Provision Network Tokens for Payments
In addition to using the Outbound Routes to share sensitive PCI data with third-party endpoints, VGS supports issuing Network Tokens and cryptograms. Network Tokens serve a variety of purposes in the payments ecosystem. In this guide, we will walk through how Network Tokens can be used to perform payments to PSPs.
Step 1: Create a Server-Side Card Management Service Account
Navigate to the Service Accounts section of the VGS Dashboard: Vault > Organization > Service Accounts.
Click on the Create New button.
Select your Vault and add the following scopes:
cards:read, &network-tokens:readPress "Create" to generate the service account
Save the client_id and client_secret in a secure area in your environment.
Reference Documentation
Full Service Account Setup Guide
Step 1: Creating Network Tokens
VGS has two options for creating network tokens for a customer account: On-Create and Manual.
If your account is set to "On-Create", then the system will automatically attempt to generate a network token when the card object is created. If your account is set to "Manual", it means that you are enabled to generate Network Tokens on a card via the Create Network Token endpoint.
After creating a Network Token, the network token details can always be referenced using the Get Card endpoint. The Network Token details are found in the network_tokens object that is found in the included array. Below is a sample Get Card response with the network token generated.
{
"data": {
"id": "CRDecqZp3xRgXU3TFmtcDdzQs",
"type": "cards",
"attributes": {
"pan": "4111111111111111",
"cvc_status": "active",
"bin": "411111",
"first8": "41111111",
"last4": "1111",
"exp_month": 5,
"exp_year": 28,
"card_fingerprint": "6TeSCB16LtyifEAmY2goxYfSk5sALriXpefzzxh29xhu",
"capabilities": [
"network-tokens"
],
"created_at": "2025-08-01T00:00:00Z",
"updated_at": "2025-08-01T00:00:00Z"
},
"included": [
{
"type": "network_tokens",
"id": "NTabcdefghijklH2Dy1BVE9iR",
"attributes": {
"payment_account_reference": "V0010014610000000085141000282",
"network_token": "4124980000004244",
"last4": "4244",
"bin": "412492",
"exp_month": 11,
"exp_year": 27,
"created_at": "2025-07-24T04:13:51.428077",
"updated_at": "2025-07-24T04:13:51.428092",
"state": "active"
}
}
],
"meta": {
"token_type": "pan"
}
}
}Network Token Types for Agentic Platforms
By default, Network Tokens can only be used to perform transactions with the merchant who issues them. In order for an Agentic Platform to issue a Network Token that is meant to process payments with other merchants, the card networks will need to enable this setting on the Network Token account. Please reach out to your VGS representative to help facilitate this conversation with the card networks.
Step 2: Generating Cryptograms
After a Network Token is created, a cryptogram can be requested using the Request Cryptogram endpoint. The Network Token and cryptogram together can be used to perform transactions with third-party payment APIs.
A cryptogram is required for all Customer Initiated Transactions (CIT) that use Network Tokens. If you are performing a recurring, Merchant Initiated Transaction (MIT), such as a monthly recurring bill, you do not need to generate a cryptogram.
Types of Cryptograms
VGS has the ability to issue multiple types of cryptograms in order to support Network Token transactions to any third party. The standard “long” cryptogram format is a randomized string of alphanumeric and symbolic characters that can be used to make payments to common PSPs. Alternatively, the “short” cryptogram format is a 3-digit value that intentionally appears and can be used as a CVC.
Step 3: Performing Payments with Network Tokens
Customer Initiated Transactions (CIT) to PSPs
CIT payments with Network Tokens require a one-time use cryptogram to be provided along with the network token.
All major PSPs have endpoints that are designed to accept Network Tokens and long cryptograms rather than PAN and CVC. These APIs may not be publicly documented and will need to be explicitly enabled on merchant account.
In the case that the payment API does not support long-cryptograms, you can request access to short cryptograms. The Network Token and short cryptogram values should be sent in the PAN and CVC fields of the third-party API. This is particularly important when integrating into non-PSP payment APIs or when using network tokens on an e-commerce website form.
When a CIT payment is authorized, you will receive the Network Transaction ID in the response from the PSP. These values should be stored in the merchant account so that they can be used for MIT payments (see below).
CIT to Merchant Payment API
Agentic Providers need to solve for both paying their own merchant account (subscriptions), and also paying third-party Merchant Payment APIs in order to purchase goods on behalf of their customers. The payment APIs that are provided by merchants often do not have support for long cryptograms. In this case, Agentic Providers can utilize short cryptograms and include the Network Token and short cryptogram values where the PAN and CVC would typically be provided.
Merchant Initiated Transactions (MIT) to PSPs
MIT payments, such as recurring subscription payments, do not require a cryptogram to be generated, but they do require the Network Transaction ID from the originally authorized CIT payment to be included in the request.
Reference Documentation
Step 4: Consume Network Token Lifecycle Events
After a Network Token is issued, VGS will receive updates to the Network Tokens from each of the networks. These updates are then provided to you via webhook notifications. More details on Network Token update notifications can be found here.
Useful Resources
Last updated