3

How can I somehow obtain an example of an Apple Pay Payment Token (as described here) without actually requesting a payment from Apple using an Apple Device?

I am creating an endpoint that will accept the Apple Pay payment token exactly as it is received on the device requesting payment from Apple. However, it is binary data and it will thus have to be decoded into what I assume is a normal JSON object. What would the format/structure of this JSON object be?

From Checkout.com's documentation on Apple Pay (here) I would assume the decoded JSON object looks something like this (although they mark it as an "example", so I can't be sure):

{
  "type": "applepay",
  "token_data": {
    "version": "EC_v1",
    "data": "t7GeajLB9skXB...",
    "signature": "MIAGCSqGSIb3DQEHAq...",
    "header": {
      "ephemeralPublicKey": "MFkwEwYHKoZIzj...",
      "publicKeyHash": "tqYV+tmG9aMh+l/K6cicU...",
      "transactionId": "3cee89679130a4b2617c..."
    }
  }
}

Note that the data in the fields above were shortened for brevity.

What is the exact object/data that Apple sends the device requesting payment?

Any help would be greatly appreciated!

AnonymousAngelo

1 Answer

5

I've managed to figure out what Apple sends as a payment token.

Apple sends binary data (PKPaymentToken) that can be decoded into JSON. The JSON object looks as follows:

{
    "data":"...",
    "signature":"...",
    "version":"..",
    "header":{
        "applicationData":"...",
        "ephemeralPublicKey":"...",
        "wrappedKey":"...",
        "publicKeyHash":"...",
        "transactionId":"..."
    }
}

Using the payment token thus first requires decoding the binary data into JSON, which can then be sent to a merchant (like Checkout or Stripe). It should be noted that some of the fields in the JSON object are encrypted. They may be used unencrypted or encrypted. Checkout, for instance, accepts the encrypted fields.

The token

data: payment data dictionary, Base64 encoded as a string

header: header dictionary

signature: detached PKCS #7 signature, Base64 encoded as string

version: string

Header

applicationData: SHA–256 hash, hex encoded as a string

ephemeralPublicKey: X.509 encoded key bytes, Base64 encoded as a string

wrappedKey: A Base64 encoded string

publicKeyHash: SHA–256 hash, Base64 encoded as a string

transactionId: A hexadecimal identifier, as a string

More information/detail can be found in the Apple documentation.

AnonymousAngelo
  • do you have an example how to send this decrypted data to Stripe? – Elmar Jan 21 '21 at 09:08
  • @ElmarAbdurayimov nope, sorry. But you can have a look at Stripe's documentation... it should be pretty similar. – AnonymousAngelo Jan 21 '21 at 12:08
  • Hey @AnonymousAngelo, stuck in similar scenario. Got the `PKPaymentToken` but now how to decrypt it in json to send to Checkout.com? I can't understand Apple docs – Hyder Jul 29 '22 at 06:44
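An added example (not part of the original answer, and not Apple's or Checkout.com's code): a structural check an endpoint could run on the decoded token before forwarding it, using the field encodings listed in the answer. The names `validate_token`, `_b64_error` and `SAMPLE` are hypothetical, and the version-to-key-field mapping (`EC_v1` carries `ephemeralPublicKey`, `RSA_v1` carries `wrappedKey`, `applicationData` is optional) is taken from Apple's token format reference rather than from this page.

```python
import base64
import json
import re

HEX_RE = re.compile(r"[0-9a-fA-F]+")
KEY_FIELD = {"EC_v1": "ephemeralPublicKey", "RSA_v1": "wrappedKey"}  # per version


def _b64_error(value, exact_len=None):
    """Return a problem description for a Base64 field, or None if it is fine."""
    if not isinstance(value, str) or not value:
        return "missing or not a string"
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "not valid Base64"
    if exact_len is not None and len(raw) != exact_len:
        return f"expected {exact_len} bytes, got {len(raw)}"


def validate_token(body: bytes) -> list:
    """Return structural problems found in a token; an empty list means well-formed."""
    try:
        token = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(token, dict) or not isinstance(token.get("header"), dict):
        return ["token or header is not a JSON object"]
    header, version = token["header"], token.get("version")
    if not isinstance(version, str) or version not in KEY_FIELD:
        return [f"version: unsupported value {version!r}"]
    key = KEY_FIELD[version]
    checks = [("data", _b64_error(token.get("data"))),
              ("signature", _b64_error(token.get("signature"))),
              (key, _b64_error(header.get(key))),
              ("publicKeyHash", _b64_error(header.get("publicKeyHash"), 32))]
    errors = [f"{name}: {problem}" for name, problem in checks if problem]
    for name, required in (("transactionId", True), ("applicationData", False)):
        value = header.get(name)
        if value is None and not required:
            continue
        if not isinstance(value, str) or not HEX_RE.fullmatch(value):
            errors.append(f"{name}: not a hexadecimal string")
    return errors


# Constructed sample: zero bytes in the documented layout, not a real payment token.
_Z = lambda n: base64.b64encode(bytes(n)).decode()
SAMPLE = {"version": "EC_v1", "data": _Z(64), "signature": _Z(64), "header": {
    "ephemeralPublicKey": _Z(91), "publicKeyHash": _Z(32), "transactionId": "ab" * 32}}
```

An empty result only means the token is well-formed; the PKCS #7 signature still has to be verified by whoever decrypts `data`, whether that is the endpoint itself or the payment processor it forwards to.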