CardOnFile - Token validation failed - code 9207

New Contributor

CardOnFile - Token validation failed - code 9207

Hi, please could you help me with COF and Postman?


My body request:

{
  "requestHeader": {
    "requestMessageId": "6da6b8b024532a2e0eacb1af58581",
    "messageDateTime": "2019-02-35 05:25:12.327"
  },
  "requestData": {
    "pANs": [
    ],
    "group": "STANDARD"
  }
}

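My pre-request script in Postman:

// Resource path and query string, as they are fed into the hash
var resourcePath = 'cofds-web/v1/datainfo';
var queryParams = 'apiKey=*************************';
var sharedSecret = '*************************';
// Raw request body exactly as Postman will send it
var postBody = pm.request.body.raw;

console.log("body = " + postBody);

// Current UNIX time in seconds
var timestamp = Math.floor(Date.now() / 1000);
// HMAC-SHA256 over timestamp + resource path + query string + body, hex-encoded
var preHashString = timestamp + resourcePath + queryParams + postBody;
var hashString = CryptoJS.enc.Hex.stringify(CryptoJS.HmacSHA256(preHashString, sharedSecret));
var xPayToken = 'xv2:' + timestamp + ':' + hashString;

// Expose the token to the request as the x-pay-token variable
postman.setEnvironmentVariable('x-pay-token', xPayToken);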

My correlation id


request headers:

Captura de Pantalla 2023-05-25 a la(s) 11.02.55.png





I have tried many scripts and it is always the same error. Please let me know if you have any tips or information.

The error is:

{
    "responseStatus": {
        "status": 401,
        "code": "9207",
        "severity": "ERROR",
        "message": "Token validation failed",
        "info": ""
    }
}
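
An added Node.js example, not part of the original post and not Visa's code: it rebuilds a token in the `xv2:timestamp:hash` form used by the pre-request script above and runs a hypothetical receiver-side check, showing that any change to the body bytes, the query string or the timestamp's freshness makes validation fail. The function `checkXPayToken`, its 300-second window and all sample values are assumptions made for this example.

```javascript
const crypto = require('crypto');

// Build the token the same way as the pre-request script in the post.
function buildXPayToken(secret, resourcePath, queryString, body, timestamp) {
  const preHash = timestamp + resourcePath + queryString + body;
  const digest = crypto.createHmac('sha256', secret).update(preHash).digest('hex');
  return 'xv2:' + timestamp + ':' + digest;
}

// Hypothetical receiver-side check; returns a reason string for diagnostics.
// maxSkewSeconds is an assumed freshness window, not a documented value.
function checkXPayToken(token, secret, resourcePath, queryString, body, now, maxSkewSeconds = 300) {
  const parts = token.split(':');
  if (parts.length !== 3 || parts[0] !== 'xv2') return 'malformed';
  const timestamp = Number(parts[1]);
  if (!Number.isInteger(timestamp)) return 'malformed';
  if (Math.abs(now - timestamp) > maxSkewSeconds) return 'stale-timestamp';
  const expected = Buffer.from(buildXPayToken(secret, resourcePath, queryString, body, timestamp));
  const received = Buffer.from(token);
  // Constant-time comparison avoids leaking how many digest characters matched.
  if (expected.length !== received.length || !crypto.timingSafeEqual(expected, received)) {
    return 'hmac-mismatch';
  }
  return 'ok';
}

// Constructed sample values (not real credentials or card data).
const SECRET = 'constructed-shared-secret';
const PATH = 'cofds-web/v1/datainfo';
const QUERY = 'apiKey=CONSTRUCTED_KEY';
const RAW_BODY = '{\n  "requestData": {"group": "STANDARD"}\n}';
const NOW = 1700000000;

function demo() {
  const token = buildXPayToken(SECRET, PATH, QUERY, RAW_BODY, NOW);
  // Same JSON, re-serialized without whitespace: different bytes on the wire.
  const compactBody = JSON.stringify(JSON.parse(RAW_BODY));
  return {
    sameBytes: checkXPayToken(token, SECRET, PATH, QUERY, RAW_BODY, NOW + 5),
    reserializedBody: checkXPayToken(token, SECRET, PATH, QUERY, compactBody, NOW + 5),
    wrongQuery: checkXPayToken(token, SECRET, PATH, 'apiKey=OTHER', RAW_BODY, NOW + 5),
    lateArrival: checkXPayToken(token, SECRET, PATH, QUERY, RAW_BODY, NOW + 3600),
    wrongPrefix: checkXPayToken(token.replace('xv2', 'xv1'), SECRET, PATH, QUERY, RAW_BODY, NOW + 5),
  };
}

console.log(demo());
```

When debugging a signed request, log the exact pre-hash string on the sending side and compare it byte for byte with what is actually sent.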


Community Moderator

Re: CardOnFile - Token validation failed - code 9207

Thank you for reaching out, @moises! An agent is looking into this and will get back to you as soon as possible. In the meantime, if any community members know a solution, feel free to reply here.

New Contributor

Re: CardOnFile - Token validation failed - code 9207

Any update?

Visa Developer Support Specialist

Re: CardOnFile - Token validation failed - code 9207

Hi @moises


If you are attempting to call the Card on File Data Inquiry API, this product's authentication method is Two-Way SSL, not X-Pay Token. You can find more information on Two-Way SSL here:

Two-Way SSL (


The 9207 Token Validation Error you're seeing is usually due to an invalid JWE payload; please refer to the Visa Developer X-Pay Token guide for more information: 

Visa Developer | X-Pay Token