On this page:


With Opayo's Token feature, you can ask to save the customer's card number as a reusable token.

The card details remain completely secure on our system and you can use the token when you process the returning customer's purchases. Returning customers need only:

  1. Sign in to your website.
  2. Proceed to checkout.
  3. Select a card to pay with.
  4. When required, enter the card's CV2.


The CV2 may not be necessary for all transactions. If a CV2 is not submitted when required then the transaction may fail.

    Save a Token

    To save the card details as a token for future purchases during the initial Transaction Registration:

    1. Prepare a Transaction Registration POST as usual.
    2. Set the TxType to PAYMENT, DEFERRED, or AUTHENTICATE.
    3. Set CreateToken to 1.
    4. Update the Credential on File fields.
    Note: Opayo stores all your customer’s card details against the token except the CV2. The CV2 is sensitive authentication data and cannot be stored after authorisation even when encrypted. Your returning customer must resubmit their card’s CV2 for each purchase.

      A Successful Response

      You will receive all the data you need to store the card in the card object as a token when the transaction is successful.

      You can now reuse the token for this customer’s future transactions.

      Important: Opayo Token System does not validate any customer information associated with the token and therefore it is important for you to store the correct token with the customer's details to ensure that payment is taken from the correct card.
      The returned token will be formatted as a GUID.

      Reuse a Token

      When successfully created and stored, a token can be used for future purchases made by the customer.

      Important: To continue to reuse the token, you must set the StoreToken value to 1 each time it is used.
      Important: You will need to provide the appropriate Credential on File fields when reusing a token.

      Delete a Token

      Tokens are easily deleted. Fore example, when your customer deletes their account on your website or replaces the stored card with another.

      To delete a token, your server creates and submits a POST to the remove token URL with TxType set to REMOVETOKEN. Opayo will repond with the result of your REMOVETOKEN request.