Normally, parameters set on the COPYandPAY token cannot be overwritten. It is sometimes useful to be able to overwrite certain session parameters (e.g. change the value of "ADDRESS.STREET") rather than having to regenerate a new token with different parameter values. This is possible if a "SECURITY.SECRET" parameter and value are set in the first GenerateToken call and the same values are resent later. The "SECURITY.SECRET" should be a randomly-generated, difficult to guess value and can be different for each generated token.

It is critical that the "SECURITY.SECRET" parameter is only sent in server-to-server calls and not browser-to-server calls. Otherwise the shopper can see the secret and overwrite parameters in the payment session.


API Changes

When a "SECURITY.SECRET" parameter is set, there are some changes in the API requirements. When calling certain COPYandPAY API URLs, the "SECURITY.SECRET" parameter must also be sent. Otherwise, a response with JSON path "transaction.processing.return.code" will have a value of "800.900.302" (authorization failed) returned. This is meant to prevent the shopper from being able to directly execute the action himself or read the result. The following API calls are affected:

  1. Validate

  2. GetStatus

Modifying Parameters

When you have sent the "SECURITY.SECRET" in the first GenerateToken call you can update parameters you already sent before by sending another GenerateToken call that also has the "SECURITY.SECRET" parameter. This can be done for any Server-to-Server GenerateToken call before the payment form is sent.

Modifiable Parameters

Not every parameter can have its value changed. Parameters that can have their value changed are: