thredd.comDocumentation Portal

Get Encrypted Data

Suggest Edits

The Get Encrypted Data endpoint enables you to share secure card data to a cardholder's device.

You can get encrypted data by making a POST request to the Get Encrypted Data endpoint. For example:

{{base-url}}/cards/{{PublicToken}}/encrypted

The device-generated session key must be included in the request body to the endpoint. The value of the key is a base64 encoded string, comprising of an AES key that you've encrypted with your company specific public RSA key provided to you by Thredd.

📘

Note

If you are not PCI DSS compliant then the key must be generated and encrypted on the device.

📘

Note

For information on how to create an AES Key, see Introduction to Sending Secure Data.

When you have the encoded key, add it to the request body. The below is an example of what the body should look like.

{     

    “key”: “a6hse8g8wspi5mgtZfLshBJYuMbW3x8jpSqNlOxnk3r5eoDd2z0XB/5/OtJDixJCA1XbxhZWu9Tm601mA6jJKED3+E+VRiwz9IVxPGi9+RSvCp8KXWCoun1vZovVRaufXN4QNNuA3iBYyy/6D8wYpDl/3rtCLE3VdZ+L0dFdX22SSeS23T2BhaZJD0jq3XSqyJnmgdElNsX9nerL6mTkhTCvEuJYom9Pv/MolWnXtZ/jhghZxEjZogmN1zOsoeB6BlMMPD+fUgGNpJH8nkdKPqN8bM+sfD4oiT9VsQeUVnrFd5jzzlZDc7J+PBIE9w6tYg93IaEQf452y7E2eZRIwA==”

}

A successful response will return a HTTP 200 response code, as in the following example response:

{
    "iv": "6gq/DgXSllG/U+fVjlWV6Q==",
    "encryptedPayload": "shLEyy/H/6BYqS3zI9oHI0UBaK2x6s0ZPWRITkZYFItBN8p+UDc/xX0binhN9J7LbNAIt4LkBv2n3MSKs3+3Gg==",
    "signatureOfPayloadAndIv": "mk0GpVNR6ksQFpWS5m4boCS8WJSB4Popuikce+W0eubFH2vMcQ3XyASqnG0rKNaKW0MbgI7V6u5ZkbPllhroczn01ZhZAwYUWPD72KFpe4bBZjAjzdPkBzYc2SBybUBRey/5Q2VuGGlBG0hw/LmHRfOqCh1sA9EFE/c06jjCvGcqPmV6dAIKzE6/JK8oG+9JU89b+cznuKAJPa/qhX1f0VZkLriXMTu7Fv6wPF0gFnETDJJW0J/va7O5zynlvxYs86umP2h5MM2+/RgFzPOnleeE5mczlPGPtFS+KRuUWAQL2CwnWI+JLMEAeUngFE3wWic8h8GzIEVpWPeuNcaPxA=="
}

📘

Verifying the Signature

To verify the signature (to ensure the message and data has come from Thredd), you will need to decode each field and combine the EncryptedData & IV arrays into one. You should then verify this combined Encrypted Data and IV array against the signature using the generic Thredd public RSA key which we have provided.

To extract the card data, use the IV with the unencrypted AES key to decrypt the EncryptedData from the response into a decrypted data object. See the below example:

{
    "PAN": "9999990146686890",
    "CVV": "684"
}

Updated about 2 months ago