Prerequisites
Google Pay encrypts every payload for a specific recipient. Before you can tokenize:- Your instance holds an active ECv2 decryption key and is configured with your Google Pay merchant ID. Contact support to set this up.
- You register the public half of that key in the Google Pay & Wallet Console, so Google encrypts payloads your instance can decrypt.
Tokenizing a Google Pay Payment
When a customer completes a Google Pay sheet, the Google Pay API hands your client aPaymentMethodToken envelope. Send it to Tokenize Google Pay exactly as Google returns it — Guardian verifies the ECv2 signature chain against Google’s trusted signing keys, decrypts the payload, and stores the credential as a wallet token.
The same envelope can be tokenized only once: resubmitting it returns 409 with the classifier GOOGLE_PAY_DUPLICATE_PAYLOAD.
Authentication Methods
Google Pay issues two flavors of credential. Theauth_method field on the wallet token tells you which one you hold, and it determines everything downstream:
CRYPTOGRAM_3DS | PAN_ONLY | |
|---|---|---|
| Credential | Device-bound token: DPAN, cryptogram, ECI | Card on file: funding PAN and expiry |
| Forwarding | Once — the cryptogram is single-use | Repeatedly |
| Promotion to network token | Not eligible | Eligible |
| 3-D Secure | Authentication carried in the cryptogram | May be required; check requires_3ds |
requires_3ds field indicates whether the payment still needs 3-D Secure authentication on your side before authorization.
Forwarding
Forwarding a wallet token works the same for every wallet; this section lists the placeholders and rules specific to Google Pay. Which placeholders a token carries depends on itsauth_method:
| Placeholder | CRYPTOGRAM_3DS | PAN_ONLY | Description |
|---|---|---|---|
{{ dpan }} | ✓ | — | The device PAN. |
{{ cryptogram }} | ✓ | — | The 3-D Secure cryptogram. |
{{ eci }} | ✓ | — | Electronic Commerce Indicator. |
{{ fpan }} | — | ✓ | The funding PAN. |
{{ expiry_month }} | ✓ | ✓ | Card expiry month. |
{{ expiry_year }} | ✓ | ✓ | Card expiry year. |
CRYPTOGRAM_3DS token is single-use: the first successful forward consumes it, and later attempts return 400 with the classifier CRYPTOGRAM_CONSUMED. A PAN_ONLY token can be forwarded repeatedly.
If your template references a placeholder the token’s auth_method does not carry (for example {{ fpan }} against a CRYPTOGRAM_3DS token), the forward is rejected with 422 and the classifier DESTINATION_POLICY_VIOLATION. A placeholder the token does carry but that has no value on this specific credential returns 422 with PLACEHOLDER_VALUE_MISSING. Both name the offending placeholder.
Promotion
APAN_ONLY token carries the customer’s funding PAN, so you can promote it to a network token when you want a durable card-on-file credential with the full network token lifecycle. CRYPTOGRAM_3DS tokens carry no funding PAN and cannot be promoted — attempting to promote one returns 422 with the classifier UNSUPPORTED_WALLET_TYPE.
Promotion is a regular Create token call with the wallet token as source:
- Vaults the wallet token’s funding PAN as a new PCI token.
- Provisions a network token from it with the card scheme.
- Records the link on the wallet token’s
promoted_tofield.
422 with the classifier WALLET_TOKEN_ALREADY_PROMOTED.