Re: Token validation failed (code 9159) for x-pay-token value


Token validation failed (code 9159) for x-pay-token value

I'm getting the "Token validation failed" error when I submit a request to the Visa Payments (CyberSource) API and can't tell what's off in my code:


    Boolean testMode = true;
    String endPoint = testMode ? '' + apiKey : '' + apiKey;

    Http objhttp = new Http();
    HttpRequest req = new HttpRequest();
    HttpResponse res = new HttpResponse();

    String queryString = 'apikey=' + apiKey;
    String URI = 'payments/v1/sales';

    // Unix time in seconds (getTime() returns milliseconds)
    DateTime dateTimeNow = DateTime.now();
    String unixTime = '' + dateTimeNow.getTime() / 1000;
    String timeStampUTC = unixTime;
    String payload = '{\"encryptionType\":\"WebCryptoAPI\"}';
    System.debug('=====> timestamp, uri, query string, payload = ' + timeStampUTC + URI + queryString + payload);

    // HMAC-SHA256 over timestamp + URI + query string + payload, keyed with the shared secret
    Blob hmacData = Crypto.generateMac('HmacSHA256', Blob.valueOf(timeStampUTC + URI + queryString + payload), Blob.valueOf(sharedSecret));
    String encodedDigest = EncodingUtil.base64Encode(hmacData);

    xPayToken = 'xv2:' + timeStampUTC + ':' + encodedDigest;
    System.debug('=====> xPayToken = ' + xPayToken);
    req.setHeader('x-pay-token', xPayToken);

    System.debug('=====> request body: ' + reqBody);

    try {
        res = objhttp.send(req);
        System.debug('=====> http response: ' + res.getBody());
    } catch (System.CalloutException e) {
        System.debug('Callout error: ' + e);
    }


I've checked the timestamp value to make sure it's the current time (UTC), the apiKey and shared secret match those in the sandbox, and the Hmac digest seems to be in order (at least according to code samples on the Salesforce developer forums for this type of header value).


The debug output includes:


=====> timestamp, uri, query string, payload = 1500065746payments/v1/salesapikey=...hidden...{"encryptionType":"WebCryptoAPI"}


=====> xPayToken = xv2:1500065746:69fTj20b36apeCz3KAOWKOr889w/m+tCgazRDiTeM3M=


=====> http response: {"responseStatus":{"code":"9159","severity":"ERROR","message":"Token validation failed","info":"","status":401}}


Could someone kindly point out what I'm doing wrong?



Frequent Helper

Re: Token validation failed (code 9159) for x-pay-token value

A few things to note while generating the token:

  1. Please follow the getting started documentation to generate a valid token.
  2. The API key in the URL query param should be the same as the one used to generate the xpayToken.
  3. “resourcePath” sent in the xpaytoken has to be as per the documentation (e.g. for keys → payments/flex/v1/keys).
  4. The payload sent in the request should exactly match, spaces included, the “requestBody” value used in the xpaytoken.



For Flex Keys resource we have to send xpaytoken{apikey}


for flex Tokens there will be no xpaytoken


Try this out and keep me updated!
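
The points in the reply above can be checked offline before a request is sent. This is an added example, not code from any poster in this thread or from Visa: it builds the token over timestamp + resource path + query string + body, as in the question's code, and recomputes it the way a receiver would, once for a matching request and once for each mismatch the reply lists. Assumptions: the hex encoding of the digest follows Visa's published x-pay-token samples rather than anything stated in this thread, and the secret, API key and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

def _mac(secret, timestamp, resource_path, query_string, body):
    # Signed message: the four parts concatenated with no separators.
    message = f"{timestamp}{resource_path}{query_string}{body}".encode("utf-8")
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256)

def x_pay_token(secret, timestamp, resource_path, query_string, body):
    """xv2:<timestamp>:<lowercase hex HMAC-SHA256> (hex encoding is an assumption)."""
    mac = _mac(secret, timestamp, resource_path, query_string, body)
    return f"xv2:{timestamp}:{mac.hexdigest()}"

def base64_token(secret, timestamp, resource_path, query_string, body):
    """Same MAC bytes, base64-encoded as in the question's Apex code."""
    raw = _mac(secret, timestamp, resource_path, query_string, body).digest()
    return f"xv2:{timestamp}:{base64.b64encode(raw).decode('ascii')}"

def validate(secret, token, resource_path, query_string, body):
    """Recompute the token from the request as received and compare."""
    parts = token.split(":")
    if len(parts) != 3 or parts[0] != "xv2" or not parts[1].isdigit():
        return False
    expected = x_pay_token(secret, parts[1], resource_path, query_string, body)
    # Constant-time comparison, as a MAC check should be.
    return hmac.compare_digest(expected.encode("ascii"), token.encode("utf-8"))

# Constructed sample values (not real credentials).
SECRET = "constructed-shared-secret"
TS = "1500065746"
PATH = "payments/v1/sales"
QUERY = "apikey=CONSTRUCTED_API_KEY"
BODY = '{"encryptionType":"WebCryptoAPI"}'

def check_all():
    """Validate one good request and one variant per mismatch from the reply."""
    good = x_pay_token(SECRET, TS, PATH, QUERY, BODY)
    b64 = base64_token(SECRET, TS, PATH, QUERY, BODY)
    return {
        "matching request": validate(SECRET, good, PATH, QUERY, BODY),
        "different apikey in URL": validate(SECRET, good, PATH, "apikey=OTHER_KEY", BODY),
        "different resource path": validate(SECRET, good, "v1/sales", QUERY, BODY),
        "body with extra space": validate(SECRET, good, PATH, QUERY, BODY.replace(":", ": ")),
        "base64 digest": validate(SECRET, b64, PATH, QUERY, BODY),
    }

if __name__ == "__main__":
    for case, ok in check_all().items():
        print(f"{case:26} -> {'valid' if ok else 'Token validation failed'}")
```

In Apex, `EncodingUtil.convertToHex(hmacData)` gives the hex form of the same `Crypto.generateMac` output.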





Re: Token validation failed (code 9159) for x-pay-token value

Hi Sanobar - 


Thanks for your response.  It turns out I was calculating the HMAC value wrong.





Re: Token validation failed (code 9159) for x-pay-token value

Hello Ron

May you please share with me how you calculated the HMAC value? I have been struggling with this x-pay-token generator. I'm using Java and I have used their sample here; still it's not allowing me.

Please respond to my email at:
Regular Visitor

Re: Token validation failed (code 9159) for x-pay-token value

I have a similar problem where the most likely thing to go wrong is the resource path area, where I've tried many times to generate tokens in code that won't work, but the token generated on SoapUI will work.

Community Scholar

Re: Token validation failed (code 9159) for x-pay-token value

@Jitesh_Shah  or @shrtando  - are you able to help out here? 


