m2pfintech
API LibraryCard Tokenization

Pair ECDH Public Key (One-Time Setup)

Register your ECDH public key with M2P. This is a one-time setup step performed during partner onboarding — not per-session.

The public key is generated using the P-256 (secp256r1) elliptic curve and submitted as a hex-encoded string. M2P stores this key and uses it as the base for ECDH shared secret derivation in subsequent generateSharedSecret calls.

Note: This endpoint is on the Core VDMS API server (/Yappay context), not the Auth/Tokenization service. Use the servers https://secure.yappay.in/Yappay (production) or https://sit-secure.yappay.in/Yappay (sandbox).

POST
/business-entity-manager/pairPublicKey

Authorization

BasicAuth
AuthorizationBasic <token>

Partner credentials (username/password) provisioned during onboarding

In: header

Header Parameters

TENANT*string

Tenant identifier (sponsor bank) provisioned during onboarding

Request Body

application/json

publicKey*string

Client ECDH public key in uncompressed hex format (P-256 / secp256r1 curve). Uncompressed keys are 65 bytes (130 hex chars) and begin with 04.

Response Body

application/json

application/json

application/json

application/json

curl -X POST "https://secure.yappay.in/Yappay/business-entity-manager/pairPublicKey" \  -H "TENANT: TENANT_NAME" \  -H "Content-Type: application/json" \  -d '{    "publicKey": "04605a53e4d1a8c6a8b4d3e9f7c2a1b8e5d4f3c2a1b8e5d4f3c2a1b8e5d4f3c2a1b8e5d4f3c2a1b8e5d4f3c2a1b8e5d4f3c2a1b8e5d4f3c2a1b8e5d4"  }'
{
  "result": true,
  "exception": null
}
{
  "result": null,
  "error": {
    "errorCode": "VALIDATION_ERROR",
    "shortMessage": "Invalid request",
    "detailMessage": "recipientPan is required",
    "fieldErrors": [
      "recipientPan: must not be blank"
    ]
  }
}
{
  "result": null,
  "error": {
    "errorCode": "AUTH_FAILED",
    "shortMessage": "Authentication failed",
    "detailMessage": "Invalid credentials"
  }
}
{
  "result": null,
  "error": {
    "errorCode": "INTERNAL_ERROR",
    "shortMessage": "Internal server error",
    "detailMessage": "An unexpected error occurred. Please contact support."
  }
}

Generate Shared Secret (Per-Session) POST

Generate an ECDH shared secret and receive a one-time tokenization URL for this session. Called **from your backend server** once per card-entry session before rendering the card input UI. **What this does:** 1. Accepts your ephemeral ECDH public key 2. Performs ECDH key agreement server-side to derive a shared secret 3. Returns the M2P server public key, shared secret, and a signed one-time URL to be used in Step 3 (`createCardToken`) **Security model:** - The `sharedSecret` returned here is used by the **frontend** to derive the AES encryption key for card data. It must be passed to the browser/app securely (e.g., embedded in page state, not logged). - The `url` in the response is a signed, single-use endpoint for card tokenization. It encodes session context via the `key` query parameter and expires after a short TTL. > **Note:** This endpoint is on the Auth/Tokenization Service. The exact base URL > is provided during onboarding. Use the `token` header with the API token > provisioned for your integration.

Check Card Eligibility POST

Verify if a card is eligible for push (OCT) or pull (AFT) transactions. - Automatically routes to Visa Direct or Mastercard Send based on card BIN - Returns eligibility details including Fast Funds support - Use `transactionType` to check for specific capabilities (OCT or AFT)