Secure-data requests use a client-generated AES-256 session key, the Payblr RSA-4096 Wrap Public Key, and an encrypted response that the client application decrypts using the original session key.
The client application or device generates a new AES-256 session key for the request.
The original AES session key must remain on the client side. It is required later to decrypt the response.
The client encrypts the AES session key using the Payblr RSA-4096 Wrap Public Key.
The AES session key must be encrypted using RSA OAEP padding according to the current secure-data configuration.
The encrypted AES key is Base64-encoded before being included in the secure-data request body as key.
Send the secure-data request using the card’s publicToken.
POST /thr/thredd/cards/{publicToken}/encrypted
paddingMode: PKCS2_2
encryptionKeyLength: Rsa4096
hashingAlgorithm: Sha256
Payblr decrypts the AES session key using its private key.
Payblr uses the AES session key to encrypt the requested card data and returns the encrypted response.
iv
encryptedPayload
signatureOfPayloadAndIv
Verify the response signature by validating the encrypted payload and iv using the applicable Payblr Signing Public Key.
The client application or device decrypts encryptedPayload using the original AES session key and returned iv.
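An added example, not Payblr's own code, of the client-side steps above in Node.js: wrap a fresh session key with RSA-OAEP/SHA-256, then verify the response signature before decrypting. The AES mode (CBC), the signature scheme (RSA PKCS#1 v1.5 with SHA-256 over encryptedPayload followed by iv), Base64 response fields, the mockServer helper and the 2048-bit test keys are assumptions made so the example runs offline; check them against the current secure-data configuration.

```javascript
const crypto = require('crypto');

// RSA-OAEP with SHA-256 (ASSUMPTION: MGF1 also uses SHA-256, which is Node's behaviour for oaepHash).
const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

// Client: fresh AES-256 session key per request; only the wrapped copy leaves the client.
function wrapSessionKey(wrapPublicKey) {
  const sessionKey = crypto.randomBytes(32);
  const key = crypto.publicEncrypt(oaep(wrapPublicKey), sessionKey).toString('base64');
  return { sessionKey, key }; // `key` goes in the request body, `sessionKey` stays local
}

// Client: verify the signature first and decrypt only if it is valid.
// ASSUMPTIONS: Base64 fields, RSA PKCS#1 v1.5 / SHA-256 signature over
// encryptedPayload bytes followed by iv bytes, AES-256-CBC.
function openResponse(resp, sessionKey, signingPublicKey) {
  const iv = Buffer.from(resp.iv, 'base64');
  const payload = Buffer.from(resp.encryptedPayload, 'base64');
  const sig = Buffer.from(resp.signatureOfPayloadAndIv, 'base64');
  const ok = crypto.verify('sha256', Buffer.concat([payload, iv]), signingPublicKey, sig);
  if (!ok) throw new Error('signature verification failed');
  const d = crypto.createDecipheriv('aes-256-cbc', sessionKey, iv);
  return Buffer.concat([d.update(payload), d.final()]).toString('utf8');
}

// Hypothetical stand-in for the server side, constructed so the example runs offline.
function mockServer(wrapPrivateKey, signingPrivateKey, wrappedKeyB64, cardData) {
  const sessionKey = crypto.privateDecrypt(oaep(wrapPrivateKey), Buffer.from(wrappedKeyB64, 'base64'));
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', sessionKey, iv);
  const payload = Buffer.concat([c.update(cardData, 'utf8'), c.final()]);
  const sig = crypto.sign('sha256', Buffer.concat([payload, iv]), signingPrivateKey);
  return { iv: iv.toString('base64'), encryptedPayload: payload.toString('base64'),
           signatureOfPayloadAndIv: sig.toString('base64') };
}

// Constructed 2048-bit test keys to keep the run fast (the real wrap key is RSA-4096).
const wrap = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const signing = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

function demo() {
  const { sessionKey, key } = wrapSessionKey(wrap.publicKey);
  // Constructed sample card data, not a real response body.
  const resp = mockServer(wrap.privateKey, signing.privateKey, key, '{"pan":"4111111111111111"}');
  return { sessionKey, resp, plain: openResponse(resp, sessionKey, signing.publicKey) };
}
```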