error 9159 token validation failure

Regular Visitor

error 9159 token validation failure

dear all,

i wanted to test the payment API via soap ui.


so i prepared the following Groovy script to the generate the request token


import javax.crypto.Mac;


import javax.crypto.spec.SecretKeySpec;
def hmac(String secretKey, String data) {
 Mac mac = Mac.getInstance("HmacSHA256")
 SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA256")
 byte[] digest = mac.doFinal(data.getBytes())
 return digest
def APIKey = 'MY API KEY'
def sharedSecret = 'My Secret'
def URI = "v2/payments"
def QS = "apikey="+APIKey
def timeStampUTC = String.valueOf(System.currentTimeMillis().intdiv(1000L))
def payload = "{"+
    "\"clientReferenceInformation\": {"+
        "\"code\": \"TC50171_3\""+
    "\"processingInformation\": {"+
        "\"commerceIndicator\": \"internet\""+
    "\"aggregatorInformation\": {"+
        "\"subMerchant\": {"+
            "\"cardAcceptorID\": \"1234567890\","+
            "\"country\": \"US\","+
            "\"phoneNumber\": \"650-432-0000\","+
            "\"address1\": \"900 Metro Center\","+
            "\"postalCode\": \"94404-2775\","+
            "\"locality\": \"Foster City\","+
            "\"name\": \"Visa Inc\","+
            "\"administrativeArea\": \"CA\","+
            "\"region\": \"PEN\","+
            "\"email\": \"\""+
        "\"name\": \"V-Internatio\","+
        "\"aggregatorID\": \"123456789\""+
    "\"orderInformation\": {"+
        "\"billTo\": {"+
            "\"country\": \"US\","+
            "\"lastName\": \"VDP\","+
            "\"address2\": \"Address 2\","+
            "\"address1\": \"201 S. Division St.\","+
            "\"postalCode\": \"48104-2201\","+
            "\"locality\": \"Ann Arbor\","+
            "\"administrativeArea\": \"MI\","+
            "\"firstName\": \"RTS\","+
            "\"phoneNumber\": \"999999999\","+
            "\"district\": \"MI\","+
            "\"buildingNumber\": \"123\","+
            "\"company\": \"Visa\","+
            "\"email\": \"\""+
        "\"amountDetails\": {"+
            "\"totalAmount\": \"102.21\","+
            "\"currency\": \"USD\""+
    "\"paymentInformation\": {"+
        "\"card\": {"+
            "\"expirationYear\": \"2031\","+
            "\"number\": \"5555555555554444\","+
            "\"securityCode\": \"123\","+
            "\"expirationMonth\": \"12\","+
            "\"type\": \"002\""+

def HMACDigest = hmac(sharedSecret, timeStampUTC + URI + QS + payload)
def encodedDigest = HMACDigest.encodeHex().toString()
def XPayToken = "xv2:"+ timeStampUTC + ":" + encodedDigest
testRunner.testCase.setPropertyValue("xpayToken", XPayToken)



however when using it, in the request, i have

{"responseStatus": {
   "code": "9159",
   "severity": "ERROR",
   "info": "",
   "status": 401,
   "message": "Token validation failed"


My request was the following:

Accept-Encoding: gzip,deflate
Content-Type: application/json
x-pay-token: xv2:1527259011:1a6534e2bfee3a64bafe90708180dbb0790bf2260a985b206c28a012c7807134
Content-Length: 1549
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)


    "clientReferenceInformation": {
        "code": "TC50171_3"
    "processingInformation": {
        "commerceIndicator": "internet"
    "aggregatorInformation": {
        "subMerchant": {
            "cardAcceptorID": "1234567890",
            "country": "US",
            "phoneNumber": "650-432-0000",
            "address1": "900 Metro Center",
            "postalCode": "94404-2775",
            "locality": "Foster City",
            "name": "Visa Inc",
            "administrativeArea": "CA",
            "region": "PEN",
            "email": ""
        "name": "V-Internatio",
        "aggregatorID": "123456789"
    "orderInformation": {
        "billTo": {
            "country": "US",
            "lastName": "VDP",
            "address2": "Address 2",
            "address1": "201 S. Division St.",
            "postalCode": "48104-2201",
            "locality": "Ann Arbor",
            "administrativeArea": "MI",
            "firstName": "RTS",
            "phoneNumber": "999999999",
            "district": "MI",
            "buildingNumber": "123",
            "company": "Visa",
            "email": ""
        "amountDetails": {
            "totalAmount": "102.21",
            "currency": "USD"
    "paymentInformation": {
        "card": {
            "expirationYear": "2031",
            "number": "5555555555554444",
            "securityCode": "123",
            "expirationMonth": "12",
            "type": "002"



any idea?





Visa Dev Moderator

Re: error 9159 token validation failure

Hi @nono,


The 401 Token Validation Failed error you're getting will be seen when the x-pay-token sent in the header is invalid.


A couple of things I'd like you to note while generating the token:

1. For starters, please follow the getting started documentation to generate a valid token.

2. APIkey in the url query param should be the same as the one used to generate xpayToken

3. “resourcePath” sent in the xpaytoken has to be as per the documentation (eg: v2/payments?apikey={apikey}).

4. Payload sent in the request payload should exactly match along with spaces to the “requestBody” value used in xpaytoken.


Can you please provide the request payload of this API call via screenshot? It's possible that you're missing a field or have an inaccurate format. I'd like to see screenshot attachments of the error provided.


Also, could you check to see if you're passing a correct value for URI. For example, make sure it’s defined correctly in the beginning of your code, and use the same value for the URI in the middle of your code. In general, for cases like this (i.e. “helloworld works, but the API XX doesn’t”) I'd like to ask of you, if you could, to please extend your SOAPUI project, and make sure that you can call a particular API from SOAPUI project first.


Was your question answered? Don't forget to click on "Accept as Solution" to help other devs find the answer to the same question.


Regular Visitor

Re: error 9159 token validation failure

thank you Diana.

Indeed i discovered yesterday that it was very important that the body is exactly the same than the one in request body.


It works perfectly now !