View a markdown version of this page

GenerateAuthRequestCryptogram - AWS Payment Cryptography Data Plane
Request SyntaxURI Request ParametersRequest BodyResponse SyntaxResponse ElementsErrorsSee Also

GenerateAuthRequestCryptogram

Generates an Authorization Request Cryptogram (ARQC) for an EMV chip payment card authorization. For more information, see Generate auth request cryptogram in the AWS Payment Cryptography User Guide.

ARQC generation uses an Issuer Master Key (IMK) for application cryptograms (TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS) to derive a session key, which is then used to generate the cryptogram from the provided transaction data (when applicable). To use this operation, you must first create or import an IMK-AC key by calling CreateKey or ImportKey. The KeyModesOfUse should be set to DeriveKey for the IMK-AC encryption key.

Important

This operation is intended for development and testing scenarios only. It is not recommended to use this operation as a substitute for card-based cryptogram generation in production payment flows.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the AWS Payment Cryptography User Guide.

Cross-account use: This operation supports cross-account use when the key has a resource-based policy that grants access. For more information, see Resource-based policies.

Related operations:

Request Syntax

POST /cryptogram/generate HTTP/1.1
Content-type: application/json

{
   "KeyIdentifier": "string",
   "MajorKeyDerivationMode": "string",
   "SessionKeyDerivationAttributes": { ... },
   "TransactionData": "string"
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

KeyIdentifier

The keyARN of the IMK-AC (TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS) that AWS Payment Cryptography uses to generate the ARQC.

Type: String

Length Constraints: Minimum length of 7. Maximum length of 322.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:(key/[0-9a-zA-Z]{16,64}|alias/[a-zA-Z0-9/_-]+)$|^alias/[a-zA-Z0-9/_-]+

Required: Yes

MajorKeyDerivationMode

The method to use when deriving the major encryption key for ARQC generation within AWS Payment Cryptography.

Type: String

Valid Values: EMV_OPTION_A | EMV_OPTION_B

Required: Yes

SessionKeyDerivationAttributes

The attributes and values to use for deriving a session key for ARQC generation within AWS Payment Cryptography.

Type: SessionKeyDerivation object

Note: This object is a Union. Only one member of this object can be specified or returned.

Required: Yes

TransactionData

The transaction data that AWS Payment Cryptography uses for ARQC generation. The same transaction data is used for ARQC verification by the issuer using VerifyAuthRequestCryptogram.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 1024.

Pattern: [0-9a-fA-F]+

Required: Yes

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "AuthRequestCryptogram": "string",
   "KeyArn": "string",
   "KeyCheckValue": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AuthRequestCryptogram

The Authorization Request Cryptogram (ARQC) generated by AWS Payment Cryptography using the specified key and transaction data.

Type: String

Length Constraints: Fixed length of 16.

Pattern: [0-9a-fA-F]+

KeyArn

The keyARN of the IMK-AC that AWS Payment Cryptography uses for ARQC generation.

Type: String

Length Constraints: Minimum length of 70. Maximum length of 150.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:key/[0-9a-zA-Z]{16,64}

KeyCheckValue

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

AWS Payment Cryptography computes the KCV according to the CMAC specification.

Type: String

Length Constraints: Minimum length of 4. Maximum length of 16.

Pattern: [0-9a-fA-F]+

Errors

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 403

InternalServerException

The request processing has failed because of an unknown error, exception, or failure.

HTTP Status Code: 500

ResourceNotFoundException

The request was denied due to an invalid resource error.

ResourceId

The resource that is missing.

HTTP Status Code: 404

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 429

ValidationException

The request was denied due to an invalid request error.

fieldList

The request was denied due to an invalid request error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: