X-Pay-Token Encryption Issues For Postman (Visa InApp)

New Contributor

X-Pay-Token Encryption Issues For Postman (Visa InApp)



We're facing an issue when manually testing in sandbox the Visa Inapp API. Specifically we are trying to hit the (https://sandbox.api.visa.com/inapp/provisioning/cardData/applePay) endpoint. 


In postman - we have a Pre-request Script with the below logic


var resourcePath = 'inapp/provisioning/cardData/applePay';
var queryParams = 'apiKey=<API_KEY>'';
var sharedSecret = '<SHARED_KEY>';
var postBody = pm.request.body.toString();

var timestamp = Math.floor(Date.now() / 1000);
var preHashString = timestamp + resourcePath + queryParams + postBody;
var hashString = CryptoJS.enc.Hex.stringify(CryptoJS.HmacSHA256(preHashString, sharedSecret));
var xPayToken = 'xv2:' + timestamp + ':' + hashString;

postman.setEnvironmentVariable('x-pay-token', xPayToken);

with the POST endpoint being https://sandbox.api.visa.com/inapp/provisioning/cardData/applePay?apiKey=<API_KEY>

The body is: 

    "vCardID": "<DATA_HERE>",
    "deviceCert": "<DATA_HERE>",
    "nonceSignature": "<DATA_HERE>",
    "nonce": "<DATA_HERE>"


I have a header to have x-pay-token set based on the pre-request script env variable, and the param of the apiKey is also set. 


Currently I am getting a 

    "responseStatus": {
        "status": 401,
        "code": "9159",
        "severity": "ERROR",
        "message": "Token Validation Failed",
        "info": ""

And I am not sure why - I can see on a console.log() call in the pre-request script that the x-pay-token does get created. Any help on anything that we might have not considered would be much appreciated, thanks!


Community Moderator

Re: X-Pay-Token Encryption Issues For Postman (Visa InApp)

Hi, @vbcoreuserThank you for reaching out. Our agent will look into this and get back to you soon. In the meantime, if anyone has any ideas that you feel may help, please share them here.  -Jenn

Visa Developer Support Specialist

Re: X-Pay-Token Encryption Issues For Postman (Visa InApp)

Hi @vbcoreuser,


The 401 Token Validation Failed error you're getting will be seen when the x-pay-token sent in the header is invalid. 

A couple of things I'd like you to note while generating the token: 

  1. For starters, please follow the getting started documentation to generate a valid token. https://developer.visa.com/pages/working-with-visa-apis#get-started-overview  
  2. APIkey in the url query param should be the same as the one used to generate xpayToken 
  3. “resourcePath” sent in the xpaytoken has to be as per the documentation (eg: v2/payments?apikey={apikey}). 
  4. Payload sent in the request payload should exactly match along with spaces to the “requestBody” value used in xpaytoken. 


Also, could you check to see if you're passing a correct value for URI. For example, make sure it’s defined correctly in the beginning of your code, and use the same value for the URI in the middle of your code. In general, for cases like this (i.e. “helloworld works, but the API XX doesn’t”) I'd like to ask of you, if you could, to please extend your SOAPUI project, and make sure that you can call a particular API from SOAPUI project first.