Association user flow
Stay organized with collections
Save and categorize content based on your preferences.
Overview
The purpose of the association flow is to establish a long-lived token (aka, an opaque identifier) that both the Payment Integrator (company setting up their form of payment within our system) and Google agree represents the link between Google's user account and the integrator's user account. This long-lived token is called the Google Payment Token (GPT). An instrument is a way to pay for services and goods within Google's various ecosystems and marketplaces. A Google customer may have more than one instrument.
How the flow works
- Google negotiates a token to represent a link between Google's customer and the integrator's user account.
- Google gathers the necessary first time setup information to create and establish the
GPT.
Proof of identity and authentication must first be established through the authentication flow. The output of the authentication flow is passed to the associateAccount method. Then the association flow will associate the Google user account with the Google instrument. This sets up the instrument so it can be used for payments.
Here is a diagram which details the Association flow:
Association flow sequence diagram
Here is a list of the objects and what they represent:
- User: This is the person who wants to add a payment method to their Google account.
- Google UI: The interface at Google where the customer begins to setup a payment method.
- Payment Integrator UI: The integrator’s interface (web or Android) that the customer has access to for that account.
- Google Server: The backend servers at Google that perform the authentication checks and associate the user’s integrator account with a
GPT (Google Payment Token).
- Payment Integrator Server: The backend server of the integrator where the user has an account.
This is an association flow, where the user’s Google account is being linked by a Google token to their integrator account. Here is how this flow works.
- The user initiates the flow in the Google UI (such as a web or app interface).
- The Google UI sends a message for Google’s Server to supply it with an authentication request (Request Authentication Data).
- The Google Server sends a request for authentication (
authenticationRequest) back to the Google UI.
- The Google UI connects the user to the Payment Integrator UI (
authenticationRequest).
- The user is prompted for their identity and credentials.
- The Payment Integrator UI sends the response to the Payment Integrator Server.
- The Payment Integrator Server authenticates the response and sends the authentication response (
authenticationResponse) to the Payment Integrator UI.
- This authentication response is forwarded to the Google UI.
- The Google UI sends a message to the Google Server to verify the response from the Integrator (set up User instrument).
- The Google Server validates the response by verifying the signature, and then associates the user’s Account with the Payment Integrator with a
GPT and association ID (authenticationRequestID, associationID) at Google.
- A success message is sent to Google’s Server.
- A success message is sent to the Google UI.
- A success message is sent to the User, stating that their instrument is ready to use.
Best practices and other considerations
Multiple instruments
The integrator must allow for many GPT’s to be associated with a single user's integrator account. For example, this is needed if a user deletes their instrument and creates a new instrument with the same integrator user account.
It’s possible for two Google customers to associate with the same user’s integrator account. If that is the case, each user would have a different instrument associated with each individual. For each instrument there is an independent association flow and a unique GPT.
Safety measures
If the integrator believes there has been an account takeover on a user's integrator account, new associations can be declined for that account and existing instruments that have already been associated may return decline codes during future purchases.
GPT lifespan
The GPT is intended to be long lived, and by default has no expiration. Google strongly recommends a GPT that does not expire. This allows for an uninterrupted purchase experience by the user.
For those integrators that cannot support a token that has no expiration, the integrator can provide the expiration time via the tokenExpirationTime field of the associateAccount method. Once a token is near expiry, Google will send the user through the refresh token flow in order to extend the token's lifespan.
Other identifiers
There are other identifiers besides GPT that are exchanged during association. Here is a list of these with links to more information.
AssociationId: A Google defined, public facing token, identifying the association between the customer's account at Google and the instrument. Whereas the GPT is only used in server to server requests, the AssociationId is the client equivalent. (See the glossary entry for more information).AccountId: A vendor defined identifier (often an account number), used to discover fraud and understand account relationships. Google's customer operation agents also use it to identify, and then help diagnose customer issues. (See the glossary entry for more information).AccountNickname (or fullAccountNickname): A string that vendors use to identify their customers. It is used for display purposes as well. The AccountNickname is masked by the vendor for SPII sake, the fullAccountNickname is not masked.
All rights reserved. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-09-03 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-09-03 UTC."],[[["\u003cp\u003eThe association flow establishes a secure link between a Google user's account and a payment integrator's user account using a long-lived token called the Google Payment Token (\u003ccode\u003eGPT\u003c/code\u003e).\u003c/p\u003e\n"],["\u003cp\u003eThis process involves authentication to verify the user's identity and then associates their Google account with their chosen payment instrument for seamless transactions.\u003c/p\u003e\n"],["\u003cp\u003eIntegrators can support multiple \u003ccode\u003eGPT\u003c/code\u003es per user account, enabling users to add or replace payment methods without disrupting their Google account link.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eGPT\u003c/code\u003es are designed to be long-lived for uninterrupted purchasing, but integrators can define expiration times if needed, triggering a refresh token flow for renewal.\u003c/p\u003e\n"],["\u003cp\u003eThe flow involves secure exchange of identifiers like \u003ccode\u003eGPT\u003c/code\u003e, \u003ccode\u003eAssociationId\u003c/code\u003e, \u003ccode\u003eAccountId\u003c/code\u003e, and \u003ccode\u003eAccountNickname\u003c/code\u003e to facilitate account linking, fraud detection, and customer support.\u003c/p\u003e\n"]]],["The association flow establishes a long-lived Google Payment Token (`GPT`) linking a Google user account to an integrator's user account, enabling payment via the associated instrument. The process starts with user initiation in the Google UI, triggering an authentication request. The user authenticates through the Payment Integrator UI. Upon successful authentication, the Google Server verifies and associates the accounts with a `GPT` and `associationID`. Finally, a success message is sent, confirming the instrument is ready. Multiple `GPT`s can be associated with a single integrator account, and `GPT` is strongly recommended to be long-lived.\n"],null,["# Association user flow\n\nOverview\n--------\n\nThe purpose of the association flow is to establish a long-lived token (aka, an opaque identifier) that both the Payment Integrator (company setting up their form of payment within our system) and Google agree represents the link between Google's user account and the integrator's user account. This long-lived token is called the Google Payment Token (`GPT`). An instrument is a way to pay for services and goods within Google's various ecosystems and marketplaces. A Google customer may have more than one instrument.\n\nHow the flow works\n------------------\n\n1. Google negotiates a token to represent a link between Google's customer and the integrator's user account.\n2. Google gathers the necessary first time setup information to create and establish the `GPT`.\n\nProof of identity and authentication must first be established through the [authentication flow](/standard-payments/concepts/tokenized_fop/authentication-flow). The output of the authentication flow is passed to the [`associateAccount`](/standard-payments/payment-processor-service-api/v1/TopLevel/associateAccount) method. Then the association flow will associate the Google user account with the Google instrument. This sets up the instrument so it can be used for payments.\n\nHere is a diagram which details the Association flow:\n\n#### Association flow sequence diagram\n\nHere is a list of the objects and what they represent:\n\n- **User**: This is the person who wants to add a payment method to their Google account.\n- **Google UI**: The interface at Google where the customer begins to setup a payment method.\n- **Payment Integrator UI**: The integrator's interface (web or Android) that the customer has access to for that account.\n- **Google Server** : The backend servers at Google that perform the authentication checks and associate the user's integrator account with a `GPT` (Google Payment Token).\n- **Payment Integrator Server**: The backend server of the integrator where the user has an account.\n\nThis is an association flow, where the user's Google account is being linked by a Google token to their integrator account. Here is how this flow works.\n\n1. The user initiates the flow in the Google UI (such as a web or app interface).\n2. The Google UI sends a message for Google's Server to supply it with an authentication request (Request Authentication Data).\n3. The Google Server sends a request for authentication ([`authenticationRequest`](/standard-payments/v1/authentication-api/authenticationRequest)) back to the Google UI.\n4. The Google UI connects the user to the Payment Integrator UI ([`authenticationRequest`](/standard-payments/v1/authentication-api/authenticationRequest)).\n5. The user is prompted for their identity and credentials.\n6. The Payment Integrator UI sends the response to the Payment Integrator Server.\n7. The Payment Integrator Server authenticates the response and sends the authentication response ([`authenticationResponse`](/standard-payments/v1/authentication-api/authenticationResponse)) to the Payment Integrator UI.\n8. This authentication response is forwarded to the Google UI.\n9. The Google UI sends a message to the Google Server to verify the response from the Integrator (set up User instrument).\n10. The Google Server validates the response by verifying the signature, and then associates the user's Account with the Payment Integrator with a `GPT` and association ID ([`authenticationRequestID`](/standard-payments/payment-integrator-tokenized-fop-api-v1/v1/TopLevel/associateAccount), [`associationID`](/standard-payments/payment-integrator-tokenized-fop-api-v1/v1/TopLevel/associateAccount)) at Google.\n11. A success message is sent to Google's Server.\n12. A success message is sent to the Google UI.\n13. A success message is sent to the User, stating that their instrument is ready to use.\n\nBest practices and other considerations\n---------------------------------------\n\n### Multiple instruments\n\nThe integrator must allow for many `GPT`'s to be associated with a single user's integrator account. For example, this is needed if a user deletes their instrument and creates a new instrument with the same integrator user account.\n\nIt's possible for two Google customers to associate with the same user's integrator account. If that is the case, each user would have a different instrument associated with each individual. For each instrument there is an independent association flow and a unique `GPT`.\n\n### Safety measures\n\nIf the integrator believes there has been an account takeover on a user's integrator account, new associations can be declined for that account and existing instruments that have already been associated may return decline codes during future purchases.\n\n### GPT lifespan\n\nThe `GPT` is intended to be long lived, and by default has no expiration. Google strongly recommends a `GPT` that does not expire. This allows for an uninterrupted purchase experience by the user.\n\nFor those integrators that cannot support a token that has no expiration, the integrator can provide the expiration time via the [`tokenExpirationTime`](/standard-payments/payment-integrator-tokenized-fop-api-v1/v1/TopLevel/associateAccount) field of the [`associateAccount`](/standard-payments/payment-processor-service-api/v1/TopLevel/associateAccount) method. Once a token is near expiry, Google will send the user through the [refresh token flow](/standard-payments/concepts/tokenized_fop/refresh-token-flow) in order to extend the token's lifespan.\n\n### Other identifiers\n\nThere are other identifiers besides `GPT` that are exchanged during association. Here is a list of these with links to more information.\n\n- `AssociationId`: A Google defined, public facing token, identifying the association between the customer's account at Google and the instrument. Whereas the `GPT` is only used in server to server requests, the `AssociationId` is the client equivalent. (See the [glossary entry for more information](/standard-payments/reference/glossary#association_id)).\n- `AccountId:` A vendor defined identifier (often an account number), used to discover fraud and understand account relationships. Google's customer operation agents also use it to identify, and then help diagnose customer issues. (See the [glossary entry for more information](/standard-payments/reference/glossary#account_id)).\n- `AccountNickname` (or `fullAccountNickname`): A string that vendors use to identify their customers. It is used for display purposes as well. The [`AccountNickname`](/standard-payments/payment-integrator-tokenized-fop-api-v1/v1/TopLevel/associateAccount) is masked by the vendor for [SPII](/standard-payments/reference/glossary#spii) sake, the [`fullAccountNickname`](/standard-payments/payment-integrator-tokenized-fop-api-v1/v1/TopLevel/associateAccount) is not masked."]]