Issuers can offer app-to-web verification as an option for completing a yellow path ID&V challenge when provisioning a token. App-to-web verification is configured through your TSP and does not require any configuration by the Google Pay team. There are two important URLs referred to repeatedly:
- Issuer Web Redirect URL: Provided to Google by the Issuer through the TSP's response to Google's request for ID&V options. Used to launch the Issuer App to complete user ID&V. The Issuer can add any query parameters that they deem relevant to identify the request.
- Google Callback URL: Provided to the Issuer website as a URL parameter in the Issuer Web Redirect URL. Used to launch Google Wallet after the Issuer website has completed user ID&V.
The following flow shows an abstract user experience for the app-to-web verification process:
When users choose to activate their token through app-to-web verification, Google Wallet opens the Issuer Web Redirect URL in a Google Chrome Android Custom Tab. If Google Chrome is not installed, the system falls back to the default browser. After the website has completed user ID&V, it uses an Android Intent to navigate back to the Google Wallet client using the Google Callback URL to finish the provisioning flow.
Website development
When a user selects the app-to-web method to verify their identity, the Issuer website must:
- Receive the Issuer Web Redirect URL from Google Wallet and parse out the Google Callback URL.
- Authenticate the cardholder.
- Activate the token through a request to the TSP.
- Redirect the user back to Google Wallet using the Google Callback URL.
Receiving the redirect
When a user chooses to verify their identity using app-to-web, Google Wallet opens the Issuer Web Redirect URL provided to Google by the Issuer through the TSP's response to Google's request for ID&V options. The Issuer website should be prepared to handle the query parameters appended to this URL, such as the Google Callback URL and any other extra URL parameters.
Mastercard URL
https://www.issuerurl.com/auth?TUR=xyz&panSuffix=1234&redirectUrl=https://pay.google.com/gp/wallet/webidvredirect
Visa URL
https://www.issuerurl.com/auth?a2apayload=abc&identifier=abc&wpcallback=https://pay.google.com/gp/wallet/webidvredirect
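The following is an added example, not code from Google or a TSP. It parses the incoming request, extracts the Google Callback URL, and accepts it only when it matches the callback shown in the sample URLs above, so the Issuer website never redirects the user to an address it did not expect. The function and constant names are hypothetical, and the parameter names (`redirectUrl`, `wpcallback`) and the allowed callback value are assumptions taken from the two sample URLs; confirm the real values with your TSP.

```javascript
// Added example; the constant and function names are hypothetical.
// Assumption: the only acceptable callback is the one in the page's sample URLs.
const ALLOWED_CALLBACK = { origin: "https://pay.google.com", path: "/gp/wallet/webidvredirect" };
// Parameters that carry the Google Callback URL in the Mastercard and Visa samples.
const CALLBACK_PARAMS = ["redirectUrl", "wpcallback"];

function extractCallback(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  // Require exactly one callback parameter, present exactly once.
  const found = CALLBACK_PARAMS.flatMap((name) => params.getAll(name));
  if (found.length !== 1) {
    return { ok: false, reason: "expected exactly one callback parameter" };
  }
  let cb;
  try {
    cb = new URL(found[0]); // throws on relative or malformed values
  } catch {
    return { ok: false, reason: "callback is not an absolute URL" };
  }
  if (cb.username || cb.password) {
    return { ok: false, reason: "callback contains userinfo" };
  }
  // URL.origin compares scheme, host and port after normalization.
  if (cb.origin !== ALLOWED_CALLBACK.origin || cb.pathname !== ALLOWED_CALLBACK.path) {
    return { ok: false, reason: "callback is not the expected Google Wallet URL" };
  }
  // Remaining parameters identify the request (e.g. TUR, panSuffix, a2apayload).
  const context = {};
  for (const [key, value] of params) {
    if (!CALLBACK_PARAMS.includes(key)) context[key] = value;
  }
  return { ok: true, callback: cb.href, context };
}

// The two sample URLs from the page, then constructed requests that must be refused.
const samples = [
  "https://www.issuerurl.com/auth?TUR=xyz&panSuffix=1234&redirectUrl=https://pay.google.com/gp/wallet/webidvredirect",
  "https://www.issuerurl.com/auth?a2apayload=abc&identifier=abc&wpcallback=https://pay.google.com/gp/wallet/webidvredirect",
  "https://www.issuerurl.com/auth?TUR=xyz&redirectUrl=https://pay.google.com.example.net/gp/wallet/webidvredirect",
  "https://www.issuerurl.com/auth?TUR=xyz&redirectUrl=https://pay.google.com@example.net/gp/wallet/webidvredirect",
  "https://www.issuerurl.com/auth?TUR=xyz&redirectUrl=/gp/wallet/webidvredirect",
];
for (const s of samples) {
  const r = extractCallback(s);
  console.log(r.ok ? "accept" : `reject (${r.reason})`, s);
}
```

Run the check when the request arrives and store the validated callback server-side with the session, so the final redirect uses the stored value and not a parameter resubmitted by the browser.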
Token Activation
The Issuer calls the TSP API to activate the token directly.
Flow description
Step | Source | Description |
---|---|---|
1 | Google Wallet | User manually adds a payment card to their Google Wallet. The user selects app-to-web as the verification method. |
2 | Google Wallet | Google Wallet opens the Issuer Web Redirect URL in a Chrome Custom Tab. |
3 | Issuer's Website | The Issuer's website completes the identity verification process. |
4 | Issuer's Website | Issuer's server sends an activateToken(tokenId) request to the TSP. |
5 | TSP Server | The TSP forwards the token activation status to Google Wallet servers by calling handleTspEvent(). The TSP confirms the activation to the Issuer's server. |
6 | Issuer's Website | The Issuer's website redirects the user back to Google Wallet using the Google Callback URL. |
7 | Google Wallet | Google Wallet displays a success message and the card is ready to use. |