worldline

Documentation

Worldline Management Interface

Version 1.0.3

Table of Contents

  1. Introduction

    1. Supplementary documentation

    2. Acronyms

    3. Tap on Mobile operation modes

      1. Standalone operation mode

      2. Integrated operation mode

      3. Operation modes summary

    4. Supported processes

      1. Checking ToM status outside WPI context

      2. ToM already registered with other application

      3. Integrated ToM registration process

      4. Integrated ToM deregistration process

    5. Interface limitations

  2. [WMI] Android Communication Layer

    1. Android Inter App Communication

      1. Interface structure

      2. Android Intent implementation

  3. [WMI] Integrated authentication functions

    1. Check application status

    2. Register terminal

    3. Unregister terminal

    4. Application statuses

    5. Result

    6. Service Types

  4. Tap on Mobile backend API

    1. ToM backend API OAuth2 authentication

      1. Request Parameters

      2. Response Parameters

    2. Retrieving and managing merchant’s terminal structure

      1. Request Parameters

      2. Response Parameters

    3. Locking a terminal selected for registration

      1. Request Parameters

      2. Response Parameters

1. Introduction

This page is intended for third-party application providers who wish to develop business applications interacting with Worldline Tap on Mobile application and explicitly covers the supplementary management processes which currently are built around the integrated registration functions. All payment context uses cases and operations are defined by Worldline Payment Interface. All source code examples used in this document are written in Kotlin (Android). High level architecture and interfaces view including Worldline Payment Interface and Tap on Mobile Management Interface flows is presented below.

1.1 Supplementary documentation

Reference

Specification Description

WPI

Worldline Payment Interface Specification for tap on Mobile

Tom API

Tap on Mobile backend API specificaiton: Tap on Mobile backend API specification

1.2 Acronyms

Acronym

Meaning

MID

Merchant ID

TID

Terminal ID

WMI

Worldline Management Interface

ToM

Worldline Tap on Mobile

WPI

Worldline Payment Interface

1.3 Tap on Mobile operation modes

Due to regulatory constraints Tap on Mobile application uses a single and common distribution channel – Google Play Store. It means that all offered operation modes must be consistently supported in the same product. Hence, it is important to understand the dependencies between relevant operation modes, i.e. standalone and integrated authentication. Tap on Mobile application logic checks and relies on selected operation mode.

1.3.1 Standalone operation mode

Standalone operation mode represents all use cases in which the application has been manually enrolled by the user by the means of built-in UI registration options. This mode requires to establish a 4-digit application access code which entry is then required for any authentication operations. If supported by the current product configuration, access code may be replaced by the device biometry options.

Using standalone operation mode supports WPI methods. All WPI function calls to unauthenticated ToM application will trigger a login screen (4-digit access code or biometry means required). The only exception from this rule applies when product configuration specifically supports a delegated application login for WPI (setting is specific to standalone authentication mode).

In future releases ToM application logic for standalone mode operation will introduce a rule that will disable the manual application usage after the 1st processed WPI call. In this scenario: upon the manual launch the ToM application that already processed WPI calls will present a dedicated screen informing the user that it runs in an integrated mode.

1.3.2 Integrated operation mode

Integrated operation mode represents all use cases in which the application is enrolled using WMI. WPI functions are also supported for terminals using this mode, however there are several rules which are crucial for proper integrated mode usage and understanding, i.e.:

  1. ToM application registered in integrated mode cannot be accessed from the application GUI (except login screen upon manual application launch);

  2. After registering ToM application is responsible for its own authentication and session validity and hence login/authentication function does not need to be covered by 3rd party application;

  3. During the registration process in integrated mode, ToM application checks the registering 3rd party application package name and bounds to it;

  4. While ToM application is exclusively bound to certain 3rd party application package name, all WPI and selected WMI requests incoming from other application packages will be rejected with a dedicated errorCondition code;

    1. WMI_SVC_REGISTER service is exempted from this rule to allow automated re-bounding of ToM application to another 3rd party application package name running in the same device.

To allow assessing which action is required, WMI offers a dedicated function to retrieve the current ToM application status. It is strongly recommended to retrieve this information outside of payment acceptance context.

1.3.3 Operation modes summary

This section outlines ToM application behavior for selected functions in available operation modes.

Standalone operation mode

(manual registration)

Integrated operation mode

(WMI registration)

Manual desktop application launch

• ToM login screen (for unauthenticated app)

• ToM home screen (for authenticated app)

• ToM login screen

• [future function] dedicated screen informing that the application runs in an integrated mode

WPI functions

Supported (for whitelisted package names)

Supported only for 3rd party application package name that registered the ToM application

ToM application login upon calling WPI functions

• [global behavior] seamless – ToM app uses 4 digit access code set during registration or during 1st login activity;

• [optional behavior upon request] ToM login screen and manual provision of 4 digit access code every time the authentication is required

• Not applicable; handled internally by the ToM application

Manual desktop launch after calling WPI functions

Current logic :

• ToM login screen (for unauthenticated app)

• ToM home screen (for authenticated app)

Future logic :

[global behavior] : dedicated screen informing the user that ToM application is running in an integrate mode

[optional behavior upon request] :

o ToM login screen (for unauthenticated app)

o ToM home screen (for authenticated app)

• ToM login screen

• [future function] dedicated screen informing that the application runs in an integrated mode

Unregistration capabilities

No WPI requests processed:

• Unsubscribe option available from login screen (for unauthenticated app);

• Unregister function in app settings (for authenticated app);

• Unregistering from merchant portal;

WPI requests already processed:

• Unsubscribe option available from a dedicated screen informing the user that ToM application is running in an integrated mode;

• Unregistering from merchant portal;

• WMI_SVC_AUTH_UNREGISTER function;

• WMI_SVC_REGISTER function (available to all 3rd party packages and purging the previous registration process);

• Unsubscribe option available from login screen (for unauthenticated app);

• Unregistering from merchant portal;

1.4 Supported processes

Current interface design addresses thre processes that are relevant for 3rd party application developers

1.4.1 Checking ToM status outside WPI context

This process explains actors and operations’ sequence for assessing the current ToM application status

1.4.2 ToM already registered with other application

This process outlines actors and operations’ sequence for negative scenario where ToM application is already registered with other 3 rd party application package

1.4.3 Integrated ToM registration process

This process explains actors and operations’ sequence for new terminal registration

1.4.4 Integrated ToM deregistration process

This process explains actors and operations’ sequence for removing previously made terminal enrollment

1.5 Interface limitations

ID

Area

Limitation description

1

Manual ToM app Launch

ToM application may still be launched from device desktop. In this case a standard standalone login screen will be displayed, without any specific user explanation and without an effective option to login;

Potential future improvements:

  • Implement a dedicated activity replacing a standalone login screen to guide the user who opened the ToM app manually;

  • Implement a reverse intent interface which would redirect the user to 3rd party application in case ToM application is launched using a desktop icon

ID

Area

Limitation description

2

Registration token read from QR code

It is possible to launch WMI_SVC_REGISTER call without providing a registration token. In this scenario ToM app will launch a QR code scanner but without any preparatory screen;

It is strongly recommended not to consider any QR-code read based implementations until this process is explicitly covered by the documentation;

Potential future improvements:

  • Implement a dedicated preparatory screen before triggering an QR code reader by ToM application;

  • Implement a reverse intent interface which would redirect the user to 3rd party application in case ToM application is launched using a desktop icon;

2. [WMI] Android Communication Layer

2.1 Android Inter App Communication

Tap on Mobile Management Interface is using Intents in Android that are a means of communicating between components of an Android app, such as between Activities, Services, Broadcast Receivers, and Content Providers. An Intent object is used to describe what an app component should do, including the action to be performed and the data to be used.

Intent usage in Android for application integration can be broadly categorized into two types:

  1. Explicit Intents: These intents are used to launch a specific component within the same app. The target component is specified explicitly in the intent. For example, starting an Activity from another Activity within the same app.

  2. Implicit Intents: These intents do not specify the target component directly. Instead, they declare a general action to be performed and let Android resolve the target component based on the information provided in the intent. For example, sending an email or opening a web page. WMI is the implementation of this type of intent.

Intents can also carry data in the form of key-value pairs, called Extras, which can be used to pass data between components. By using intents, apps can delegate tasks to other components and take advantage of the existing Android framework to perform common actions.

2.1.1 Interface structure

Currently WMI version provides a single intent type that developers can use to build apps that work with the interface. Due to solution configuration process requirements, all operations fall to Display Action category, i.e. actions performed do not require user interaction but require starting of payment acceptance solution start, hence cannot be executed as a background process. The following table lists each intent, along with its purpose:

Type

Category

Intent

Purpose

Configuration

Display Action

com.worldline.management.action.PROCESS_OPERATION

Process a solution management operation

2.1.2 Android Intent implementation

The start of an operation is based on an intent. Each special transaction type has a set of parameters that are mandatory

val intent = Intent("com.worldline.management.action.PROCESS_OPERATION").apply{flags += Intent.
FLAG_ACTIVITY_REORDER_TO_FRONT}

This intent requires some extras:

Extra

Description

Type

Condition

WMI_SERVICE_TYPE

Specify the subtype of action to be executed

String

Mandatory

WMI_REQUEST

The request contains JSON structured data mandatory for given service type, in some specific cases this fiedls is not given or empty

String

Conditional (depending on function)

SHOW_OVERLAY

Flag that specifies wheteher to show a semi-transparent overlay with a loader in the middle while processing the intent

Boolean

Conditional (true by default)

The transaction request fields and examples per transaction type are explained in the subsequent sections

/**
* Example code snippet on how to send a WMI request and handle the response.
*/

class LoginActivity : AppCompatActivity() {

    private val launcher = registerForActivityResult(
        ActivityResultContracts.StartActivityForResult()
    ) { result ->
        result.data?.let { handleTransactionResponse(it) }
    }

    private fun startWMIOperation(WMIRequestJson: String, serviceType: String)  {
        val intent = Intent("com.worldline.management.action.PROCESS_OPERATION").apply {
        putExtra("WMI_SERVICE_TYPE", serviceType)
        putExtra("WMI_REQUEST", WMIRequestJson)
        putExtra("SHOW_OVERLAY ", false) // when we don’t want the overlay
    }
        launcher.launch(intent)
    }

    private fun handleWMIResponse(intent: Intent) {
        val rawJsonResponse = intent.getStringExtra("WMI_RESPONSE")
        // Handle response
    }
}

As you can see in the above example, the transaction request is sent to the payment application as JSON. The final result of the transaction is returned from the intent started previously and needs to be handled based on the service type. The JSON format is described in chapter 3.

3. [WMI] Integrated authentication functions

This chapter describes the data exchange format, all requests and responses are described here. WMI is using JSON as data exchange.

3.1 Check application status

This function is intended to be used outside of payment acceptance context to determine the current Tap on Mobile application status and assess whether it is properly authenticated and ready to perform payment acceptance functions

Request:

Extra

Description

Type

Condition

WMI_SERVICE_TYPE

WMI_SVC_CHECK_STATUS

String

Mandatory

WMI_REQUEST parameters: None - might be created for future use

Response

Extra

Description

Type

Condition

WMI_SERVICE_TYPE

WMI_SVC_CHECK_STATUS

String

Mandatory

WMI_RESPONSE

JSON structured response parameters as described in subsequent table

String

Mandatory

WMI_RESPONSE_ parameters

Field name

Description

Type

Condition

result

Result of the transaction (success or failure)

String

Mandatory

errorCondition

Specific error reason (see table below)

String

Mandatory

remark

Terminal/transaction specific message for detailed error descriptions. Text provided by payment app in English

String

Optional

appStatus

Tap on Mobile application status indicating whether application is already registered

String

Mandatory

Error conditions

Error condition

Description

WMI_ERR_COND_NONE

Will always be present if no error occurred, confirms successful result

WMI_ERR_COND_SERVICE_NOT_SUPPORTED

Requested service type is not supported by the Payment Application

WMI_ERR_COND_INVALID_JSON

Incorrect request structure or contents, parsing error

WMI_ERR_COND_GENERIC

A mobile application generic error that is not explicitly outlined here

WMI_ERR_COND_INTERNAL_

Backend-driven generic error taht is not explicitly outlined here

WMI_ERR_COND_TERMINAL_BUSY

Terminal communication is exclusively restricted to another 3rd party application package

3.2 Register terminal

This function is intended to be used outside of payment acceptance context to determine the current Tap on Mobile application status and assess whether it is properly authenticated and ready to perform payment acceptance functions.

Request

Extra

Description

Type

Condition

WMI_SERVICE_TYPE

WMI_SVC_REGISTER

String

Mandatory

WMI_REQUEST parameters

Fields name

Description

Type

Condition

registrationToken

TID specific registration token retrieved from Tap on Mbile backend (Merchant API) in case this parameter is not present, Tap on Mobile app will collect all required permissions and launch QR-code reader to scan the registration token

String

Optional

Response

Extra

Description

Type

Condition

WMI_SERVICE_TYPE

WMI_SVC_REGISTER

String

Mandatory

WMI_RESPONSE

JSON structured response parameters as described in subsequent table

String

Mandatory

WMI_RESPONSE_ parameters

Field name

Description

Type

Condition

result

Result of the transaction (success or failure)

String

Mandatory

errorCondition

Specific error reason (see table below)

String

Mandatory

remark

Terminal/transaction specific message for detailed error descriptions. Text provided by payment app in English

String

Optional

Error conditions

Error condition

Description

WMI_ERR_COND_NONE

Will always be present if no error occurred, confirms successful result

WMI_ERR_COND_SERVICE_NOT_SUPPORTED

Requested service type is not supported by the Payment Application

WMI_ERR_COND_INVALID_JSON

Incorrect request structure or contents, parsing error

WMI_ERR_COND_AUTH_NOT_POSSIBLE

Registration was not possible due to an auth issue, for example a passed registration token invalid

WPMI_ERR_COND_GENERIC

A mobile application generic error that is not explicitly outlined here

WMI_ERR_COND_INTERNAL

Backend-driven generic error that is nto explicitly outlined here

WMI_ERR_COND_TERMINAL_BUSY

Terminal communication is exclusively restricted to another 3rd party application package

3.3 Unregister terminal

This function is intended to be used only with already registered terminal. It allows to unregister the currently assigned TID from the mobile application instance.

Request:

Extra

Description

Type

Condition

WMI_SERVICE_TYPE

WMI_SVC_AUTH_UNREGISTER

String

Mandatory

WMI_REQUEST parameters: None - might be created for future use

Response

Extra

Description

Type

Condition

WMI_SERVICE_TYPE

WMI_SVC_AUTH_UNREGISTER

String

Mandatory

WMI_RESPONSE

JSON structured response parameters as described in subsequent table

String

Mandatory

WMI_RESPONSE_ parameters

Field name

Description

Type

Condition

result

Result of the transaction (success or failure)

String

Mandatory

errorCondition

Specific error reason (see table below)

String

Mandatory

remark

Terminal/transaction specific message for detailed error descriptions. Text provided by payment app in English

String

Optional

Error conditions

Error condition

Description

WMI_ERR_COND_NONE

Will always be present if no error occurred, confirms successful result

WMI_ERR_COND_SERVICE_NOT_SUPPORTED

Requested service type is not supported by the Payment Application

WMI_ERR_COND_AUTH_NOT_POSSIBLE

Valid terminal registration was not found

WPMI_ERR_COND_GENERIC

A mobile application generic error that is not explicitly outlined here

WMI_ERR_COND_INTERNAL

Backend-driven generic error that is nto explicitly outlined here

WMI_ERR_COND_TERMINAL_BUSY

Terminal communication is exclusively restricted to another 3rd party application package

3.4 Application Statuses

Status

Description

NEW

Technical status (should not be expected) indicating that registration process may be performed; Tap on Mobile application is not registered

INITIALIZED

Registration process may be performed; Tap on Mobile application is not registered

REGISTERED

Tap on Mobile application is registered but not yet authenticated – WPI functions may be performed;

AUTHENTICATED

Technical status (should not be expected) indicating that Tap on Mobile application still performs configuration activities

ACTIVE

Tap on Mobile application is authenticated and ready to perform payment acceptance functions (WPI)

ERROR

Tap on Mobile application crash

3.5 Result

Result

Description

WMI_RESULT_SUCCESS

In case of successful transaction

WMI_RESULT_FAILURE

In case of failed transaction

3.6 Service Types

Action Codes

Description

WMI_SVC_CHECK_STATUS

Service type for checking current Tap on Mobile application status

WMI_SVC_REGISTER

Service Type for initiating the terminal enrollment sequence

WMI_SVC_AUTH_UNREGISTER

Service type for unregistering the terminal by the 3rd party application package used previously for enrollment

4. Tap on Mobile backend API

Implementing Tap on Mobile integrated authentication mode requires integrating 3rd party application backend directly to ToM backend API. Storing OAuth2 access credentials directly in the mobile application not allowed.

This integration process requires covering the following areas:

  1. ToM backend API oauth2 authentication;

  2. The logic to retrieve and manage merchant terminals structure in 3rd party application backend;

  3. The logic to lock free terminal selected for registration.

4.1 ToM backend API OAuth2 authentication

The Oauth2 token endpoint provides access tokens which are used to authenticate and authorize requests to protected resources as described in ToM API and subsequent sections.

To request an access token it is required to provide a valid client ID and client secret.

4.1.1 Request Parameters

The following parameters are used in the OAuth2 token endpoint (/oauth2/token).

Parameter

Description

grant_type

A string indicating which grant type is being used: client_credentials

scope

The scope of the access token, indicating the permissions that are granted to the client

client_id

A unique identifier for the client application, issued by the authorization server

client_secret

A secret string used to authenticate the client application with the authorization server

4.1.2 Response Parameters

The response from the token endpoint will include a number of parameters

Parameter

Description

access_token

A string containing the access token, which will be used for the terminal authentication endpoint

scope

The scope of the access token, indicating the permissions that are granted to the client

Token_type

The type of access toekn. For example "Bearer"

expires_in

The number of second before the access token expires and a new one must be requested

4.2 Retrieving and managing merchant’s terminal structure

Merchant applications access to ToM backend API should reflect the complete merchant organization structure. Organization structure uses up to three tier levels, i.e.:

  • CONTRACT_ID

    • VAT_ID#1

      • MID#11

      • MID#12

      • […]

      • MID#1n

    • VAT_ID#2

      • MID#21

    • […]

    • VAT_ID#n

      • MID#31

      • MID#32

      • […]

      • MID#3n

CONTRACT_ID is optional and only used in case lower level tiers require aggregation;

VAT_ID is optional and only used in case lowe level tier requires aggregation;

MID is the lowest and most common merchant organization structure tier; TIDs are allocated on a MID level.

Merchant structure is always assigned and edited by the acquiring entity. However, merchant’s 3rd party application backend should be capable of retrieving this structure from ToM backend, track the potential changes in it and be capable of deciding which TID should be assigned during the registration process.

ToM API documentation lists several merchant level functions that may be used for terminal management, however a suggested function for retrieving current merchant terminal structure is POST /api/v1/terminals/search .

4.2.1 Request Parameters

Complete list of function request elements is available in ToM API specification . Tables below summarize most important parameters and function filters.

Request Parameters

Description

page

Integer defining a zero-based page index (default is 0)

size

Integer defining number of items to be returned in a single page (default is 10)

sort

String defining response list sorting creiteria in the format: property,(asc|desc). Default sort order is ascending. Multiple sort criteria are supported

Request body

Description

contract_id

Merchant tier level identifier or tier level identifiers combination defining which part of terminal structure should be returned

vat_id

Merchant tier level identifier or tier level identifiers combination defining which part of terminal structure should be returned

mid

Merchant tier level identifier or tier level identifiers combination defining which part of terminal structure should be returned

tid

Terminal identifier. Adding this field may for use cases where current terminal details need to be checked

connected

Terminal assignment status. true – means that tid is currently linked to a device; false – means that terminal is currently not assigned to any device and available for registration

disabled

Flag informing whether the terminal condition is not temporarily restricted from performing operations

4.2.2 Response Parameters

Complete list of response elements is available in ToM API specification . Table below summarizes most important fields.

Response body

Descrpition

id

Terminal UUID stored in the ToM backend

external_id

3rd party terminal identifier (if assigned and present)

tid

ToM backend recognized active tid selected for assignment

mid

ToM backend recognized mid corresponding to tid selected for assignment

4.3 Locking a terminal selected for registration

Decision on TID selected for registration should be followed with registration token generation. Creating a registration token moves the TID to ‘locked’ status. It means that throughout the registration token validity, TID cannot be manually registered in standalone mode.

ToM API function for the registration token generation operation is POST /api/v1/terminals/{id}/registrationtoken , where id is a terminal UUID stored in ToM backend.

Important note : registration token’s expiry timestamp may be extended by calling POST /api/v1/terminals/{id}/registration-token/refresh ToM API function. This operation maintains previous token value and new validity timestamp is returned in the response.

4.3.1 Request Parameters

Complete list of request elements is available in ToM API specification . Table below summarizes most important fields

Request Parameters

Description

id

Terminal UUID stored in the ToM backend

Request body

Description

email

Optional parameter allowing to share an email address of the user who should receive a welcome email containing the registration toekn in a QR-code format; an empty body structure should be used for use cases which do not use end user notification

4.3.2 Response Parameters

Complete list of response elements is available in ToM API specification. Table below summarizes most important field

Response body

Description

toekn

Generated registration token which should be used with Tap on Mobile application to register a selected TID

expiry_date

Registration token expiry timestamp

created

Registration token creation timestamp