.1 200 OK[\r][\n]"
13:10:03.337 [main] DEBUG httpclient.wire.header - << "HTTP/1.1 200 OK[\r][\n]"
13:10:03.338 [main] DEBUG httpclient.wire.header - << "X-SERVED-BY: l73c028[\r][\n]"
13:10:03.338 [main] DEBUG httpclient.wire.header - << "X-CORRELATION-ID: 1494846603_235_1595_l73c028_VDP_ARM[\r][\n]"
13:10:03.338 [main] DEBUG httpclient.wire.header - << "Cache-Control: private ,no-cache, no-store, must-revalidate[\r][\n]"
13:10:03.338 [main] DEBUG httpclient.wire.header - << "Expires: Thu, 01 Jan 1970 00:00:00 GMT[\r][\n]"
13:10:03.339 [main] DEBUG httpclient.wire.header - << "X-APP-STATUS: 200[\r][\n]"
13:10:03.340 [main] DEBUG httpclient.wire.header - << "X-Frame-Options: SAMEORIGIN[\r][\n]"
13:10:03.340 [main] DEBUG httpclient.wire.header - << "X-XSS-Protection: 1; mode=block[\r][\n]"
13:10:03.340 [main] DEBUG httpclient.wire.header - << "X-Content-Type-Options: nosniff[\r][\n]"
13:10:03.341 [main] DEBUG httpclient.wire.header - << "Strict-Transport-Security: max-age=2592000;includeSubdomains[\r][\n]"
13:10:03.341 [main] DEBUG httpclient.wire.header - << "Pragma: no-cache[\r][\n]"
13:10:03.341 [main] DEBUG httpclient.wire.header - << "Content-Security-Policy-Report-Only: default-src 'self' https://*.v.me https://*.visa.com;script-src 'self' 'unsafe-inline' 'unsafe-eval'  https://*.visa.com https://*.v.me;img-src 'self' https://*.v.me https://*.visa.com https://*.unica.com https://ad.doubleclick.net;style-src 'self' 'unsafe-inline' https://*.visa.com;object-src  https://*.v.me https://*.visa.com data:;report-uri /logging/logCSPReport;[\r][\n]"
13:10:03.341 [main] DEBUG httpclient.wire.header - << "X-Content-Security-Policy-Report-Only: default-src 'self' https://*.v.me https://*.visa.com;script-src 'self' 'unsafe-inline' 'unsafe-eval'  https://*.visa.com https://*.v.me;img-src 'self' https://*.v.me https://*.visa.com https://*.unica.com https://ad.doubleclick.net;style-src 'self' 'unsafe-inline' https://*.visa.com;object-src  https://*.v.me https://*.visa.com data:;report-uri /logging/logCSPReport;[\r][\n]"
13:10:03.342 [main] DEBUG httpclient.wire.header - << "X-WebKit-CSP-Report-Only: default-src 'self' https://*.v.me https://*.visa.com;script-src 'self' 'unsafe-inline' 'unsafe-eval'  https://*.visa.com https://*.v.me;img-src 'self' https://*.v.me https://*.visa.com https://*.unica.com https://ad.doubleclick.net;style-src 'self' 'unsafe-inline' https://*.visa.com;object-src  https://*.v.me https://*.visa.com data:;report-uri /logging/logCSPReport;[\r][\n]"
13:10:03.342 [main] DEBUG httpclient.wire.header - << "Content-Type: application/json;charset=UTF-8[\r][\n]"
13:10:03.342 [main] DEBUG httpclient.wire.header - << "Content-Language: en-US[\r][\n]"
13:10:03.342 [main] DEBUG httpclient.wire.header - << "Content-Length: 58[\r][\n]"
13:10:03.343 [main] DEBUG httpclient.wire.header - << "Date: Mon, 15 May 2017 11:10:03 GMT[\r][\n]"
13:10:03.343 [main] DEBUG httpclient.wire.header - << "Connection: keep-alive[\r][\n]"
13:10:03.343 [main] DEBUG httpclient.wire.header - << "[\r][\n]"
13:10:03.349 [main] DEBUG httpclient.wire.content - << "{"timestamp":"2017-05-15T11:10:03","message":"helloworld"}"

 

 

Highlighted
Regular Visitor

Re: X-Pay-Token - Token Validation Failed: Code 9101

Actually for my Content-Length: 0 and Content-Type: text/plain;charset=ISO-8859-1 headers solved the issue
Highlighted
Frequent Helper

Re: X-Pay-Token - Token Validation Failed: Code 9101

Hello,

Great to know that you sort it out. Let us know if you have any question.