Skip to main content
Important
We are pleased to announce that the Marqeta platform is transitioning away from the Marqeta.js library and its widgets in favor of Marqeta UX Toolkit for programs based in the United States. For this reason, we are no longer adding this functionality to new US programs.Existing US programs are not immediately impacted, but are encouraged to migrate over to UX Toolkit as soon as possible. Programs based outside the United States are not affected by this change, but may be eligible to use UX Toolkit. Contact your Marqeta representative for more information.
Marqeta provides customizable widgets that enable cardholders to securely activate their cards and set their PINs in your customer web and mobile applications. You can embed these widgets inline as iframes in your web applications. The widgets comply with the Payment Card Industry Data Security Standard (PCI DSS), which defines the security and protocol standards for organizations that store, transmit, or process card data. If you have already obtained PCI Compliance certification, using the Marqeta Activate Card and Set PIN widgets in your web applications is optional. At the end of this guide, you should understand:
  • What the Activate Card and Set PIN widgets are and when you need to use them.
  • How to create a customized widget to integrate with your web application.
  • How the input to the widgets is validated.
Note
Widgets reduce your burden of achieving data security compliance by providing a PCI-compliant way to allow cardholders to perform certain actions; however, you have other responsibilities regarding data security for other elements of your cardholder experience. Contact your Marqeta representative for details.

Associated endpoints

For details on how to active a card and set a PIN on the Marqeta platform without using the Activate Card and Set PIN widgets, use the following endpoints and methods:
  • POST /cardtransitions
  • POST /pins/controltoken
  • PUT /pins
For more information, see the Create card transition, Create PIN control token, and Create or update PIN API references.

Prerequisites

  • Read the Core API Quick Start.
  • Obtain a user token.
  • Obtain a card token that is associated with the user token, if working with the Set PIN widget.
  • Have a parent web application in which to integrate the widget. This application must use HTTPS.

Concepts

Data security compliance

You must comply with PCI DSS data security requirements if you want to store, transmit, or process sensitive card data such as the cardholder’s primary account number (PAN), personal identification number (PIN), and card expiration date. The process of becoming PCI DSS certified to store, transmit and process such data directly is both time consuming and expensive. The Activate Card and Set PIN widgets handle the encrypted transmission of sensitive card data, and can help you comply with some aspects of the PCI compliance burden. Marqeta is fully PCI-Service Provider Level 1 compliant, and securely handles the unencrypted, sensitive card data.

Available widgets

The Activate Card and Set PIN widgets are customizable iframes that enable the cardholder to provide sensitive card data to the Marqeta platform. When you embed a widget in your application, your servers never store, transmit, or process the card data so you are not required to be PCI DSS compliant. Embed the iframe in the parent page of your web application where you want the functionality of the widget to occur. You configure the iframe by passing query parameters in the iframe’s source URL. The Marqeta platform then processes the iframe.
Tip
Embed the iframe using a web element when adding a widget to a mobile application. This applies to both Android and iOS.
You can integrate the following widgets:
1
Activate Card – Allows authenticated cardholders to activate their program-specific cards.
2
Set PIN – Allows cardholders to set their online EMV PIN code on an activated card.
Upon successful completion, the Activate Card widget renders the Set PIN widget automatically. The Activate Card and Set PIN widgets apply to many use cases. For example, an alternative lender who leverages an authorized user model might have these widgets display as part of providing loans to businesses. The widgets would enable the business owners to activate their card, then choose their own PIN.
Warning
Your application must provide a login method to authenticate the user. Widgets do not provide user authentication; they only validate that the user-entered data matches the card data on the Marqeta platform.

Widget customization

Before integrating widgets into your application, you must submit your customized style attributes to Marqeta. Marqeta provides the Marqeta Widget Style Preview page as a testing ground for you to determine how you want your widgets to look. The following styles are customizable:
Style CategoryAttributes and Values
Global styles- Font stack, such as Helvetica, Arial, sans-serif.
- Font color.
- Font size (max 18px).
- Background color.
Form labels- Label text color.
- Label font size.
- Label font weight.
- Label text style.
Headers- Option to show the Activate Card header.
- Option to show the Set PIN header.
- Header font size.
Button styles- Font stack, such as Helvetica, Arial, sans-serif.
- Button background color.
- Button font color.
- Hover state background color.
- Hover state font color.
Error message stylesErrors are displayed above the widget in a flash-message style list.

- Font stack, such as Helvetica, Arial, sans-serif.
- Font color.
- Font size (max 18px).
- Background color.
iframe size- Minimum height: 120px.
- Minimum width: 300px.
Any global styles you define are overridden by more specific style category declarations. For example, if you define a font stack in both the Global Styles category and the Button Styles category, the fonts of the Button Styles stack will apply to the buttons. Other styles are unaffected by this declaration.

iframe parameters

The widgets are accessible from base URLs for both the private sandbox and production environments. Depending on your environment, use one of the following base URLs as the source of the iframe:
EnvironmentWidgetBase URL
SandboxActivate Cardhttps://widgets-sandbox.marqeta.com/activate_card
SandboxSet PINhttps://widgets-sandbox.marqeta.com/set_pin
ProductionActivate Cardhttps://widgets.marqeta.com/activate_card
ProductionSet PINhttps://widgets.marqeta.com/set_pin
Using query parameters, you can specify the language to use when rendering the widget, as well as customize the message displayed upon successful completion of the widget’s task. Build your iframe content for the desired widget by adding the appropriate query parameters:
FieldsDescription
application_id

string

Required		The application ID for use with widgets, obtained from Marqeta in Step 2.

NOTE: This value is not required when calling endpoints related to the Marqeta.js JavaScript library such as show_pan or reveal_pin, nor do you need to supply it in order to retrieve a client access token.

Allowable Values:

A valid application ID.
one_time_token

string

Required		User’s one-time authentication token, generated via POST at /users/auth/onetime in Step 3.

Allowable Values:

A valid one-time authentication token.
user_token

string

Required		Existing user token. Send a GET request to /users to retrieve an existing user token.

Allowable Values:

A valid user token.
card_token

string

Conditionally required		Existing card token that is associated with the user token. Send a GET request to /cards/user/{token} to retrieve card tokens for a specific user. Required by the Set PIN widget.

Allowable Values:

A valid card token.

NOTE: Only applies to the Set PIN widget.
success_url

string

Required		HTTPS URL of the page that is loaded in the iframe upon successful completion.

The success_url must use HTTPS as the protocol; most browsers do not allow HTTP content to be loaded into the iframe window. In addition, the protocol must be specified for the widget to recognize it as a valid success_url. This URL must not be enclosed in quotation marks, but it can be URL encoded.

When calling a widget in an iframe, make sure the page provided does not set the X-Frame-Options to DENY or SAMEORIGIN; otherwise the iframe cannot display in modern browsers. If using the widget directly in the browser window, the redirect does not require the X-Frame-Options header.

If the success_url is invalid or not provided, the widget displays a generic message informing the cardholder that the request has been successfully processed.

Allowable Values:

A valid URL.
display_headers

boolean

Optional		If set to false, the widget’s standard headers are not displayed above the iframe.

Allowable Values:

true, false

Default value:
true
locale

string

Optional		The language to use when rendering the widget. This parameter is a language tag composed of a language code and a country code.

Allowable Values:

en-US English (United States), cs-CZ Czech (Czechia), de-DE German (Germany), es-ES Spanish (Spain), fr-CA French (Canada), fr-FR French (France), it-IT Italian (Italy), pl-PL Polish (Poland), pt-BR Portuguese (Brazil), sv-SE Swedish (Sweden)

Default value:
en-US

Validation and error handling

The one-time user authentication token you create expires 120 minutes from when the Card Activation widget appears on-screen. The cardholder must complete the card activation during this period. After the Card Activation widget closes, the timer resets to zero to allow the cardholder another 120 minutes to set the PIN in the Set PIN widget. After the card data has been supplied to the widget, the widget performs a number of validations before sending the data to Marqeta’s servers. The cardholder has five attempts to correctly input data in the Activate Card or the Set PIN widget. After five failed attempts, the widget displays an error message. To try another five times, the cardholder has to refresh the parent web page to force the generation of a new widget. A cardholder might successfully activate a card using the Activate Card widget, but fail to set a PIN using the Set PIN widget. In this case, the next time the cardholder accesses the widgets, the Set PIN widget appears without displaying the Activate Card widget again.
Warning
There is no way for the widget to inform the parent web page in the event of an error. If the widget encounters an error, the cardholder must refresh the parent web page. Consider providing instructions to the cardholder on how to do this.
Activate Card validation The following validations are performed on the data entered in the widget when the cardholder clicks or taps Activate Card:
  • PAN has been entered in the widget.
  • PAN is a valid card number.
  • CVV has been entered in the widget.
  • CVV is 3 or 4 characters in length.
  • CVV is a numeric value.
If successful, the failure count and the timer are reset to 0, and the Activate Card widget automatically renders the Set PIN widget. Set PIN validation The following validations are performed on the data entered in the widget when the cardholder clicks or taps Set PIN:
  • PIN does not contain consecutive ascending or descending values, such as 1-2-3-4 or 9-8-7-6.
  • PIN is not a single digit repeated four times, such as 2-2-2-2.
  • PIN is not one of the most common PINs chosen by cardholders.
  • PIN confirmation value matches the PIN value.
If successful, the page specified by the success_url parameter is loaded.

Tutorial

This tutorial walks you through how to customize the Activate Card widget and integrate it with a web application in your private sandbox environment. The Activate Card and Set PIN widgets are not supported in the public sandbox.

Step 1 — Define the widget style attributes

Go to the Marqeta Widget Style Preview page to configure and preview the widget’s styles. Choose attributes that match your web application. Send the finalized styles to Marqeta for implementation when you are ready to integrate a widget into your production environment.

Step 2 — Obtain a new application ID from Marqeta

Contact your Marqeta representative to obtain an application ID, which is a value used specifically for embedding the Activate Card and Set PIN widgets. You must use the same application ID for both widgets. This value is typically provided when you begin working with Marqeta.

Step 3 — Generate a one-time user authentication token

Configure your web application to send a POST request to /users/auth/onetime to generate a one-time user authentication token for the logged-in user. The single-use access token you create for the logged-in user is valid for one request only, and expires five minutes after it is generated. See the Create single-use token section of the Users page for more information about this endpoint. The following is an example of a cURL request that generates a one-time user authentication token:
cURL
curl -X POST \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Basic dXNlcjM5MDQxNTM2ODY0MTY4OjRhN2VkNDlhLWZjOTctNDdmNy04NmY0LTUxN2VjZTE1ZGY5ZQ==' \
-d '{
    "user_token": "bc381ddf-b8c9-47b5-a724-4ae71f1aad7d"
  }' \
'https://your_payments_instance.com/v3/users/auth/onetime'
Warning
After the one-time token is redeemed to render the parent web page, it cannot be reused. If the widget times out or the parent web page is refreshed by the cardholder, a new one-time token must be generated and passed to the iframe.

Step 4 — Add query parameters to the iframe

Build the iframe content for the widget by adding the appropriate query parameters from the table in the “iframe parameters” section.

Step 5 — Embed the iframe in the parent website

Embed the iframe in the parent website, using the following as the iframe’s source: https://widgets-sandbox.marqeta.com/activate_card. Since the iframe is requesting an HTTPS domain, the parent website URL must also use the HTTPS protocol. When completed, the HTML for the iframe should resemble the following: <iframe src="https://widgets-sandbox.marqeta.com/activate_card?one_time_token=11111111-1111-1111-1111-111111111111&user_token=22222222-2222-2222-2222-222222222222&application_id=33333333-3333-3333-3333-3333&success_url=https://yoursite.com/success_widget.html&display_headers=false"></iframe>

Samples

Below are samples of iframes you can create by following the tutorial’s steps. In each of these samples, a success URL is specified and the headers are disabled. The base URL reflects whether the iframe is used in a private sandbox or a production environment. Activate Card widget, private sandbox environment <iframe src="https://widgets-sandbox.marqeta.com/activate_card?one_time_token=11111111-1111-1111-1111-111111111111&user_token=22222222-2222-2222-2222-222222222222&application_id=33333333-3333-3333-3333-3333&success_url=https://yoursite.com/success_widget.html&display_headers=false"></iframe> Activate Card widget, production environment <iframe src="https://widgets.marqeta.com/activate_card?one_time_token=11111111-1111-1111-1111-111111111111&user_token=22222222-2222-2222-2222-222222222222&application_id=33333333-3333-3333-3333-3333&success_url=https://yoursite.com/success_widget.html&display_headers=false"></iframe> Set PIN widget, private sandbox environment <iframe src="https://widgets-sandbox.marqeta.com/set_pin?one_time_token=11111111-1111-1111-1111-111111111111&user_token=22222222-2222-2222-2222-222222222222&card_token=44444444-4444-4444-4444-444444444444&application_id=33333333-3333-3333-3333-3333&success_url=https://yoursite.com/success_widget.html&display_headers=false"></iframe> Set PIN widget, production environment <iframe src="https://widgets.marqeta.com/set_pin?one_time_token=11111111-1111-1111-1111-111111111111&user_token=22222222-2222-2222-2222-222222222222&card_token=44444444-4444-4444-4444-444444444444&application_id=33333333-3333-3333-3333-3333&success_url=https://yoursite.com/success_widget.html&display_headers=false"></iframe>

Related topics

Cardholder and Card Management in EuropeCardsAbout CardsRevealing PIN NumbersCard Transitions