Card Link (v1)
Download OpenAPI specification:Download
Card Link is the concept of resolving a payment method to a non-sensitive 3rd party id.
Card Link may be used in multiple use-cases, for example
- Loyalty member id lookup A card is enrolled with a member id
- Company card identification A card enrolled with a company id
- Group splitting Cards are enrolled with a group id which can be used to e.g. tell groups apart
The basic idea in Card Link is that when the card is used, the payment terminal returns a card token or PAR value, which can then be used
to look up a previously defined id for that card.
The id (userId) is set at enrolment of the payment card, and could be e.g. a loyalty member id or any other desired reference.
UserId for a card cannot be updated at a later date.
Basic Card Link
Provides Card Link lookups using the card token and card manipulation such as enrolment via cardframe, list, delete, etc. via Storebox Card API.
Terminal Card Link
Extending Basic Card Link functionality via terminals running Viking and OnePA. This allows in-store card enrolment and card lookups through Baxi commands.
API based card enrolment
Via a dedicated PCI compliant API cards can be enrolled programmatically. Please note that adding cards programmatically carries extensive security requirements and may even require PCI-DSS certification on integrator side.
All data exchange is in JSON and is UTF-8 encoded. To ensure forward compatibility, client implementations must be resilient to new elements being added to the API responses in the future.
The API has the following rate limiting to ensure performant operation:
| Operation | Limit |
|---|---|
| Add card | 1 per second |
| List/delete card | 10 per second |
| Lookup card | 1000 per second |
If higher rates are required, Storebox must be contacted in advance to avoid automatic blacklisting.
The table below describes the two environments that are available.
| Environment | Description |
|---|---|
| Test | All development should be done using this environment. The implementation is end-to-end testable using test equipment, for example test terminals. Note that this environment also acts as internal test environment, so there may be short outages. |
| Production | Live environment that works with production terminal |
To start using Card Link you must first get an API key from Storebox.
Card manipulation using Card API
Handling of card life-cycle management like, add, delete and list is done through Card API. After a card has been added it is available for card link lookups thus it is strongly recommended to implement card manipulation, or at least adding, before card lookup.
Interaction with Card API is server to server. For card enrolment, the generated CardFrame URL is supplied to the client.
Cards enrolled via Card API CardFrame are based on user interaction and are immediately active.
Cards enrolled as part of Terminal Card Link (in-store via terminal) must be activated in order to become available for lookups.
Card lookup
Card lookup is typically done by the ECR before a transaction, so that e.g. the amount can be adjusted according to a discount level or likewise. The lookup may, of course, be done at any favorable point in the payment process.
Using Basic Card Link the ECR fetches the card token from the terminal and calls Card Link lookup.
The result will either be a 404 Not Found if the card is unknown, otherwise the user id and a card id is returned.
| Term | Description |
|---|---|
| Token | A token is a non-sensitive representation of the payment card, and cannot be used for payment nor any other actions with fiscal impact. The value may change at random for the same payment card. Tokens are not standard and thus implementation highly depends on the terminal Payment Application (PA). |
| cardRef | A token as described above. Available via Viking and OnePA. |
| Funding PAN (FPAN) | The card number on the physical payment card |
| Token PAN (TPAN) | A virtual card number that is issued when a payment card is added to a wallet like Apple Pay or Google Pay. A TPAN is issued per device. |
| PAR | Payment Account Reference (PAR) is a standard specified by EMVCo which is static value for cross referencing the FPAN and any derived TPANs. One can think of a PAR value as a shared token across the physical and any virtual cards derived hereof. |
- Card Lookup
- Card Enrolment
- Card Activation
- Online card enrolment and management
- Short path to receipt delivery
Card lookup is handled via a high availability, high performance card lookup endpoint.
Card manipulation is handled via Storebox Card API
- Add card: Insertion of a new card is done via Storebox Card API card frame. An html form that can be styled and internationalized as needed.
- List cards: List cards associated with a specific userId.
- Delete card: Delete a specific card identified by a specific externalCardId.
Card Lookup
Check if a card is known and which id is registered on card.
query Parameters
| token required | string Token or PAR referencing the user's card. Please make sure to URL encode the token/PAR. |
Responses
Response samples
- 200
[- {
- "userId": "d17458f2-4764-4096-867b-06f6f47a6941",
- "externalCardId": "cf840424bf2f403582384a810247aaf4"
}
]The addition of the 'Terminal Card Link' package enables the use of Viking and OnePA terminals as clients for card lookup and card enrolment.
The methods described herein are not available via Storebox Card Link API, but solely via Baxi. The inclusion in this documentation serves to provide basic examples of the responses that may be expected in the "payload" object of the response when using Baxi functions to facilitate Storebox Card Link operations.
Baxi uses its own error codes, error messages and has its own possible failures in Baxi context.
Check if a card is known and which userId is registered on a known card using the terminal operation getAsset.
Lookup happens towards Storebox Card Link API from the terminal instead of via integration to Storebox CardLink API.
Baxi structure is defined by Nets. Currently the response from Storebox is contained as payload under da.dam2ra.getasset.asset.attributes.
Card Link API responses are contained within the cardlinkapi object under the root object payload from Storebox' systems.
Besides structural differences, the response via getAsset is the same as Card Lookup in Basic Card Link.
Example of succesful card lookup response via Baxi
{
"payload": {
"cardlinkapi": {
"users": [
{
"userId": "511618771",
"externalCardId": "ha0u3xb395c4lps1hbfajrdbotq3f4h7"
},
{
"userId": "797745330",
"externalCardId": "x83is6m0uf3c55icykcihhraizfsnaj3"
}
]
}
}
}
Available via the Baxi insertAsset operation and delivers the card to Storebox in a 'pending verification' state. Card awaits activation call.
Example of succesful card enrolment response via Baxi
{
"payload": {
"id": "800unxobgxyrguqqv11ankz0vsuy2p5w",
"posapi": {
"userId": [
{
"type": "pan",
"value": "f37388e0-0a1f-11eb-b596-5c4242535400"
}
]
},
"cardlinkapi": {
"activationCode": "969fc04a-d102-4c2e-b04f-808d0b9ea5d6"
}
}
}
Status codes and messages are Baxi specific. Documentation must be provided by Nets.
For complete documentation of getAsset and insertAsset in a Baxi context, please refer to NETS documentation.
For a quick'n'dirty flow introduction you may consult our getting started guide to Viking, but please note that it is NOT usable as direct copy/paste reference as Baxi action codes etc. may have changed and thus Nets Baxi documentation must be consulted.
Get all pending cards
!! Card API !!
Return all pending cards registered to the caller. The result is pageable and sortable.
query Parameters
| page | integer <int32> Pagenumber to return. The page index is zero-based. Defaults to 0 (zero) |
| size | integer <int32> Elements returned per page. Defaults to 100. |
| sort | string^(activationCode|created),(asc|desc)$ Sort the returned content. Defaults to 'sort=created,desc'. Sort can have any of the values: activationCode, created. In addition to defining the field to sort in, the sort direction is also defined in this field by either asc or desc Example: '...&sort=activationCode,asc&...' |
Responses
Response samples
- 200
{- "content": [
- {
- "provider": "storebox",
- "activationCode": "b84aba71-b364-4297-ac4c-a52817ec613a",
- "parameters": "storeid=store_141",
- "entryExpires": "2014-05-14T15:22:11Z",
- "created": "2014-05-14T15:22:11Z"
}
], - "totalElements": 1000,
- "totalPages": 10,
- "first": true,
- "last": false,
- "numberOfElements": 100,
- "page": 0
}Check existence of an activationCode
!! Card API !!
Verify existence of a specific activationCode before calling activate card, or before creating user profile in external system. This is not strictly necessary, but may help communicate what is going to happen to the end user.
The endpoint will return 404 if the activation code is not found, which may be the case if it is expired or already used.
path Parameters
| activationCode required | string Example: b84aba71-b364-4297-ac4c-a52817ec613a Check existence of an activationCode |
Responses
Activate a pending card
!! Card API !!
Finalizes enrolment of a card where the enrolment was started from a terminal.
There are several cases, where the request may fail.
activationCodemight not exist. This may happen if it was already used or it has expired (default TTL is 30 days).- The user id has more cards registered than what is allowed. The default is 5, but can be in/de-creased by contacting Storebox Partner support.
- If the configuration disallows duplicate card and the card is already registered.
- The card is of a card type that is not allowed. For example if the system if configured to only allow Visa and Mastercard, then all other card types would be rejected.
path Parameters
| activationCode required | string Example: b84aba71-b364-4297-ac4c-a52817ec613a Activate the pending card |
Request Body schema: application/json
| userId required | string The userId provided when the card was registered |
Responses
Request samples
- Payload
{- "userId": "d17458f2-4764-4096-867b-06f6f47a6941"
}