On this page:



With Opayo's Token feature, you can ask to save your customers card details as a reusable token.

The card details remain completely secure on our system and you can use the token when you process the returning customer's purchases. Returning customers need only:

  1. Sign in to your website.
  2. Proceed to checkout.
  3. Select a card to pay with.
  4. If required, enter the card's CV2.


The CV2 may not be necessary for all transactions. If a CV2 is not submitted when required then the transaction may fail.

Save a Token

To save the card details as a token for future purchases during the initial Transaction Registration:

  1. Prepare a Transaction Registration POST as usual.
  3. Set CreateToken to 1.
  4. Update the Credential on File fields.
Note: Opayo stores all your customer’s card details against the token except the CV2. The CV2 is sensitive authentication data and cannot be stored after authorisation even when encrypted. Your returning customer must resubmit their card’s CV2 for each purchase.

    A Successful Response

    You will receive all the data you need to store the card in the card object as a token when the transaction is successful.

    You can now reuse the token for this customer’s future transactions.

    Important: Opayo Token System does not validate any customer information associated with the token and therefore it is important for you to store the correct token with the customer's details to ensure that payment is taken from the correct card.
    The returned token will be formatted as a GUID.

    Reuse a Token

    When successfully created and stored, a token can be used for future purchases made by the customer.

    Important: To continue to reuse the token, you must set the StoreToken value to 1 each time it is used. If the StoreToken field is not passed or where StoreToken=0 the token will be deleted by default.
    Important: When reusing a token, you must include the appropriate Credential on File fields.

    Delete a Token

    Tokens are easily deleted. For example, when your customer deletes their account on your website or replaces the stored card with another.

    To delete a token, your server creates and submits a POST to the remove token URL with TxType set to REMOVETOKEN. Opayo will repond with the result of your REMOVETOKEN request.