VerifyAuthRequestCryptogram - AWS Payment Cryptography Data Plane
Request SyntaxURI Request ParametersRequest BodyResponse SyntaxResponse ElementsErrorsSee Also

VerifyAuthRequestCryptogram

Verifies Authorization Request Cryptogram (ARQC) for a EMV chip payment card authorization. For more information, see Verify auth request cryptogram in the AWS Payment Cryptography User Guide.

ARQC generation is done outside of AWS Payment Cryptography and is typically generated on a point of sale terminal for an EMV chip card to obtain payment authorization during transaction time. For ARQC verification, you must first import the ARQC generated outside of AWS Payment Cryptography by calling ImportKey. This operation uses the imported ARQC and an major encryption key (DUKPT) created by calling CreateKey to either provide a boolean ARQC verification result or provide an APRC (Authorization Response Cryptogram) response using Method 1 or Method 2. The ARPC_METHOD_1 uses AuthResponseCode to generate ARPC and ARPC_METHOD_2 uses CardStatusUpdate to generate ARPC.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the AWS Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different AWS accounts.

Related operations:

Request Syntax

POST /cryptogram/verify HTTP/1.1
Content-type: application/json

{
   "AuthRequestCryptogram": "string",
   "AuthResponseAttributes": { ... },
   "KeyIdentifier": "string",
   "MajorKeyDerivationMode": "string",
   "SessionKeyDerivationAttributes": { ... },
   "TransactionData": "string"
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

AuthRequestCryptogram

The auth request cryptogram imported into AWS Payment Cryptography for ARQC verification using a major encryption key and transaction data.

Type: String

Length Constraints: Fixed length of 16.

Pattern: [0-9a-fA-F]+

Required: Yes

AuthResponseAttributes

The attributes and values for auth request cryptogram verification. These parameters are required in case using ARPC Method 1 or Method 2 for ARQC verification.

Type: CryptogramAuthResponse object

Note: This object is a Union. Only one member of this object can be specified or returned.

Required: No

KeyIdentifier

The keyARN of the major encryption key that AWS Payment Cryptography uses for ARQC verification.

Type: String

Length Constraints: Minimum length of 7. Maximum length of 322.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:(key/[0-9a-zA-Z]{16,64}|alias/[a-zA-Z0-9/_-]+)$|^alias/[a-zA-Z0-9/_-]+

Required: Yes

MajorKeyDerivationMode

The method to use when deriving the major encryption key for ARQC verification within AWS Payment Cryptography. The same key derivation mode was used for ARQC generation outside of AWS Payment Cryptography.

Type: String

Valid Values: EMV_OPTION_A | EMV_OPTION_B

Required: Yes

SessionKeyDerivationAttributes

The attributes and values to use for deriving a session key for ARQC verification within AWS Payment Cryptography. The same attributes were used for ARQC generation outside of AWS Payment Cryptography.

Type: SessionKeyDerivation object

Note: This object is a Union. Only one member of this object can be specified or returned.

Required: Yes

TransactionData

The transaction data that AWS Payment Cryptography uses for ARQC verification. The same transaction is used for ARQC generation outside of AWS Payment Cryptography.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 1024.

Pattern: [0-9a-fA-F]+

Required: Yes

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "AuthResponseValue": "string",
   "KeyArn": "string",
   "KeyCheckValue": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AuthResponseValue

The result for ARQC verification or ARPC generation within AWS Payment Cryptography.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 16.

Pattern: [0-9a-fA-F]+

KeyArn

The keyARN of the major encryption key that AWS Payment Cryptography uses for ARQC verification.

Type: String

Length Constraints: Minimum length of 70. Maximum length of 150.

Pattern: arn:aws:payment-cryptography:[a-z]{2}-[a-z]{1,16}-[0-9]+:[0-9]{12}:key/[0-9a-zA-Z]{16,64}

KeyCheckValue

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

AWS Payment Cryptography computes the KCV according to the CMAC specification.

Type: String

Length Constraints: Minimum length of 4. Maximum length of 16.

Pattern: [0-9a-fA-F]+

Errors

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 403

InternalServerException

The request processing has failed because of an unknown error, exception, or failure.

HTTP Status Code: 500

ResourceNotFoundException

The request was denied due to an invalid resource error.

HTTP Status Code: 404

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 429

ValidationException

The request was denied due to an invalid request error.

HTTP Status Code: 400

VerificationFailedException

This request failed verification.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: