Token Encryption Guide
Use a Pre-shared Encryption Key
Your integration and PayWise share one encryption secret.
- Keep this key on your side only
- Encrypt locally (client, backend, or secure middleware)
- Send encrypted values only
Never send your pre-shared key to PayWise
Do not include your pre-shared encryption key in headers, request bodies, logs, support tickets, or screenshots.
Transport and Access Controls
- Authenticate API calls with `PW-subscription-key`
- Enforce source IP allowlisting where configured
- Keep key material and payload encryption local/offline from PayWise
Algorithm Contract
PayWise legacy compatibility contract:
- AES-256-CBC
- EVP_BytesToKey key derivation (MD5 chain, 8-byte salt)
- Encrypted envelope payload with `ct`, `iv`, `s`
- Final wire value is base64-encoded JSON envelope
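The contract above as a Node.js sketch; this is an added example, not PayWise's own code, and the linked language samples remain authoritative. It assumes a single MD5 iteration in EVP_BytesToKey (the OpenSSL legacy default) and CryptoJS-style field encodings (`ct` base64, `iv` and `s` hex); the function names are hypothetical.

```javascript
const crypto = require("node:crypto");

// EVP_BytesToKey with MD5: D_1 = MD5(pass || salt), D_i = MD5(D_{i-1} || pass || salt).
// One iteration per block is an assumption; the page only says "MD5 chain".
function evpBytesToKey(passphrase, salt, keyLen = 32, ivLen = 16) {
  const pass = Buffer.from(passphrase, "utf8");
  let derived = Buffer.alloc(0);
  let block = Buffer.alloc(0);
  while (derived.length < keyLen + ivLen) {
    block = crypto.createHash("md5")
      .update(Buffer.concat([block, pass, salt]))
      .digest();
    derived = Buffer.concat([derived, block]);
  }
  return {
    key: derived.subarray(0, keyLen),             // 32 bytes for AES-256
    iv: derived.subarray(keyLen, keyLen + ivLen), // 16-byte CBC IV
  };
}

// Build the wire value: base64(JSON({ct, iv, s})).
// Field encodings (ct base64, iv/s hex) are assumed, not stated on the page.
function encryptToken(plaintext, passphrase, salt = crypto.randomBytes(8)) {
  if (salt.length !== 8) throw new Error("salt must be 8 bytes");
  const { key, iv } = evpBytesToKey(passphrase, salt);
  const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const envelope = {
    ct: ct.toString("base64"),
    iv: iv.toString("hex"),
    s: salt.toString("hex"),
  };
  return Buffer.from(JSON.stringify(envelope), "utf8").toString("base64");
}

// Inverse operation, for a local round-trip self-test before going live.
function decryptToken(wire, passphrase) {
  const env = JSON.parse(Buffer.from(wire, "base64").toString("utf8"));
  const { key, iv } = evpBytesToKey(passphrase, Buffer.from(env.s, "hex"));
  // A mismatch means the wrong secret or a tampered envelope.
  if (iv.toString("hex") !== env.iv) throw new Error("iv does not match derivation");
  const d = crypto.createDecipheriv("aes-256-cbc", key, iv);
  const pt = Buffer.concat([d.update(Buffer.from(env.ct, "base64")), d.final()]);
  return pt.toString("utf8");
}
```

EVP_BytesToKey with MD5 adds almost no brute-force cost and CBC has no integrity check, so the pre-shared key should be a long random value rather than a human-chosen passphrase.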
Which Field Must Be Encrypted?
| Endpoint | Field to send from your app | Wrapper forwards upstream as |
|---|---|---|
| `POST /institution/quote` | `session_token_enc` | `session_token` |
| `POST /institution/transaction` | `session_token_enc` | `session_token` |
| `GET /institution/transaction` | `transaction_id_enc` | `transaction_id` |
POST vs GET Clarification
- `POST /institution/transaction`: `transaction_id` is plaintext idempotency id
- `GET /institution/transaction`: `transaction_id_enc` is encrypted
Language Samples
- TypeScript: Client-side Encryption (TypeScript)
- Java: Client-side Encryption (Java)
- Python: Client-side Encryption (Python)
- C#/.NET: Client-side Encryption (.NET/C#)