Hi Visa Developer Support,
I am experiencing an issue when testing the Visa In-App Provisioning API using SOAPUI. Despite following the official documentation, I consistently receive a 401 Token Validation Failed error.
Steps Followed
- Generated API Key and Shared Secret from Visa Developer Portal.
- Set up Shared Secret Encryption as per the documentation.
- Generated the X-Pay Token using HMAC-SHA256.
- Tested API via SOAPUI, but received 401 Token Validation Failed.
HTTP Request (RAW Output from SOAPUI)
POST https://sandbox.api.visa.com/inapp/provisioning/cardData/applePay?apiKey=8D2NG8AP36GFENNJPKOJ21Ni0pq... HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/json
x-pay-token: xv2:1738829799:4d52a6449a6b1cb326da89a37fba5e6e38eaae756a050674d0f6071860f3d66d
Content-Length: 1636
Host: sandbox.api.visa.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.5 (Java/17.0.12)
Request Body (JSON Payload)
{
"deviceCert": "MIID/TCCA6OgAwIBAgIIMq/qUa9Z2nMwCgYIKoZIzj0EAwIwgYAxNDAyBgNVBAMMK0FwcGxlIFdvcmxkd2lkZSBEZXZlbG9wZXIgUmVsYXRpb25zIENBIC0gRzIxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzAeFw0xODA2MDEyMjAzMTBaFw0yMDA2MzAyMjAzMTBaMGwxNTAzBgNVBAMMLGVjYy1jcnlwdG8tc2VydmljZXMtZW5jaXBoZXJtZW50X1VDNi1TQU5EQk9YMREwDwYDVQQLDAhBcHBsZVBheTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATGiJjmEMmvOZBGj+tdj2ED7xnc9y1C0vNVaqZva7lvKkbgrfcWdo0/NdIJZ5wDcZ0eBtPuRJ+q/eSP9FLXQ19wo4ICGDCCAhQwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSEtoTMOoZichZZlOgao71I3zrfCzBHBggrBgEFBQcBAQQ7MDkwNwYIKwYBBQUHMAGGK2h0dHA6Ly9vY3NwLmFwcGxlLmNvbS9vY3NwMDMtYXBwbGV3d2RyY2EyMDUwggEdBgNVHSAEggEUMIIBEDCCAQwGCSqGSIb3Y2QFATCB/jCBwwYIKwYBBQUHAgIwgbYMgbNSZWxpYW5jZSBvbiB0aGlzIGNlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeSBhbmQgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRzLjA2BggrBgEFBQcCARYqaHR0cDovL3d3dy5hcHBsZS5jb20vY2VydGlmaWNhdGVhdXRob3JpdHkvMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuYXBwbGUuY29tL2FwcGxld3dkcmNhMi5jcmwwHQYDVR0OBBYEFMNruSHk5gH1LauD+wBI/9sgl/VpMA4GA1UdDwEB/wQEAwIDKDASBgkqhkiG92NkBicBAf8EAgUAMAoGCCqGSM49BAMCA0gAMEUCIQDhL+sL9bcrvAVO3UvswA805EHujfL7iVDrbEuJfOSJoAIgBPKehtuILl9x/SJ5kxReiml1zkJqUB8nTy0UOfUNIIQ=",
"nonce": "kauVuA==",
"nonceSignature": "QHuLYArUCO2OZevP0rHc99g9RJp4O1dgsZuVpUdlA7zPWqCDhVQo9Mxr1uPS6GVyjZYo3YElIhHRV4Mv3wEJ3hGOaxK1gResup88QWDK1fL0",
"tokenServiceProvider": "V",
"vcardId": "v-123-f98b91af-77c9-4e78-a1fe-345268939401"
}
HTTP Response (RAW Output)
{"responseStatus": {
"status": 401,
"code": "9159",
"severity": "ERROR",
"message": "Token Validation Failed",
"info": ""
}}
GROOVY SCRIPT
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import groovy.json.JsonOutput
def hmac(String secretKey, String data) {
Mac mac = Mac.getInstance("HmacSHA256")
SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA256")
mac.init(secretKeySpec)
byte[] digest = mac.doFinal(data.getBytes())
return digest
}
def APIKey = '8D2NG8AP36GFENNJPKOJ21Ni0pqrsjld6xnyYRy5v7Xm5RKxU'
def sharedSecret = '{Khmk$aa-hTj6X6YNfPuee5{21KHodAmCYB/#E7h'
def URI = "inapp/provisioning/cardData/applePay"
def QS = "apiKey="+APIKey
def timeStampUTC = String.valueOf(System.currentTimeMillis().intdiv(1000L))
def jsonPayload = [
deviceCert: "MIID/TCCA6OgAwIBAgIIMq/qUa9Z2nMwCgYIKoZIzj0EAwIwgYAxNDAyBgNVBAMMK0FwcGxlIFdvcmxkd2lkZSBEZXZlbG9wZX...",
nonce: "kauVuA==",
nonceSignature: "QHuLYArUCO2OZevP0rHc99g9RJp4O1dgsZuVpUdlA7zPWqCDhVQo9Mxr1uPS6GVyjZYo3YElIhHRV4Mv3wEJ3hGOaxK1gResup88QWDK1fL0",
tokenServiceProvider: "V",
vcardId: "v-123-f98b91af-77c9-4e78-a1fe-345268939401"
]
def payload = JsonOutput.toJson(jsonPayload)
def HMACDigest = hmac(sharedSecret, timeStampUTC + URI + QS + payload)
def encodedDigest = HMACDigest.encodeHex().toString()
def XPayToken = "xv2:"+ timeStampUTC + ":" + encodedDigest
testRunner.testCase.setPropertyValue("xpayToken", XPayToken)
log.info(XPayToken)
