Skip to main content
Marqeta supports several methods for provisioning a token to insert a payment card into a digital wallet.
  • Manual entry — The cardholder enters the card data directly into the digital wallet, typically either by typing in the data or by taking a photo of the card. This method might be preferred when your users already possess the physical cards they want to insert into their digital wallets.
  • Card-on-file — The cardholder adds a card to an additional device. This method requires the digital wallet to already have the card information on file, possibly from a previous tokenization request. For example, the card is already stored in the digital wallet on a phone and the cardholder is adding the card to a watch.
  • In-app provisioning — Your mobile application dynamically creates a new virtual card and then adds it to the digital wallet for instant availability of the funds.
  • Web push provisioning — The cardholder requests and adds a new virtual card to their digital wallet via web browser.
For any card product, you can choose which of these methods you want to allow. For every token activation request processed through any of the methods, Marqeta sends an event notification to your configured webhook endpoint. You can use the information in the token activation request to determine the current status of a request and to change the status, when necessary.

Basic provisioning flow

In the basic provisioning flow, the cardholder initiates the provisioning request either by manually entering the data for a new card or by selecting a card that is already on file (i.e., the manual entry and card-on-file methods).
Basic provisioning flow
A basic token provisioning flow proceeds as follows:
1
The cardholder initiates the request via manual entry or card-on-file on the target device (e.g., Apple Pay wallet on an iPhone).
2
The digital wallet requests a token from the card network.
3
The card network, Marqeta (the issuer processor), and the digital wallet coordinate the approval of the token activation request.
4
Marqeta sends an event notification to your webhook endpoint. You can use this information to determine the current status and to take further actions, if necessary.
5
If the token activation request is approved, the card network issues a digital wallet token.
6
The digital wallet stores the digital wallet token on the target device, where the cardholder can now use it to make payments.

Instant issuance flow

In the instant issuance flow, your mobile application or the cardholder initiates the provisioning request to create a new Marqeta virtual card and then tokenize it. This unique capability from Marqeta allows you to create a virtual card and make it instantly available for use at both brick-and-mortar merchants that support the digital wallet and e-commerce merchants. There are two provisioning scenarios for the instant issuance flow:
  • In-app provisioning
  • Web push provisioning
Tip
To utilize the instant issuance flow, you must obtain approval from the digital wallet provider and integrate with their API, in addition to integrating with the Marqeta API. To facilitate this integration, Marqeta provides documentation.

In-app provisioning

In-app provisioning enables mobile applications to initiate provisioning requests to add virtual cards to digital wallets for instant access to funds. The following diagram outlines the in-app provisioning flow.
In-app provisioning flow
The in-app provisioning flow proceeds as follows:
1
Your mobile application initiates the request by calling your backend.
2
Your backend sends a POST request to the /cards endpoint to create a new virtual card.
3
Marqeta creates a new virtual card and returns the card token in the response object.
4
Your backend sends a POST request to the Marqeta API endpoint for the specific type of digital wallet, with the card token in the request object. For example, if you add the card to an Apple Pay digital wallet, your application sends a POST request to the /digitalwalletprovisionrequests/applepay endpoint. See the Digital Wallets Management API reference page for endpoint documentation.
5
The Marqeta API responds with encrypted card data for the new card. Your backend passes the encrypted card data to the digital wallet (e.g., Apple Pay) by integrating with the provider’s API.
6
The digital wallet requests a token from the card network.
7
The card network, Marqeta (the issuer processor), and the digital wallet coordinate the approval of the token activation request.
8
Marqeta sends an event notification to your webhook endpoint. You can use this information to determine the current status and to take further actions, if necessary.
9
If the token activation request is approved, the card network issues a digital wallet token.
10
The digital wallet stores the digital wallet token on the target device, where the cardholder can now use it to make payments.

Web push provisioning

Web push provisioning leverages existing instant issuance capabilities to allow cardholders to add virtual cards to digital wallets directly from program websites. This can be done on desktop and mobile, and across the most common web browsers (e.g., Chrome, Safari, Firefox, and Edge). Note that the diagram and flow steps in this section are specific to Apple Pay. The Google Wallet differ slightly, as the sign-in process occurs at the start of the workflow. For detailed implementation steps, please contact your Marqeta representatives. The following diagram outlines the web push provisioning flow.
Web push provisioning flow
The web push provisioning flow proceeds as follows:
1
The cardholder submits the request for a virtual card via the program website.
2
Your program website initiates the request by calling your backend.
3
Your backend sends a POST request to the /cards endpoint to create a new virtual card.
4
Marqeta creates a new virtual card and returns the card token in the response object.
5
Your backend sends a POST request to the Marqeta API endpoint for the specific type of digital wallet, with the card token in the request object. For example, if you add the card to an Apple Pay digital wallet, your application sends a POST request to the /digitalwallets/wpp/applePayJWT endpoint. See the Digital Wallets Management API reference page for endpoint documentation.
6
The Marqeta API responds with encrypted card data for the new card. Your backend passes the encrypted card data to the digital wallet (e.g., Apple Pay) by integrating with the provider’s API.
7
The digital wallet displays Apple sign-in.
8
The cardholder signs in.
9
Upon successful sign in, the digital wallet displays the device list.
10
The cardholder selects the device to use.
11
The digital wallet requests a token from the card network.
12
The card network, Marqeta (the issuer processor), and the digital wallet coordinate the approval of the token activation request.
13
Marqeta sends an event notification to your webhook endpoint. You can use this information to determine the current status and to take further actions, if necessary.
14
If the token activation request is approved, the card network issues a digital wallet token.
15
The digital wallet stores the digital wallet token on the target device, where the cardholder can now use it to make payments.

Choosing the allowable provisioning methods

The card product controls the allowable methods for providing card data during token provisioning. To see which methods are currently allowed, send a GET request to the /cardproducts endpoint. Optionally, include the token path parameter to see the allowable methods for a specific card product. The card product object indicates the allowable methods in the digital_wallet_tokenization.provisioning_controls element. For example, the following card product allows the manual entry and card-on-file methods but not the in-app provisioning or web push provisioning methods.
JSON
"digital_wallet_tokenization": {
  "provisioning_controls": {
    "manual_entry": {
      "enabled": true,
      "address_verification": {
        "validate": true
      }
    },
    "wallet_provider_card_on_file": {
      "enabled": true,
      "address_verification": {
        "validate": true
      }
    },
    "in_app_provisioning": {
      "enabled": false,
      "address_verification": {
        "validate": false
      }
    },
    "web_push_provisioning": {
        "wpp_apple_partner_id": "",
        "wpp_apple_card_template_id": "",
        "wpp_google_piaid": ""
    }
  }
}
To ensure that cards function as expected and meet all card network and regulatory requirements, Marqeta configures and maintains the card products in your production environment. If you want to change the provisioning controls for a card product, contact your Marqeta representative.

Related topics

Digital Wallets and TokenizationDigital Wallets ManagementTokenization in EuropeManaging the Digital Wallet Token LifecycleDigital Wallets Overview