Single Immediate Payments
A single immediate payment (SIP) is a payment initiated on behalf of a PSU for immediate execution. 
Single Euro Payments Area – a payments system created by the European Union (EU) which harmonizes the way cashless payments transact between euro countries. European consumers, businesses, and government agents who make payments by direct debit, instant credit transfer, and through credit transfers use the SEPA architecture. The single euro payment area is approved and regulated by the European Commission.
SEPA currently includes 36 members. It encompasses the 28 EU member states along with Iceland, Norway, Liechtenstein, Switzerland, Andorra, Vatican City, Monaco and San Marino. The single euro payment area remains an ongoing, collaborative process between these parties. SEPA is in the process of harmonizing rules regarding mobile and online payments. transfers have a 3:00 pm cutoff time for same day processing. Requests received after this time will be processed the following business day.
Bank-initiated SIP (1-step)
Putting the full sequence into perspective, the diagram pictured next (hover to enlarge) shows the communication flow for
TPP-initiated SIP (2-step)
The sequence diagram pictured next shows the communication flow for a
Guidance for making the appropriate POST and GET calls, as well as handling Token's responses to these requests is covered next.
Base URLs
Correlated in the following table, the {{BASE_URL}} for calls and redirects depends on the environment in which you're operating.
| Environment | BASE_URL |
|---|---|
| API calls | |
| Production | https://api.token.io |
| Sandbox | https://api.sandbox.token.io |
| Web App Redirect (for consent) | |
| Production | https://web-app.token.io |
| Sandbox | https://web-app.sandbox.token.io |
Be sure to include the BASE_URL for the appropriate environment and purpose in each call.
Making the Token Request
To initiate a payment request with the bank, you'll need to be able to identify yourself as the calling
- Member ID – unique value generated by the Developer Dashboard when you signed up.
- Alias – unique email, domain, eIDAS or realmId you provided when you signed up.
A transfer request must include both parameters.
You can obtain the values from the dashboard by following these steps:
(1) If the dashboard isn't already open in a browser tab, sign in.
(2) Click Member Information in navigation panel on the left.
(3) Click the "eye" icon to the right of each value to reveal it.
(4) Copy the value you need.
Some banks in Germany, Austria and Hungary require the TPP to capture additional authentication information upfront from the user before a redirect to the bank.
If the selected bank imposes this initial credentials check requirement, you'll need to capture the credentialFields specified by the bank (e.g., the user's IBANInternational Bank Account Number – a number attached to all bank accounts in the EU countries, plus Norway, Switzerland, Liechtenstein and Hungary. The IBAN is made up of a code identifying the country to which the account belongs, the account holder's bank, and the account number itself.) in its response to your GET /banks call (see Bank Selection using GET /banks) and include this information in your payment request.
In addition, when initial credentials are required by the user-selected bank, the redirect URL in the sandbox will be:
https://tpp-integration.sandbox.token.io/initiatePayment/callback?redirect-url={{your-redirect-url}}
For production, the redirect URL changes to:
https://tpp-integration.token.io/initiatePayment/callback?redirect-url={{your-redirect-url}}
Here, {{your-redirect-url}} is your standard TPP redirect URL.
The exchange iterations necessary to provide initial credential information to the bank take place in the background.
See also Mandatory Token Request Pass-ins and Authorisation Models in Bank Selection using GET /banks for information about providing required bank-specific information in your request. Please note that bank-specified MandatoryFields may be different for different banks.
If you are not connecting to a bank in Germany, Austria or Hungary, the requirement for an initial credentials check using the redirect URL format above does not apply and you should instead use the standard format outlined below.
Payment Services User – an individual person or legal business entity making use of an Open Banking service as a payee, payer or both. gives consent
{
"requestPayload":
"refId": "xyz",
"to": {
"alias": { // include only one type and its corresponding value
"realmId": "value available from dashboard",
"type": "EIDAS",
"type": "EMAIL",
"value": "noverify@token.io" // example value
"value": "value available from dashboard"
}
"id": "m:nP4w3u5y8ddrxDJkjimgSX9e4fZ:5zKtXEAq"// member ID
},
"authorizationMetadata": { // map from response to GET /banks call
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
},
"transferBody": {
"currency": "EUR",
"lifetimeAmount": "10",
"instructions": {
"transferDestinations": [
{
"sepa": {
"iban": "testIBAN",
"bic": "testBIC"
}
}
]
}
},
"description": "test",
"redirectUrl": "https://sample-merchant-domain.com/transfer"
}
}
Tip: "Available from Dashboard" indicates a value that can be looked up in the Developer Dashboard under Settings > Member Information .
The most important request fields and their corresponding descriptions are listed in the following table.
| Field | Description/Subfields | Required/Optional | |
|---|---|---|---|
| refId | Warning: If the description in subsequent token lookups/changes/updates (retrieve, redeem, or cancel) doesn't match the description in the originating token request, an exception will be thrown. |
Required | |
| to | Identifies the member initiating the request | Required | |
| alias |
A human-readable proxy for your member identifier that contains your realmId or alias type (DOMAIN, EMAIL, other) and a value string.
A realmId identifies a member created under the realm of a specific bank. See Member Information in Understanding Dashboard Settings to find your member id and alias. |
Required | |
| id | Member ID of the |
Required | |
| authorizationMetadata | Maps the key-value pairs from the GET /banks response, where key is the name of the field and value is the value of the field. Needed to capture additional information from the user for initial authorization by the bank, thereby allowing the user to proceed with providing consent for the initiation request. | Required* | |
| transferBody | Specifies the critical details of the transfer: currency, lifetimeAmount, and transferDestinations |
Required | |
| currency | ISO 4217 currency code for the transaction | Required | |
| lifetimeAmount |
Amount of the payment/transfer valued in currency.
Precision: Recommended precision is rounding to 4 decimal places (HALF-EVEN |
Required | |
| instructions | Specifies beneficiary account information and any additional transfer instructions. | Required | |
| Required | |||
| callbackState | Developer-specified string allowing state to be persisted between the request and callback phases of the flow | Optional | |
| description |
Description of the payment with the following qualifiers:
This description field maps to description in the bank's consentRequest presented to the user. Warning: If description in a subsequent token request for lookups/changes/updates (retrieve, redeem, or cancel) doesn't match the description in the originating token request, an exception will be thrown. |
Optional, with the caveats described in the previous column | |
| redirectUrl |
Defines the Important: When initial credentials are required by the bank as specified in its GET /banks response, see the note above for more on how to construct the redirect URL. |
Required | |
| reference | Augmenting refId and description, this is TPP-defined additional information pertinent to TPP's payments policies; for instance, could contain a full or partial credit card number when payment is being initiated for a credit card payment. Securely hashed to safeguard its transmission throughout the communication flow, this field should be considered by TPPs wishing to augment their transaction reference data for tracking and audit control. | Optional | |
| source | Account number from which the amount is being debited; set using the AccountIdentifier object, which allows four types of account identifiers:
Although setting source with the BankAccount object has been deprecated, it is still supported |
|
|
| traceID | TPP-provided unique value captured by Token and sent across to the bank to be stored with the request throughout its lifecycle as an audit-trail aid. | Optional | |
| requestOptions | • Bank ID where payment is to be initiated • Receipt Requested – to specify that an email receipt is to be sent to the PSU by Token |
Optional | |
| *Inclusion of some elements may be optional or bank-dependent | |||
Caution: A PANPrimary Account Number – refers to a 14-, 15-, 16-, or even up to 19-digit number generated as a unique identifier designated for a primary account; also called payment card number and permanent card number. is disallowed in the token request payload within the refId and description fields. In accordance with the PA-DSSPayment Application Data Security Standard – Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS. security standard, RegexAPI to define a pattern for searching or manipulating strings. is used for pattern matching
of numeric strings that intentionally or inadvertently reveal or resemble a PAN in the refId or description of a token request. Potential PAN patterns found will now throw an exception.
Remember, whatever you specify as a transferDestination in the request will be reflected in the response. This means accuracy is extremely important here.
Payee Information
- STETCreated according to the new Payment Services Directive (PSD2), this API aims to provide a secure and easy-to-use set of services to be implemented by European ASPSPs. requires creditor account information.
- CMA9As part of the Open Banking initiative, the CMA9 are the nine largest banks in the UK as determined by the Competition and Markets Authority (CMA). The CMA is an independent department of the UK government chartered to promote market competition and fairness, and reduce any harmful monopolies., NextGenPSD2Common API standard for PSD2 developed by the Berlin Group to create uniform and interoperable communications between banks and TPPs., and PolishAPIThe PolishAPI standard is the key part of the Open Banking on the Polish financial market. It is defining the interface enabling third parties to access payment accounts, based on amended directive on payment services in the internal market (PSD2). have the creditor name and account identifiers, as well as the creditor agentFinancial institution servicing an account for the creditor.BICBank Identifier Code – a unique identifier for a specific financial institution. A BIC is composed of a 4-character bank code, a 2-character country code, a 2-character location code and an optional 3-character branch code.. However, these are optional fields, so the presence of creditor account information is bank-dependent.
- CMA9 needs the creditor agent address, whilst PolishAPI requires the creditor's address.
If you are initiating a payment to Barclays Bank UK, the creditor name can be no more than 18 characters. If this limit is exceeded, the bank will reject the payment.
Processing the Response
Here's an example of the response you'll receive:
"tokenRequest": {
"id": "rq:3g5RVV7Z4oU9P5rtzX2YhnssuPC5:5zKtXEAq", // request-id; add to BASE_URL for consent
"requestPayload": {
"to": {
"alias": {
"type": "EMAIL",
"value": noverify@token.io"
}
"id": "m:nP4w3u5y8ddrxDJkjimgSX9e4fZ:5zKtXEAq"// member ID
},
"transferBody": {
"currency": "EUR",
"lifetimeAmount": "10",
"instructions": {
"transferDestinations": [
{
"sepa": {
"iban": "testIBAN",
"bic": "testBIC"
}
}
]
}
},
"description": "test",
"redirectUrl": "https://sample-merchant-domain.com/transfer"
}
}
Create the redirect URL by appending the request id in the response (shown above in red) to the redirect base URL, then send it to the user to provide explicit consent to the bank.
https://{{BASE_URL}}/app/request-token/app/request-token/{{Insert request-id here}}
// example = https://web-app.sandbox.token.io/app/request-token/rq:3RKfCA7KQEEZERLoFsAt3MoAnoP5:5zKtXEAq
Tip: You can specify a particular language by passing its language code (lang=country-code) as a query parameter appended to the URL above, which the user can override in the webapp according to personal preference. Here's an example for passing the desired ISO 639-1Codes for the representation of names of languages—Part 1: Alpha-2 code, is the first part of the ISO 639 series of international standards for language codes. Part 1 covers the registration of two-letter codes. There are 184 two-letter codes registered as of December 2018. The registered codes cover the world's major languages.
See https://www.iso.org/iso-639-language-codes.html language code for German (de):
https://web-app.token.io/app/request-token/rq:o9adbFqJXcaDGNDaykPvpSZFZDW:5zKtXEAq?lang=de
TPPs using Token's licence only: This redirects the PSU to the Token Web App, which displays a payment confirmation page (pictured, hover to enlarge):
Note: If you did not capture the source account number from the PSU in your UI after user bank selection (see Filtering Banks), the user is presented with an input field (shown in the payment confirmation page above) in which to enter the source account number (IBANInternational Bank Account Number – a number attached to all bank accounts in the EU countries, plus Norway, Switzerland, Liechtenstein and Hungary. The IBAN is made up of a code identifying the country to which the account belongs, the account holder's bank, and the account number itself.).
Upon user consent, Token will redirect the user back to the
"redirectUrl": "https://sample-merchant-domain.com"/pis?tokenId=sample_token_id
"redirectUrl": "https://sample-merchant-domain.com"/pis?transferId=sample_transfer_id
URL encoding makes sure that the characters in the URL that are not allowed to be put into the URL directly can still be used. For example a space or : is not allowed, but replacing it with %20 or %3A encodes a space or : (and most browsers will display a space in the browser bar).
For encoded URLs, use Java's URLDecoder (java.net.URLDecoder) unless you have a different preference. the tokenIdUsing the tokenId sent by the bank, which confirms PSU consent, you can now initiate payment.
If the bank supports one-step payments, the callback will contain a transferId and a transferStatus (see Payment Status: Value and Meaning for the list of possible status codes), which you can then display to the customer/user. Use the transferId, as necessary, to check for status updates with a GET /transfers/{transferId} call, presuming you didn't subscribe to a webhook in the original token request.
For two-step payments, you'll need to redeem the transfer token with a POST /transfers request containing the Token-provided tokenId. Here's an example:
{
"payload": {
"refId": "{{your reference identifier}}", // optional
"tokenId": "{{TOKEN_ID}}", // tokenId in redirectUrl
"amount": {
"value": "100",
"currency": "EUR"
}
},
"payloadSignature": {
"memberId": "m:2Dt7S9Cf2QuDFEzAPRdoF7FWmCgq:5zKtXEAq",
"keyId": "0NgHZ8jUKdyHRJFW",
"signature": "D4iVAPUboFhKE8pQYZjwfH05TxRDSqgYZO94DgUHfx4lGddlZkIooKo6M5AVE"
}
}
The most important request fields and their corresponding descriptions are listed in the following table.
| Field | Description/Subfields | Required/Optional | ||
|---|---|---|---|---|
| payload | refId | Warning: If the description in subsequent token lookups/changes/updates (retrieve, redeem, or cancel) doesn't match the description in the originating token request, an exception will be thrown. |
Required | |
| tokenId | Bank-generated identifier returned in the response to the original payment request | Required | ||
| amount | value |
Amount of the payment/transfer valued in currency.
Precision: Recommended precision is rounding to 4 decimal places (HALF-EVEN |
Required | |
| currency | ISO 4217 currency code for the transaction | Required | ||
| payloadSignature | memberId | Member ID of the |
Required* | |
| keyId | Your certificate's public key identifier | Required* | ||
| signature | Cryptographic signature guaranteeing the authenticity of the payload. | Required* | ||
| * Not required if you are using an API key | ||||
You'll receive a transferId and transferStatus in a callback, which you can then display to the customer/user.
Important: The POST /transfers call must pass in an appropriate authorisation header containing your authentication key. See Construct the Request Authorisation Header in Onboarding to review the details.
Please refer to the API's Swagger Reference for additional details on all of the above.