> ## Documentation Index
> Fetch the complete documentation index at: https://developer.hellgate.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Tokenize Google Pay

> Turn a Google Pay payment into a stored wallet token. Pass the `PaymentMethodToken` envelope exactly as Google Pay returns it — Guardian verifies the ECv2 signature chain and decrypts the payload server-side, so the decrypted card data never touches your systems.

The resulting wallet token carries one of two authentication methods, reflected in the `auth_method` field:

- `CRYPTOGRAM_3DS` — a device-bound token with DPAN and cryptogram, forwardable once.
- `PAN_ONLY` — a card-on-file token with the funding PAN, forwardable repeatedly and eligible for [promotion to a network token](/products/guardian/tokens/wallet-tokens/google-pay#promotion).

Submitting the same envelope twice returns `409` with the classifier `GOOGLE_PAY_DUPLICATE_PAYLOAD`. Rejected envelopes return `422` with a classifier naming the cause: `GOOGLE_PAY_SIGNATURE_INVALID`, `GOOGLE_PAY_DECRYPTION_FAILED`, `GOOGLE_PAY_TOKEN_EXPIRED`, or `GOOGLE_PAY_MALFORMED_TOKEN`.

See [Google Pay](/products/guardian/tokens/wallet-tokens/google-pay) for prerequisites and the full flow.




## OpenAPI

````yaml /products/guardian/openapi.yaml post /api/wallet/google-pay/tokenize
openapi: 3.1.0
info:
  title: Guardian API
  version: '1.0'
  contact:
    name: Starfish GmbH & Co. KG
    email: hello@starfish.team
    url: https://hellgate.io/cpa/guardian
  license:
    name: Hellgate API Terms
    url: https://hellgate.io/terms-and-conditions
servers:
  - url: https://{cluster_id}.on-hellgate.cloud
    description: Guardian service instance
    variables:
      cluster_id:
        default: my-cluster-id
        description: |
          Guardian is a service of the Hellgate Cloud Platform.
          The unique cluster-id is used to connect to your instance.
security: []
tags:
  - name: pci
    description: Management of card payment credentials under the ruling of PCI DSS.
  - name: network
    description: Management of network tokens and cryptograms for secure transactions.
  - name: generic
    description: Management of generic tokens and their schemas for various use cases.
  - name: metadata
    description: Inquiries for card metadata based on PAN, PCI tokens, or network tokens.
  - name: wallet
    description: >-
      Management of wallet tokens ingested from device wallets such as Google
      Pay.
  - name: apikey
    description: Management of API keys for service access.
  - name: webhook
    description: Management of webhooks for event notifications.
  - name: types
    description: Management of types for generic token schemas.
paths:
  /api/wallet/google-pay/tokenize:
    post:
      tags:
        - wallet
      summary: Tokenize Google Pay
      description: >
        Turn a Google Pay payment into a stored wallet token. Pass the
        `PaymentMethodToken` envelope exactly as Google Pay returns it —
        Guardian verifies the ECv2 signature chain and decrypts the payload
        server-side, so the decrypted card data never touches your systems.


        The resulting wallet token carries one of two authentication methods,
        reflected in the `auth_method` field:


        - `CRYPTOGRAM_3DS` — a device-bound token with DPAN and cryptogram,
        forwardable once.

        - `PAN_ONLY` — a card-on-file token with the funding PAN, forwardable
        repeatedly and eligible for [promotion to a network
        token](/products/guardian/tokens/wallet-tokens/google-pay#promotion).


        Submitting the same envelope twice returns `409` with the classifier
        `GOOGLE_PAY_DUPLICATE_PAYLOAD`. Rejected envelopes return `422` with a
        classifier naming the cause: `GOOGLE_PAY_SIGNATURE_INVALID`,
        `GOOGLE_PAY_DECRYPTION_FAILED`, `GOOGLE_PAY_TOKEN_EXPIRED`, or
        `GOOGLE_PAY_MALFORMED_TOKEN`.


        See [Google Pay](/products/guardian/tokens/wallet-tokens/google-pay) for
        prerequisites and the full flow.
      operationId: wallet_google_pay_tokenize
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/google_pay_tokenize_request'
      responses:
        '200':
          description: Success response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/wallet_token'
        '401':
          $ref: '#/components/responses/401_UnauthorizedError'
        '403':
          $ref: '#/components/responses/403_ForbiddenError'
        '409':
          $ref: '#/components/responses/409_ConflictError'
        '422':
          $ref: '#/components/responses/422_ValidationError'
      security:
        - APIKey: []
        - AdminToken: []
components:
  schemas:
    google_pay_tokenize_request:
      type: object
      properties:
        payment_method_token:
          type: object
          description: >
            Google's `PaymentMethodToken` envelope, passed through verbatim as
            returned by the Google Pay API — including its original camelCase
            keys.
          properties:
            protocolVersion:
              type: string
              enum:
                - ECv2
              description: Only the `ECv2` protocol is supported.
            signature:
              type: string
            intermediateSigningKey:
              type: object
              properties:
                signedKey:
                  type: string
                signatures:
                  type: array
                  minItems: 1
                  items:
                    type: string
              required:
                - signedKey
                - signatures
            signedMessage:
              type: string
          required:
            - protocolVersion
            - signature
            - intermediateSigningKey
            - signedMessage
      required:
        - payment_method_token
      example:
        payment_method_token:
          protocolVersion: ECv2
          signature: MEQCIH6Q4OwQ...
          intermediateSigningKey:
            signedKey: '{"keyValue":"MFkwEwYHK...","keyExpiration":"1782914400000"}'
            signatures:
              - MEYCIQDh0Ry...
          signedMessage: >-
            {"encryptedMessage":"vXlWQTgA...","ephemeralPublicKey":"BJatN...","tag":"e5nDE..."}
    wallet_token:
      title: Wallet Token
      type: object
      properties:
        id:
          type: string
          format: uuid
        kind:
          type: string
          description: >-
            The specific credential kind, e.g. `google_pay_pan_only` or
            `google_pay_cryptogram_3ds`.
          example: google_pay_pan_only
        ingestion_path:
          type: string
          description: The wallet the token was ingested from.
          example: google_pay
        scheme:
          type: string
          enum:
            - visa
            - mastercard
            - american express
            - discover
            - diners club
            - jcb
            - unionpay
        auth_method:
          type: string
          enum:
            - PAN_ONLY
            - CRYPTOGRAM_3DS
          description: >
            The authentication method of the Google Pay credential. Determines
            which placeholders are available when
            [forwarding](/products/guardian/api-reference/wallet/forward-wallet-token)
            and whether the token can be
            [promoted](/products/guardian/tokens/wallet-tokens/google-pay#promotion).
        requires_3ds:
          type: boolean
          description: >-
            Whether the payment still requires 3-D Secure authentication on your
            side.
        promoted_to:
          type: string
          format: uuid
          description: >
            The ID of the network token this wallet token was promoted to.
            `null` until the token is promoted.
        card:
          $ref: '#/components/schemas/wallet_card'
        created_at:
          type: string
          format: date-time
        deleted_at:
          type: string
          format: date-time
          description: Set when the token has been deleted and its card data scrubbed.
      required:
        - id
        - kind
        - ingestion_path
        - scheme
        - card
        - created_at
      example:
        id: 0d5c1774-5f3f-4a2f-9c86-1f30a0ea9be2
        kind: google_pay_pan_only
        ingestion_path: google_pay
        scheme: visa
        auth_method: PAN_ONLY
        requires_3ds: true
        promoted_to: null
        card:
          scheme: visa
          last4: '4242'
          expiry_month: 12
          expiry_year: 2028
        created_at: '2026-06-29T12:00:00Z'
        deleted_at: null
    wallet_card:
      type: object
      properties:
        scheme:
          type: string
          example: visa
        last4:
          type: string
          example: '4242'
        expiry_month:
          type: integer
          example: 12
        expiry_year:
          type: integer
          example: 2028
      required:
        - scheme
        - last4
        - expiry_month
        - expiry_year
    ErrorGeneric:
      type: object
      properties:
        code:
          $ref: '#/components/schemas/ErrorStatusCode'
        classifier:
          $ref: '#/components/schemas/ErrorClassifier'
        message:
          $ref: '#/components/schemas/ErrorMessage'
    ErrorValidation:
      type: object
      properties:
        code:
          $ref: '#/components/schemas/ErrorStatusCode'
        classifier:
          $ref: '#/components/schemas/ErrorClassifier'
        message:
          $ref: '#/components/schemas/ErrorMessage'
        validation_errors:
          type: array
          items:
            type: object
            properties:
              path:
                type: string
                description: Json-path in the request which points to the validation error
              message:
                type: string
                description: Human readable validation message
    ErrorStatusCode:
      type: integer
      description: The corresponding HTTP status code for the error
    ErrorClassifier:
      type: string
      description: Technical code that helps to identify the error
    ErrorMessage:
      type: string
      description: Human readable representation of the error
  responses:
    401_UnauthorizedError:
      description: Unauthorized
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorGeneric'
          example:
            code: 401
            message: No valid means of authentication was provided
            classifier: UNAUTHORIZED
    403_ForbiddenError:
      description: Forbidden
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorGeneric'
          example:
            code: 403
            message: Not allowed to access this resource or feature
            classifier: FORBIDDEN
    409_ConflictError:
      description: Conflict
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorGeneric'
          example:
            code: 409
            message: Conflict
            classifier: CONFLICT
    422_ValidationError:
      description: Validation error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorValidation'
          example:
            code: 422
            classifier: VALIDATION_ERROR
            message: Validation error
            validation_errors:
              - path: json-path
                message: human readable error message
  securitySchemes:
    APIKey:
      type: apiKey
      name: x-api-key
      in: header
    AdminToken:
      type: apiKey
      name: x-admin-token
      in: header

````