Single-Use-Tokens API

Single-use-tokens API

Single-use-tokens allow you to avoid sending card or bank account details to your server.

Single-use-tokens can be used to:

Single-use-tokens can only be used once for the above actions, and will expire after 10 minutes.

Single-use-tokens can be used to perform 3D Secure Authentication without being consumed. The token is then consumed by the actions listed above.

Generate token

Use this resource to generate a single-use-token using a credit card or bank account.

This resource is most commonly used by the Trusted Frame.

Your PCI DSS compliance costs may be lower when your server does not store or process credit card details.

Request

POST `/single-use-tokens`

Use your Publishable API key to access this resource.

Request body

Field	Format	Data
`supplierBusinessCode`	`string`	The business to be used for validation of other fields. This value will not be checked when using the token to make payments or register accounts. Accepted values can be obtained via the Businesses API.
`accountType`	`string`	One of: `CREDIT_CARD`, `DIRECT_DEBIT`, `DIRECT_DEBIT_NZ`.
`cardholderName`	`string`	Optional. Name printed on the card. For `CREDIT_CARD` only.
`cardNumber`	`string`	Digits printed on the card. For `CREDIT_CARD` only.
`expiryDateMonth`	`string`	Two digit expiry month. For `CREDIT_CARD` only.
`expiryDateYear`	`string`	Four digit expiry year. For `CREDIT_CARD` only.
`cvn`	`string`	Optional. Card Verification Number. Also known as Security Code, CVV2 and CVC2. The three or four digit security code. For `CREDIT_CARD` only.
`accountName`	`string`	Name of account holder. For `DIRECT_DEBIT` only.
`bsb`	`string`	The bank-state-branch holding their account. For `DIRECT_DEBIT` only.
`accountNumber`	`string`	The account number at that branch. For `DIRECT_DEBIT` only.
`nzAccountName`	`string`	Name of account holder. For `DIRECT_DEBIT_NZ` only.
`nzBankCode`	`string`	The bank code holding their account. For `DIRECT_DEBIT_NZ` only.
`nzBranchCode`	`string`	The branch of the bank holding their account. For `DIRECT_DEBIT_NZ` only.
`nzAccountNumber`	`string`	The account number at that branch. For `DIRECT_DEBIT_NZ` only.
`nzAccountSuffix`	`string`	The account suffix. For `DIRECT_DEBIT_NZ` only.
`threeDS2`	`boolean`	Optional. `true` indicates to QuickStream that 3D Secure authentication should be attempted.
`browserProfile`	Browser Profile	Required when `threeDS2`=`true`. The cardholder's browser information.

Browser Profile model

All fields are required when threeDS2=true.

Field	Format	Data
`browserJavaEnabled`	`boolean`	The `navigator.javaEnabled` value indicating if the cardholder's browser is able to execute Java.
`browserLanguage`	`string`	The `navigator.language` value representing language of the cardholder's browser, as defined in IETF BCP 47. Max length of 8 digits.
`browserScreenHeight`	`string`	The `screen.height` value representing the total height of the cardholder's screen in pixels. Max length of 6 digits.
`browserColorDepth`	`string`	The `screen.colorDepth` value representing the colour depth of the cardholder's screen in bits per pixel. Values are `1`,`4`,`8`,`15`,`16`,`24`,`32`,`48`.
`browserScreenWidth`	`string`	The `screen.width` value representing the total width of the cardholder's screen in pixels. Max length of 6 digits.
`browserTZ`	`string`	The `getTimezoneOffset()` value representing the time-zone offset in between UTC and the local time of the cardholder's browser in minutes. Max length of 5 characters.

Example requests

To generate a single-use-token for a card account from fully PCI-DSS compliant software:

{
    "supplierBusinessCode": "MYSUPPLIER",
    "accountType" : "CREDIT_CARD",
    "cardholderName" : "Jane Smith",
    "cardNumber" : "4242424242424242",
    "expiryDateMonth": "12",
    "expiryDateYear": "2027",
    "cvn": "123"
}

To generate a single-use-token for an Australian bank account:

{
    "supplierBusinessCode": "MYSUPPLIER",
    "accountType" : "DIRECT_DEBIT",
    "accountName" : "Jane Smith",
    "bsb" : "032-000",
    "accountNumber": "123410"
}

To generate a single-use-token for a New Zealand bank account

{
    "supplierBusinessCode": "MYSUPPLIER",
    "accountType" : "DIRECT_DEBIT_NZ",
    "nzAccountName" : "Jane Smith",
    "nzBankCode" : "15",
    "nzBranchCode": "01",
    "nzAccountNumber": "123416",
    "nzAccountSuffix": "01"
}

To generate a 3D Secure single-use-token for a card account from fully PCI DSS compliant software:

{
    "accountType" : "CREDIT_CARD",
    "cardholderName" : "Amira Spenar",
    "cardNumber" : "4242424242424242",
    "expiryDateMonth": "12",
    "expiryDateYear": "2027",
    "cvn": "123",
    "supplierBusinessCode": "MYSUPPLIER",
    "threeDS2": true,
    "browserProfile": {
        "browserJavaEnabled": true,
        "browserLanguage": "en",
        "browserColorDepth": "1",
        "browserScreenHeight": "1000",
        "browserScreenWidth": "2000",
        "browserTZ": "60"
    }
}

Response

If you send valid fields a Single-use-token model is returned:

a singleUseTokenId is returned in the response,
the masked credit card or bank account details and surcharge percentage are returned in the response for you to use in a confirmation step,
the credit card or bank account details are stored in QuickStream for 10 minutes,
you should send the singleUseTokenId in a request to take a payment or register an account.

Single use token model

Field	Format	Data
`links`	Array of Links	Links to related resources and documentation.
`singleUseTokenId`	`string`	The single-use-token.
`accountType`	`string`	`CREDIT_CARD`, `DIRECT_DEBIT`, `DIRECT_DEBIT_NZ`, `APPLE_PAY`, `GOOGLE_PAY`.
`creditCard`	Credit Card	For credit card account types, masked account information and surcharge percent.
`bankAccount`	Bank Account	For Australian bank account payments, masked account information.
`nzBankAccount`	New Zealand Bank Account	For New Zealand bank account payments, masked account information.

Credit card model

Field	Format	Description
`cardNumber`	`string`	Masked credit card number displaying the first 6 and last 3 digits.
`expiryDateMonth`	`string`	Two digit expiry month.
`expiryDateYear`	`string`	Two digit expiry year.
`cardScheme`	`string`	The card scheme. `VISA`, `MASTERCARD`, `AMEX`, `DINERS`, `JCB`, or `UNIONPAY`.
`cardType`	`string`	The card type. `CREDIT`, `DEBIT`. Note: This is only for `VISA` and `MASTERCARD`. Other card types may be added in the future.
`cardholderName`	`string`	The name printed on the card.
`surchargePercentage`	`string`	Percentage added to payments for the credit card type.
`maskedCardNumber4Digits`	`string`	Masked credit card number displaying the first 6 and last 4 digits.
`threeDS2AuthRequired`	`boolean`	`true` indicates that you must perform a 3D Secure Authenication call prior to taking a payment or tokenising the card.
`threeDS2`	`object`	3D Secure browser information.
`threeDS2Status`	`string`	A status indicating the state of the 3D Secure authentication flow.

Bank account model

Field	Format	Description
`accountName`	`string`	Name of account holder.
`bsb`	`string`	The masked bank-state-branch holding their account.
`accountNumber`	`string`	The masked account number at that branch.

New Zealand bank account model

Field	Format	Description
`nzAccountName`	`string`	Name of account holder.
`nzBankCode`	`string`	The bank holding their account.
`nzBranchCode`	`string`	The branch holding their account.
`nzAccountNumber`	`string`	The account number at that branch.
`nzAccountSuffix`	`string`	The type of account.

HTTP status codes

See HTTP Status Codes for more.

Status Code	Description	More information
`200`	OK	The request has succeeded.
`401`	UNAUTHORIZED	You may have used a Secret API Key instead of your Publishable API Key, or your key has expired. View more.
`422`	UNPROCESSABLE ENTITY	If you send invalid fields, you will receive a 422 Unprocessable Entity response.
`429`	TOO MANY REQUESTS	You may have exceed your token quota. View more.

Example responses

{
  "links": [],
  "singleUseTokenId": "6a8f86e6-dfc0-4306-b07d-c7df137234aa",
  "accountType": "CREDIT_CARD",
  "creditCard": {
    "cardNumber": "424242...242",
    "expiryDateMonth": "01",
    "expiryDateYear": "17",
    "cardScheme": "VISA",
    "cardType": "CREDIT",
    "cardholderName": "Jane Smith",
    "cardType": "CREDIT",
    "maskedCardNumber4Digits": "424242...4242",
    "surchargePercentage": "0.400"
  }
}

Example Apple Pay response body:

{
  "links": [],
  "singleUseTokenId": "6a8f86e6-dfc0-4306-b07d-c7df137234aa",
  "accountType": "APPLE_PAY"
}

Example Google Pay response body:

{
  "links": [],
  "singleUseTokenId": "6a8f86e6-dfc0-4306-b07d-c7df137234aa",
  "accountType": "GOOGLE_PAY"
}

3D Secure Authentication

Authentication is the process of confirming that the person making an e-commerce transaction is entitled to use the payment card.

When you generate a single use token and the response indicates creditCard.threeDS2AuthRequired=true, your next step is to authenticate.

Request

POST `/single-use-tokens/{singleUseTokenId}/three-ds2-authentication`

Use your Secret API key to access this resource.

Request body

To authenticate the card stored in a single-use token using 3D Secure, send these fields:

Authentication Purpose: the reason for authenticating the card, and your merchant facility
Purchase Information: the amount and frequency of intended payments
Merchant Risk Indicator: fields to allow the risk of the transaction be to calculated
Cardholder Contact Details: email and phone numbers for your customer
Billing Address: your customer's billing address
Shipping Address: the address where you will ship physical goods
Cardholder Account Information: information about the cardholder's account on your website

You should send an Idempotency-Key to ensure authentication requests are not duplicated if there is a network problem.

Make sure the cardholder can not tamper with these fields before your server sends them to QuickStream.

Authentication Purpose

Send these fields when authenticating a card.

Field Format Data

messageCategory

string

Required. How you will use the single-use token.

`01`	Payment authentication. If you will use the token to conduct a payment.
`02`	Non-payment authentication. If you will use the token to store the card details.

threeDSRequestorAuthenticationInd

string

Required. The reason for the authentication request.

`01`	Payment transaction
`02`	Recurring transaction
`03`	Instalment transaction
`04`	Add card
`05`	Maintain card
`06`	Cardholder verification as part of EMV token ID&V

Purchase Information

If you will immediately conduct a payment or a recurring series of payments, send these fields when authenticating a card.

Field	Format	Data
`principalAmount`	`string`	Required for payment, recurring and instalment transactions. Purchase amount before any surcharge is added by QuickStream.
`currency`	`string`	Required for payment, recurring and instalment transactions. `AUD`
`recurringExpiry`	`string`	Required for recurring and instalment transactions. Date after which no further payments shall be performed. Format `YYYYMMDD`.
`recurringFrequency`	`string`	Required for recurring and instalment transactions. The minimum number of days between authorisations. e.g. `28`. Max `9999`.
`purchaseInstalData`	`string`	Required for instalment transactions. Required if you and Cardholder have agreed to instalment payments. The maximum number of authorisations permitted for instalment payments. Max `999`.

Merchant Risk Indicator

Information about the specific purchase by the cardholder.

Field Format Data

deliveryEmailAddress string Optional. For electronic delivery, the email address to which the merchandise will be delivered. Max 254 characters.

deliveryTimeframe

string

Optional. Your delivery timeframe.

`01`	Electronic Delivery
`02`	Same day shipping
`03`	Overnight shipping
`04`	Two-day or more shipping

giftCardAmount string Optional. For prepaid or gift card purchases, the purchase amount total of prepaid or gift cards in whole dollars (e.g. AUD 123.45 is 123). Max 15 characters.

giftCardCount string Optional. For prepaid or gift card purchases, the total count of individual prepaid or gift cards/codes purchased. (e.g. 2 is 02). Exactly 2 digits.

giftCardCurr string Optional. For prepaid or gift card purchases, the ISO-4217 three-digit currency code of the gift card. E.g. 036 for AUD.

preOrderDate string Optional. For a pre-ordered purchase, the expected date that the merchandise will be available. Format YYYYMMDD.

preOrderPurchaseInd

string

Optional. Indicates whether the cardholder is placing an order for merchandise with a future availability or release date.

`01`	Merchandise available
`02`	Future availability

reorderItemsInd

string

Optional. Indicates whether the cardholder is reordering previously purchased merchandise.

`01`	First time ordered
`02`	Reordered

shipIndicator

string

Optional. Indicates the shipping method chosen for the transaction.

You must choose the Shipping Indicator code that most accurately describes the cardholder's specific transaction, not your general business.

If one or more items are included in the sale, use the Shipping Indicator code for the physical goods, or if all digital goods, use the Shipping Indicator code that describes the most expensive item.

`01`	Ship to cardholder's billing address
`02`	Ship to another verified address you hold on file
`03`	Ship to address that is different than the cardholder's billing address
`04`	Ship to Store / Pick-up at local store (Store address shall be populated in shipping address fields)
`05`	Digital goods (includes online services, electronic gift cards and redemption codes)
`06`	Travel and Event tickets, not shipped
`07`	Other (for example, Gaming, digital services not shipped, e-media subscriptions, etc.)

Cardholder Contact Details

Use international format for phone numbers. e.g. +61499999999.

Field	Format	Data
`email`	`string`	Optional. The email address associated with the account that is either entered by the cardholder, or that you have on file. Max 254 characters.
`homePhone`	`string`	Optional. The home phone number provided by the cardholder. Max 15 characters.
`mobilePhone`	`string`	Optional. The mobile phone number provided by the cardholder. Max 15 characters.
`workPhone`	`string`	Optional. The work phone number provided by the cardholder. Max 15 characters.

Billing Address

These fields contain the billing address associated with the card. The billing address is required if you will use the token to conduct a payment, and recommended if you will use the token to store the card details.

Field	Format	Data
`billAddrLine1`	`string`	Optional. First line of the street address or equivalent local portion. Max 50 characters.
`billAddrLine2`	`string`	Optional. Second line of the street address or equivalent local portion. Max 50 characters.
`billAddrLine3`	`string`	Optional. Third line of the street address or equivalent local portion. Max 50 characters.
`billAddrCity`	`string`	Optional. The city of the billing address. Max 50 characters.
`billAddrPostCode`	`string`	Optional. ZIP or other postal code of the billing address. Max 16 characters.
`billAddrState`	`string`	Optional. The state or province. Max 3 characters. Use the ISO 3166-2 country subdivision code. e.g. `NSW`.
`billAddrCountry`	`string`	Optional. Use the ISO 3166-1 numeric three-digit country code. e.g. `036`.

Shipping Address

Send these fields if you will ship physical goods to the cardholder:

Field	Format	Data
`addrMatch`	`string`	Optional. `Y` is Shipping Address matches Billing Address, otherwise `N`.
`shipAddrLine1`	`string`	Optional. First line of the street address or equivalent local portion. Max 50 characters.
`shipAddrLine2`	`string`	Optional. Second line of the street address or equivalent local portion. Max 50 characters.
`shipAddrLine3`	`string`	Optional. Third line of the street address or equivalent local portion. Max 50 characters.
`shipAddrCity`	`string`	Optional. The city of the shipping address. Max 50 characters.
`shipAddrPostCode`	`string`	Optional. ZIP or other postal code of the shipping address. Max 16 characters.
`shipAddrState`	`string`	Optional. The state or province. Max 3 characters. Use the ISO 3166-2 country subdivision code. e.g. `NSW`.
`shipAddrCountry`	`string`	Optional. Use the ISO 3166-1 numeric three-digit country code. e.g. `036`.

Cardholder Account Information

These fields contain optional information about the cardholder account on your website. Fields used to define a time period can be included as either the specific date, or an approximate indicator for when the action occurred. You can use either format.

If the cardholder has not signed in to your website, send these fields:

Field Format Data

chAccAgeInd

string

Optional. The length of time that the cardholder has had the account with you.

`01`	No account (guest check-out)
`02`	Created during this transaction
`03`	Less than 30 days
`04`	30-60 days
`05`	More than 60 days

paymentAccInd

string

Optional. The length of time that the payment account was enrolled in the cardholder's account with you.

`01`	No account (guest check-out)
`02`	Created during this transaction
`03`	Less than 30 days
`04`	30-60 days
`05`	More than 60 days

If the cardholder has signed in to your website, send these fields:

Field Format Data

acctID string Optional. Cardholder Account Identifier. Additional information about the account optionally provided by you. Max 64 characters.

chAccAgeInd

string

Optional. Indicates the length of time that the cardholder has had the account with you.

`01`	No account (guest check-out)
`02`	Created during this transaction
`03`	Less than 30 days
`04`	30-60 days
`05`	More than 60 days

chAccChange string Optional. The date that the cardholder's account with you was last changed, including Billing or Shipping address, new payment account, or new user(s) added. Format YYYYMMDD.

chAccChangeInd

string

Optional. The length of time since the cardholder's account information with you was last changed, including Billing or Shipping address, new payment account, or new user(s) added.

`01`	Changed during this transaction
`02`	Less than 30 days
`03`	30-60 days
`04`	More than 60 days

chAccDate string Optional. The date that the cardholder opened the account with you. Format YYYYMMDD.

chAccPwChange string Optional. The date that cardholder's account with you had a password change or account reset. Format YYYYMMDD.

chAccPwChangeInd

string

Optional. Indicates the length of time since the cardholder's account with you had a password change or account reset.

`01`	No change
`02`	Changed during this transaction
`03`	Less than 30 days
`04`	30-60 days
`05`	More than 60 days

nbPurchaseAccount string Optional. The number of purchases with this cardholder account during the previous six months. Max 9999.

paymentAccAge string Optional. The date that the payment account was enrolled in the cardholder's account with you. Format YYYYMMDD.

paymentAccInd

string

Optional. Indicates the length of time that the payment account was enrolled in the cardholder's account with you.

`01`	No account (guest check-out)
`02`	Created during this transaction
`03`	Less than 30 days
`04`	30-60 days
`05`	More than 60 days

provisionAttemptsDay string Optional. The number of Add Card attempts in the last 24 hours. Max 999.

shipAddressUsage string Optional. The date when the shipping address used for this transaction was first used with you. Format YYYYMMDD.

shipAddressUsageInd

string

Optional. Indicates when the shipping address used for this transaction was first used with you.

`01`	This transaction
`02`	Less than 30 days
`03`	30-60 days
`04`	More than 60 days

shipNameIndicator

string

Optional. Indicates if the Cardholder Name on the account is identical to the shipping Name used for this transaction.

`01`	Account Name identical to Shipping Name
`02`	Account Name different to Shipping Name

suspiciousAccActivity

string

Optional. Indicates whether you have experienced suspicious activity (including previous fraud) on the cardholder account.

`01`	No suspicious activity has been observed
`02`	Suspicious activity has been observed

txnActivityDay string Optional. The number of transactions (successful and abandoned) for this cardholder account across all payment accounts in the previous 24 hours. Max 999.

txnActivityYear string Optional. The number of transactions (successful and abandoned) for this cardholder account across all payment accounts in the previous year. Max 999.

Response

If successful, this method returns a 3D Secure Authentication Response Model in the response body.

3D Secure Authentication Response Model

The 3D Secure authentication response indicates the outcome of the authentication.

Field Format Description

transStatus

string

Use the transStatus to choose what to do next.

`A`	Frictionless Flow
`C`	Challenge Flow
`N`	Authentication Failed
`R`	Authentication Failed
`U`	Authentication Failed
`Y`	Frictionless Flow

Frictionless Flow (`A` or `Y`)

The Frictionless Flow does not require further cardholder interaction to achieve a successful authentication and complete the 3D Secure authentication process.

If you receive a A or Y response, you must send a request with threeDS2=true to:

Challenge Flow (`C`)

Further cardholder interaction is required to complete the authentication.

If you receive a C response, you must display a web page containing a challenge iFrame. To do this, call the javascript function quickstreamapi.creditCards.createChallengeFrame.

After the challenge has been attempted, you will receive an updated transStatus or javascript callback to allow you to continue.

Authentication Failed (`N`, `R` or `U`)

If you receive a N or R or U response, you must display a web page indicating that authentication has failed.

Do not take a payment or register an account.

HTTP status codes

See HTTP Status Codes for more.

Status Code	Description	More information
`200`	OK	The request has succeeded. Use `transStatus` to determine the next step.
`401`	UNAUTHORIZED	You may have used a Secret API Key instead of your Publishable API Key, or your key has expired. View more.
`404`	NOT FOUND	The `singleUseTokenId` provided in the path is invalid or has expired.
`422`	UNPROCESSABLE ENTITY	If you send invalid fields, you will receive a 422 Unprocessable Entity response.
`429`	TOO MANY REQUESTS	You may have exceed your token quota. View more.
`503`	FORBIDDEN	`3DS2 not allowed for community` - Your QuickStream facility is not enabled for 3D Secure. To enable it you must contact your Westpac representative.

Example request and response

{
    "messageCategory": "01",
    "threeDSRequestorAuthenticationInd": "01",
    "principalAmount": "10.00",
    "currency": "AUD",
    "recurringExpiry": "20240926",
    "recurringFrequency": "31",
    "purchaseInstalData": "6",
    "deliveryEmailAddress": "customer@example.com.au",
    "deliveryTimeframe": "02",
    "giftCardAmount": "124",
    "giftCardCount": "02",
    "giftCardCurr": "036",
    "preOrderDate": "20210926",
    "preOrderPurchaseInd": "02",
    "reorderItemsInd": "02",
    "shipIndicator": "02",
    "email": "customer@example.com.au",
    "homePhone": "+61499999999",
    "mobilePhone": "+61499999999",
    "workPhone": "+61499999999",
    "billAddrLine1": "Shop 11",
    "billAddrLine2": "Level 2",
    "billAddrLine3": "New Village",
    "billAddrCity": "Newcastle",
    "billAddrPostCode": "2000",
    "billAddrState": "NSW",
    "billAddrCountry": "036",
    "addrMatch": "Y",
    "shipAddrLine1": "Shop 11",
    "shipAddrLine2": "Level 2",
    "shipAddrLine3": "New Vilage",
    "shipAddrCity": "Newcastle",
    "shipAddrPostCode": "2000",
    "shipAddrState": "NSW",
    "shipAddrCountry": "036",
    "acctID": "CUST12345678",
    "chAccAgeInd": "01",
    "chAccChange": "20220926",
    "chAccChangeInd": "01",
    "chAccDate": "20220926",
    "chAccPwChange": "20220926",
    "chAccPwChangeInd": "01",
    "nbPurchaseAccount": "2",
    "paymentAccAge": "20220926",
    "paymentAccInd": "01",
    "shipAddressUsage": "20220926",
    "shipAddressUsageInd": "03",
    "provisionAttemptsDay": "2",
    "shipNameIndicator": "02",
    "suspiciousAccActivity": "02",
    "txnActivityDay": "2",
    "txnActivityYear": "61"
}

{
  "transStatus": "Y"
}