Capture Context API

The capture context request contains all of the merchant-specific parameters that tell the frontend JavaScript library how to behave within your payment experience.
The capture context is a signed JSON Web Token (JWT) containing this information:
  • Merchant-specific parameters that dictate the customer payment experience for the current payment transaction.
  • A one-time public key that secures the information flow during the current payment transaction.
The capture context request includes these elements:
  • allowedCardNetworks
  • allowedPaymentTypes
  • clientVersion
  • targetOrigins
  • transientTokenResponseOptions.includeCardPrefix
  • completeMandate
For information on JSON Web Tokens, see JSON Web Tokens.
Target Origin
The target origin is defined by the scheme (protocol), hostname (domain) and port number (if used).
You must use the https:// protocol. Subdomains must also be included in the target origin.
Any valid top-level domains, such as .com, .co.uk, and .gov.br, are supported. Wildcards are not supported.
For example, if you are launching Unified Checkout on example.com, the target origin could be any of the following:
You can define the payment cards and digital payments that you want to accept in the capture context.
Allowed Card Networks
Use the allowedCardNetworks field to define the card types.
These card networks are available for card entry:
  • American Express
  • Cartes Bancaires
  • Carnet
  • China UnionPay
  • Diners Club
  • Discover
  • EFTPOS
  • ELO
  • JCB
  • JCrew
  • Mada
  • Maestro
  • Mastercard
  • Meeza
  • Visa
To support dual-branded or co-badged cards, you must list your supported card type values for the allowedCardNetworks field based on your preference for processing card numbers. For example, if a card is dual-branded as Visa and Cartes Bancaires and Cartes Bancaires is listed first, the card type is set to Cartes Bancaires after the card number is entered in your Unified Checkout card collection form. For information on dual-branded or co-badged cards, see Support for Dual-Branded Cards.
Allowed Payment Types
You can specify the type of Unified Checkout digital payment methods you want to accept in the capture context.
Use the allowedPaymentTypes field to define the payment type:
  • APPLEPAY
  • CHECK
  • CLICKTOPAY
  • GOOGLEPAY
  • PANENTRY
  • PAZE
IMPORTANT
Click to Pay supports American Express, Mastercard, and Visa for saved cards. Visa and Mastercard tokenize payment credentials using network tokenization for all Click to Pay requests. Click to Pay uses Click to Pay Token Requester IDs (TRIDs) rather than your existing TRIDs.
For more information on enabling and managing these digital payment methods, see these topics:
Include Card Prefix
You can control the length of the card number prefix to be received in the response to the capture context /sessions request:
  • 6 digits
  • 8 digits
  • no prefix at all
To specify your preferred card number prefix length, include or exclude the transientTokenResponseOptions.includeCardPrefix field in the capture context /sessions request.
If you want to receive a 6-digit card number prefix in the response
  • Do not include the transientTokenResponseOptions.includeCardPrefix field in the capture context /sessions request.
  • This example shows how a 6-digit card number prefix 411111 is returned in the transient token response:
    "maskedValue" : "XXXXXXXXXXXX1111", "bin" : "411111"
If you want to receive an 8-digit card number prefix in the response
  • Include the transientTokenResponseOptions.includeCardPrefix field in the capture context request, and set the value to true.
    IMPORTANT
    Per PCI DSS requirements, this requirement applies only to card numbers longer than 15 digits and for Discover, JCB, Mastercard, UnionPay, and Visa brands.
    • If the card type entered is not part of these brands, a 6-digit card number prefix is returned instead.
    • If the card type entered is not part of these brands but is co-branded with these brands, an 8-digit card number prefix is returned.
  • This example shows how an 8-digit card prefix 41111102 is returned in the transient token response:
    "maskedValue" : "XXXXXXXXXXXX1111", "prefix" : "41111102"
If you do not want to receive a card number prefix in the response
  • Include the transientTokenResponseOptions.includeCardPrefix field in the capture context request, and set the value to false.
  • This example shows how a card number is returned without a card number prefix in the transient token response:
    "maskedValue" : "XXXXXXXXXXXX1111"
Best practice:
If your application does not require card number prefix information for routing or identification purposes, National Australia Bank recommends that you include the transientTokenResponseOptions.includeCardPrefix field in the capture context request and set its value to false. Doing so limits the exposure of payment data to only what is necessary for your processing needs.
For more information about PCI DSS, see Frequently Asked Questions on the PCI Security Standards Council site.
Complete Mandate
The complete mandate feature provides instructions to service orchestration in Unified Checkout and simplifies your integration. Service orchestration enables Unified Checkout to orchestrate services on your behalf. The complete mandate feature provides instructions to the unifiedPayment.complete() method in the JavaScript SDK. Include the completeMandate field object in your capture context to have Unified Checkout initiate services on your behalf from the browser.
The complete mandate feature is defined by two fields:
  1. completeMandate.type: This field is used to indicate how a payment should be processed. Possible values:
    • AUTH
    • CAPTURE
    • PREFER_AUTH
  2. completeMandate.decisionManager: This field determines if Decision Manager should be used. When this field is set to true, device fingerprinting is run. When set to false, device fingerprinting is not run and Decision Manager services are not used.
IMPORTANT
When integrating with National Australia Bank APIs, National Australia Bank recommends that you dynamically parse the response for the fields that you are looking for. Additional fields may be added in the future.
You must ensure that your integration can handle new fields that are returned in the response. While the underlying data structures will not change, you must also ensure that your integration can handle changes to the order in which the data is returned.
National Australia Bank uses semantic versioning practices, which enables you to retain backwards compatibility as new fields are introduced in minor version updates.

Features

This section includes information on the features that are supported in Unified Checkout.
Save Card
Save Card is supported for the Click to Pay and PAN entry payment methods when they are configured as allowed payment types on Unified Checkout.
When the feature is enabled, the Unified Checkout payment flow offers the customer the option to save their card information for future purchases placed at your website.
IMPORTANT
This feature is available only for card credentials that are manually entered during checkout. If Click to Pay is an available payment method, do not select Save this card with Click to Pay.
When the customer selects the checkbox and finalizes their purchase, you receive a notification in the transient token response to your capture context request. The transient token payload includes the consumerPreference.saveCard field value set to true.
Combo Cards
A combo card is a single card that functions as both a debit and a credit card. Unified Checkout enables the cardholder to choose whether to pay for a transaction using a debit or credit card. The cardholder can select the card that they want to use when they enter their card details or when they choose a stored Visa card from their Click to Pay wallet during checkout. While in the card details section of the payment form, the cardholder is prompted to decide if they would like to pay using a debit or credit card. Credit is selected as the default option.
IMPORTANT
Combo cards are supported on client version 0.24 and later.
IMPORTANT
Combo cards are required for issuers that are located in Brazil.
To enable combo cards during checkout, you must include the comboCard field in your capture context request and set the field value to true. When the comboCard field value is set to true, the option to use a debit or credit card appears for all Visa cards that are entered in Unified Checkout and for all cards that are already stored in Click to Pay. If you do not want to offer combo card at checkout, do not include the comboCard field in your capture context request.
Tax ID
The tax ID feature provides your customers with a way to include their Consumer National Identifier when it is requested at checkout.
IMPORTANT
This feature is required for customers in Brazil.
Email Autolookup
Automatic email lookup occurs when an email address is included in the capture context request. If the user has a Click to Pay account but is not on a recognized device, a one-time password (OTP) screen appears and the user is prompted to enter their OTP. If the user does not have a Click to Pay account, the user must enter their card information manually and they will have the option to create a Click to Pay account.
To enable email autolookup, you must include CLICKTOPAY as a value in the allowedPaymentTypes field and include an email address in the capture context.

Requesting the Capture Context

This section shows you how to request the capture context.

Endpoint

Production: POST https://nabgateway-api.nab.com.au/up/v1/capture-contexts
Test: POST https://nabgateway-api-test.nab.com.au/up/v1/capture-contexts

Required Fields for Requesting the Capture Context

Use these required fields to request the capture context:

Your capture context request must include these fields:
  • allowedPaymentTypes
  • clientVersion
  • country
  • locale
  • orderInformation.amountDetails.currency
  • orderInformation.amountDetails.totalAmount
  • targetOrigins: The URL in this field value must contain https.
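A pre-flight check for the request body, applying the required-field list above and the Target Origin rules (https only, no wildcards, scheme plus hostname plus optional port). This is an added example, not National Australia Bank code; the function names and error strings are assumptions made for illustration.

```javascript
// Added example (not NAB code): validate a capture context request before sending it.
const REQUIRED = [
  'allowedPaymentTypes', 'clientVersion', 'country', 'locale',
  'orderInformation.amountDetails.currency',
  'orderInformation.amountDetails.totalAmount', 'targetOrigins',
];

// Read a dotted path such as "orderInformation.amountDetails.currency".
const get = (obj, path) =>
  path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);

// Returns null when the value is an acceptable target origin, else the reason it is not.
function originProblem(value) {
  if (typeof value !== 'string') return 'not a string';
  if (value.includes('*')) return 'wildcards are not supported';
  let url;
  try { url = new URL(value); } catch { return 'not a URL'; }
  if (url.protocol !== 'https:') return 'scheme must be https';
  // An origin is scheme + hostname + optional port: reject any path beyond the
  // root, and any query, fragment or embedded credentials.
  if (url.pathname !== '/' || url.search || url.hash || url.username || url.password) {
    return 'must be an origin only';
  }
  return null;
}

// Returns a list of problems; an empty list means the body passed every check.
function checkCaptureContextRequest(body) {
  const problems = [];
  for (const field of REQUIRED) {
    const v = get(body, field);
    const empty = v === undefined || v === '' || (Array.isArray(v) && v.length === 0);
    if (empty) problems.push(`${field}: missing`);
  }
  for (const origin of [].concat(body.targetOrigins || [])) {
    const why = originProblem(origin);
    if (why) problems.push(`targetOrigins ${origin}: ${why}`);
  }
  return problems;
}
```

Running this on the server that builds the request keeps a mistyped or overly broad origin from ever reaching the capture context.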

Required Fields for Enabling the Save Card Feature

  • allowedPaymentTypes: Set to CLICKTOPAY, PANENTRY, or both to support the Save Card feature for Unified Checkout.
  • captureMandate.requestSaveCard: Set to true to enable the Save Card feature for Unified Checkout.
  • clientVersion: Set to 0.24 or newer to support the Save Card feature for Unified Checkout.

Required Field for Enabling Combo Cards

  • comboCard: Set to true to enable combo cards.

Required Fields for Requesting the Capture Context with the Tax ID

  • CPF: Set to true if the tax ID is required.
  • buyerInformation.personalIdentification.cpf: Set to the tax ID.

REST Example: Requesting the Capture Context

Request
{
  "targetOrigins": [ "https://unified-payments.appspot.com" ],
  "clientVersion": "0.26",
  "allowedCardNetworks": [ "VISA", "MASTERCARD", "AMEX" ],
  "allowedPaymentTypes": [ "CLICKTOPAY", "PANENTRY", "GOOGLEPAY" ],
  "country": "US",
  "locale": "en_US",
  "captureMandate": {
    "billingType": "FULL",
    "requestEmail": true,
    "requestPhone": true,
    "requestShipping": true,
    "shipToCountries": [ "US", "GB" ],
    "showAcceptedNetworkIcons": true
  },
  "orderInformation": {
    "amountDetails": {
      "totalAmount": "21.00",
      "currency": "USD"
    },
    "billTo": {
      "address1": "1111 Park Street",
      "address2": "Apartment 24B",
      "administrativeArea": "NY",
      "buildingNumber": "3",
      "country": "US",
      "district": "district",
      "locality": "New York",
      "postalCode": "00000",
      "company": {
        "name": "Visa Inc",
        "address1": "900 Metro Center Blvd",
        "administrativeArea": "CA",
        "buildingNumber": "1",
        "country": "US",
        "district": "district",
        "locality": "Foster City",
        "postalCode": "94404"
      },
      "email": "[email protected]",
      "firstName": "Maya",
      "lastName": "Tran",
      "middleName": "S",
      "title": "Ms",
      "phoneNumber": "1234567890",
      "phoneType": "phoneType"
    },
    "shipTo": {
      "address1": "Visa",
      "address2": "123 Main Street",
      "address3": "Apartment 102",
      "administrativeArea": "CA",
      "buildingNumber": "string",
      "country": "US",
      "locality": "Springfield",
      "postalCode": "99999",
      "firstName": "Joe",
      "lastName": "Soap"
    }
  }
}
Successful Encrypted JWT Response
eyJraWQiOiJqNCIsImFsZyI6IlJTMjU2In0.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.XWXmjiZZGyHWIhT1hbBnc2xfhcYczpBYxhTn4g9NMt2utMaPR8wWcZ8TYDXd8HRLBWZkktkXxFFetJ4Tc6dQ4irZ6KmalWItWEUJpjN-5sLC4Qr1gG1JOOH5_hK6n_1hnjcQeRUBg-MsCSRBE_MA6ROSZgyfc1_WwL0g1TQUiKN5SvaM_37ooimebPQfvYyXyR_6Zkn9fu51w6NF_Qj0wtuQP4J4P3cgyZzzOFNKuHOwi7ISmyW6BcQXQrec577SRBfcMhhC3PBxl5OrXua4qUJ_qYbplA8P4n6f2--onAYef3UXFHmc28eRiTEeN0l0P1Yj45CIotbuw36mZrnRPQ
Decrypted Capture Context Header
{ "kid": "j4", "alg": "RS256" }
Decrypted Capture Context Body with Selected Fields
{
  "flx" : {
    // filled with token metadata
  },
  "ctx" : [
    {
      // filled with data related to your capture context request parameters
      "data" : {
        "clientLibrary" : "https://apitest.example.com/up/v1/assets/0.26.0/SecureAcceptance.js"
      },
      "type" : "gda-0.9.0"
    }
  ],
  "iss" : "Flex API",
  "exp" : "1710964780",
  "iat" : "1710963880",
  "jti" : "8Ik8lu64Hw6jCT8l"
}

Validating the Capture Context

The capture context that you generate is a JSON Web Token (JWT) data object. The JWT is digitally signed using a public key. This confirms the validity of the JWT and that it comes from National Australia Bank. When you do not have a key in the JWT header, National Australia Bank recommends that you follow cryptography best practices and validate the capture context signature.
To validate a JWT, you must obtain its public key. This public RSA key is in JSON Web Key (JWK) format. The public key is associated with the capture context on the National Australia Bank domain.
To get the public key of a capture context from the header of the capture context itself, you must retrieve the key ID associated with the public key and then pass the key ID to the /flex/v2/public-keys endpoint:
  1. From the header of the capture context, get the key ID (kid):
    { "kid": "3g", "alg": "RS256" }
  2. Send a GET request to the /flex/v2/public-keys endpoint and include the key ID. For example:
    • Test: GET https://nabgateway-api-test.nab.com.au/flex/v2/public-keys/{3g}
    • Production: GET https://nabgateway-api.nab.com.au/flex/v2/public-keys/{3g}
    Depending on the cryptographic method you use to validate the public key, you might need to convert the key to privacy-enhanced mail (PEM) format.
  3. The resource returns the public key:
    Use this public RSA key to validate the capture context.
  4. Base64 decode the capture context to get the kid from its header:
    { "kid": "3g", "alg": "RS256" }
  5. Send a GET request to retrieve the public key from /flex/v2/public-keys/3g:
    {
      "kty": "RSA",
      "use": "enc",
      "kid": "3g",
      "n": "ir7Nl1Bj8G9rxr3co5v_JLkP3o9UxXZRX1LIZFZeckguEf7Gdt5kGFFfTsymKBesm3Pe8o1hwfkq7KmJZEZSuDbiJSZvFBZycK2pEeBjycahw9CqOweM7aKG2F_bhwVHrY4YdKsp_cSJe_ZMXFUqYmjk7D0p7clX6CmR1QgMl41Ajb7NHI23uOWL7PyfJQwP1X8HdunE6ZwKDNcavqxOW5VuW6nfsGvtygKQxjeHrI-gpyMXF0e_PeVpUIG0KVjmb5-em_Vd2SbyPNmenADGJGCmECYMgL5hEvnTuyAybwgVwuM9amyfFqIbRcrAIzclT4jQBeZFwkzZfQF7MgA6QQ",
      "e": "AQAB"
    }
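The validation steps above carried through in Node.js, as an added example that is not National Australia Bank code. It assumes the JWK has already been fetched from /flex/v2/public-keys/{kid}; the function names are hypothetical, and the sample token is constructed with a throwaway key pair so the block runs offline.

```javascript
// Added example (not NAB code): verify a capture context JWT against its JWK.
const crypto = require('crypto');

const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// jwk: the JSON returned for the token's kid. nowSec is injectable so tests can fix the clock.
function verifyCaptureContext(jwt, jwk, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const [h, p, s] = parts;
  const header = b64urlJson(h);
  // Pin the algorithm: the token must not choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  if (header.kid !== jwk.kid) throw new Error('kid mismatch');
  // Import only the RSA parameters; Node accepts JWK directly, so no PEM conversion is needed.
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Read claims only after the signature has been checked.
  const payload = b64urlJson(p);
  // exp is a string of epoch seconds in the page's sample body; Number() accepts both forms.
  if (!(Number(payload.exp) > nowSec)) throw new Error('expired');
  return payload;
}

// Constructed sample: a locally generated key pair stands in for the gateway's signing key.
function makeSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwk = { ...publicKey.export({ format: 'jwk' }), kid: '3g' };
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const body = { iss: 'Flex API', exp: '1710964780', iat: '1710963880' };
  const signingInput = `${enc({ kid: '3g', alg: 'RS256' })}.${enc(body)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return { jwt: `${signingInput}.${sig.toString('base64url')}`, jwk };
}
```

Fetch the JWK from the gateway host you configured, using the kid only as a path component, and reject the token on any thrown error before passing it to the browser.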