Skip to main content
POST
Generate Network Token Cryptogram
This endpoint returns an on-demand network token cryptogram for a vaulted card, together with the card’s current network token (DPAN). A card’s network token alone cannot authorize a payment — card schemes require a single-use cryptogram per transaction, and only Yuno can request it because Yuno holds the Token Requestor ID. Use this endpoint when you want to take a Yuno network token and authorize the transaction on your own PSP. You identify the card with its vaulted_token — the same identifier you use in Create Payment. Yuno resolves the card’s current network token internally and absorbs token rotation, so you always receive a consistent, current (DPAN, cryptogram, ECI) set.
PCI merchants onlyThis endpoint is only available for PCI-certified merchants, because the response contains the full network token (DPAN). To enable it, contact your Key Account Manager (KAM).
Always submit the returned pair. A cryptogram is bound to a specific network token. Submit the network_token.number (DPAN) returned in the same response together with its cryptogram and eci. Never pair a returned cryptogram with a previously stored DPAN — after a token rotation, a stored DPAN will no longer match.

How it works

  1. Request a cryptogram right before you authorize. Every call generates a fresh, single-use cryptogram from the scheme — there is no idempotency, and duplicate calls simply return new cryptograms (no money moves).
  2. Submit network_token.number (DPAN), cryptogram, and eci to your PSP as a network-token transaction.
  3. If the authorization is declined and you retry, request a new cryptogram first — a used or stale cryptogram cannot be replayed.

Requirements

To use this endpoint your organization must:
  • Be a PCI-certified merchant (the response contains the DPAN).
  • Have the product enabled for your organization.
  • Be onboarded for network tokens for the card’s brand and the requested country.
The card referenced by vaulted_token must be an enrolled card of your organization that already has an active network token. Supported networks: Visa and Mastercard.
When you don’t need this endpoint. Recurring merchant-initiated transactions (MIT) authorize with the network token and the stored network_transaction_id and do not require a cryptogram. This endpoint is for customer-initiated transactions that need a fresh cryptogram.

Cryptogram lifetime

The cryptogram is single-use — request it immediately before you authorize, and do not cache it.

Errors

Errors return a code and a messages array. The exact messages value per code: A vaulted_token that doesn’t exist and one that belongs to another organization both return the same PAYMENT_METHOD_NOT_FOUND — no existence leak.

Authorizations

public-api-key
string
header
default:<Your public-api-key>
required
private-secret-key
string
header
default:<Your private-secret-key>
required

Body

application/json
vaulted_token
string<uuid>
required

The vaulted token of the card, the same identifier used as payment_method.vaulted_token in Create Payment. The card must be an enrolled card of your organization with an active network token.

Example:

"9b2f4b1c-7f3a-4c2e-9b1a-2b3c4d5e6f70"

country
string
required

ISO 3166-1 alpha-2 country code where the token will be used. Resolves the network token onboarding (organization + brand + country), with the same semantics as country in Create Payment.

Example:

"US"

amount
object

Optional. Forwarded to the scheme; recommended, as some scheme flows bind the amount.

Response

Cryptogram generated.

vaulted_token
string

Echo of the request's vaulted token.

network_token
object

The card's current network token. Same shape returned by the PCI network-token retrieval.

cryptogram
string

A fresh, single-use cryptogram from the scheme, generated on every call. Submit it together with network_token.number (DPAN) and eci to your PSP.

Example:

"AgAAAAAABk4DWZ4C28yUQAAAAAA="

eci
string | null

Electronic Commerce Indicator. May be null for some Mastercard DSRP formats.

Example:

"05"

created_at
string<date-time>

Issuance timestamp (UTC).