Skip to main content
Google Pay is the first device wallet supported by Guardian wallet tokens. You pass the encrypted Google Pay payload to Guardian, which verifies, decrypts, and stores the credential server-side — the decrypted card data never touches your systems.

Prerequisites

Google Pay encrypts every payload for a specific recipient. Before you can tokenize:
  1. Your instance holds an active ECv2 decryption key and is configured with your Google Pay merchant ID. Contact support to set this up.
  2. You register the public half of that key in the Google Pay & Wallet Console, so Google encrypts payloads your instance can decrypt.

Tokenizing a Google Pay Payment

When a customer completes a Google Pay sheet, the Google Pay API hands your client a PaymentMethodToken envelope. Send it to Tokenize Google Pay exactly as Google returns it — Guardian verifies the ECv2 signature chain against Google’s trusted signing keys, decrypts the payload, and stores the credential as a wallet token. The same envelope can be tokenized only once: resubmitting it returns 409 with the classifier GOOGLE_PAY_DUPLICATE_PAYLOAD.

Authentication Methods

Google Pay issues two flavors of credential. The auth_method field on the wallet token tells you which one you hold, and it determines everything downstream:
CRYPTOGRAM_3DSPAN_ONLY
CredentialDevice-bound token: DPAN, cryptogram, ECICard on file: funding PAN and expiry
ForwardingOnce — the cryptogram is single-useRepeatedly
Promotion to network tokenNot eligibleEligible
3-D SecureAuthentication carried in the cryptogramMay be required; check requires_3ds
The requires_3ds field indicates whether the payment still needs 3-D Secure authentication on your side before authorization.

Forwarding

Forwarding a wallet token works the same for every wallet; this section lists the placeholders and rules specific to Google Pay. Which placeholders a token carries depends on its auth_method:
PlaceholderCRYPTOGRAM_3DSPAN_ONLYDescription
{{ dpan }}The device PAN.
{{ cryptogram }}The 3-D Secure cryptogram.
{{ eci }}Electronic Commerce Indicator.
{{ fpan }}The funding PAN.
{{ expiry_month }}Card expiry month.
{{ expiry_year }}Card expiry year.
A CRYPTOGRAM_3DS token is single-use: the first successful forward consumes it, and later attempts return 400 with the classifier CRYPTOGRAM_CONSUMED. A PAN_ONLY token can be forwarded repeatedly. If your template references a placeholder the token’s auth_method does not carry (for example {{ fpan }} against a CRYPTOGRAM_3DS token), the forward is rejected with 422 and the classifier DESTINATION_POLICY_VIOLATION. A placeholder the token does carry but that has no value on this specific credential returns 422 with PLACEHOLDER_VALUE_MISSING. Both name the offending placeholder.

Promotion

A PAN_ONLY token carries the customer’s funding PAN, so you can promote it to a network token when you want a durable card-on-file credential with the full network token lifecycle. CRYPTOGRAM_3DS tokens carry no funding PAN and cannot be promoted — attempting to promote one returns 422 with the classifier UNSUPPORTED_WALLET_TYPE. Promotion is a regular Create token call with the wallet token as source:
{
  "source": {
    "type": "wallet_token",
    "wallet_token_id": "0d5c1774-5f3f-4a2f-9c86-1f30a0ea9be2"
  }
}
Guardian then:
  1. Vaults the wallet token’s funding PAN as a new PCI token.
  2. Provisions a network token from it with the card scheme.
  3. Records the link on the wallet token’s promoted_to field.
A wallet token can be promoted once — repeating the call returns 422 with the classifier WALLET_TOKEN_ALREADY_PROMOTED.