# Provision Network Tokens for Payments

In addition to using the Outbound Routes to share sensitive PCI data with third-party endpoints, VGS supports issuing Network Tokens and cryptograms. Network Tokens serve a variety of purposes in the payments ecosystem. In this guide, we will walk through how Network Tokens can be used to perform payments to PSPs.

### Step 1: Create a Server-Side Card Management Service Account

1. Navigate to the Service Accounts section of the VGS Dashboard: Vault > Organization > Service Accounts.
2. Click on the Create New button.
3. Select your Vault and add the following scopes: `cards:read` and `network-tokens:read`.
4. Press "Create" to generate the service account.
5. Save the `client_id` and `client_secret` in a secure area in your environment.

{% hint style="info" %}
Note that if you are comfortable with PCI data being returned to your server, you can additionally add the `cards:read-pci` scope. When this scope is included, you will receive the raw PCI data in the response from the Card Management API.
{% endhint %}

<figure><img src="/files/zlu4tsUBroHgOdqzmpOo" alt=""><figcaption></figcaption></figure>

#### Reference Documentation

[Full Service Account Setup Guide](/enterprise-platform/access-management/service-accounts-for-programmatic-access/managing-service-accounts-in-the-dashboard.md)

### Step 2: Creating Network Tokens

VGS has two options for creating network tokens for a customer account: **On-Create** and **Manual**.

If your account is set to "On-Create", the system automatically attempts to generate a network token when the card object is created. If your account is set to "Manual", you generate Network Tokens on a card yourself via the [Create Network Token](/cmp/developer-resources/api/network-tokens.md#post-cards-card_id-network-tokens) endpoint.

After a Network Token is created, its details can always be retrieved using the [Get Card endpoint](/cmp/developer-resources/api/cards.md#get-cards-card_id). The details are in the `network_tokens` object inside the `included` array. Below is a sample Get Card response with the network token generated.

```json
{
  "data": {
    "id": "CRDecqZp3xRgXU3TFmtcDdzQs",
    "type": "cards",
    "attributes": {
      "pan": "4111111111111111",
      "cvc_status": "active",
      "bin": "411111",
      "first8": "41111111",
      "last4": "1111",
      "exp_month": 5,
      "exp_year": 28,
      "card_fingerprint": "6TeSCB16LtyifEAmY2goxYfSk5sALriXpefzzxh29xhu",
      "capabilities": [
        "network-tokens"
      ],
      "created_at": "2025-08-01T00:00:00Z",
      "updated_at": "2025-08-01T00:00:00Z"
    },
    "included": [
      {
        "type": "network_tokens",
        "id": "NTabcdefghijklH2Dy1BVE9iR",
        "attributes": {
          "payment_account_reference": "V0010014610000000085141000282",
          "network_token": "4124980000004244",
          "last4": "4244",
          "bin": "412492",
          "exp_month": 11,
          "exp_year": 27,
          "created_at": "2025-07-24T04:13:51.428077",
          "updated_at": "2025-07-24T04:13:51.428092",
          "state": "active"
        }
      }
    ],
    "meta": {
      "token_type": "pan"
    }
  }
}
```
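The following is an added example, not VGS code: it picks a usable network token out of a Get Card response laid out like the sample above, skipping entries that are not `active` or are past their expiry. The function names, the two-digit-year handling and the `mask` helper for log output are assumptions of this example.

```python
from datetime import date

# Constructed input: trimmed copy of the sample Get Card response on this page.
SAMPLE_CARD = {
    "data": {
        "id": "CRDecqZp3xRgXU3TFmtcDdzQs",
        "type": "cards",
        "included": [
            {
                "type": "network_tokens",
                "id": "NTabcdefghijklH2Dy1BVE9iR",
                "attributes": {
                    "network_token": "4124980000004244",
                    "exp_month": 11,
                    "exp_year": 27,
                    "state": "active",
                },
            }
        ],
    }
}


def is_expired(exp_month, exp_year, today):
    """A card-style expiry stays valid through the last day of exp_month."""
    year = exp_year + 2000 if exp_year < 100 else exp_year
    return (today.year, today.month) > (year, exp_month)


def select_active_network_token(card, today=None):
    """Return the first usable network_tokens entry as a dict, or None."""
    today = today or date.today()
    # The sample response nests `included` under `data`; follow that layout.
    for item in card.get("data", {}).get("included", []):
        attrs = item.get("attributes", {})
        if item.get("type") != "network_tokens":
            continue
        if attrs.get("state") != "active":
            continue
        if is_expired(attrs["exp_month"], attrs["exp_year"], today):
            continue
        return {"id": item["id"], **attrs}
    return None


def mask(value):
    """Log-safe form of a PAN or network token: keep only the last four."""
    return "*" * max(len(value) - 4, 0) + value[-4:]
```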

#### Network Token Types for Agentic Platforms

By default, Network Tokens can only be used to perform transactions with the merchant who issues them. In order for an Agentic Platform to issue a Network Token that is meant to process payments with other merchants, the card networks will need to enable this setting on the Network Token account. Please reach out to your VGS representative to help facilitate this conversation with the card networks.

### Step 3: Generating Cryptograms

After a Network Token is created, a cryptogram can be requested using the [Request Cryptogram endpoint](/cmp/developer-resources/api/network-tokens.md#post-cards-card_id-cryptogram). The Network Token and cryptogram together can be used to perform transactions with third-party payment APIs.

A cryptogram is required for all Customer Initiated Transactions (CIT) that use Network Tokens. If you are performing a recurring, Merchant Initiated Transaction (MIT), such as a monthly recurring bill, you do not need to generate a cryptogram.

#### Types of Cryptograms

VGS can issue multiple types of cryptograms in order to support Network Token transactions to any third party. The standard “long” cryptogram format is a randomized string of alphanumeric and symbolic characters that can be used to make payments to common PSPs. Alternatively, the “short” cryptogram format is a 3-digit value that intentionally looks like a CVC and can be used as one.

{% hint style="info" %}
Note that access to Network Tokens for Agentic use-cases other than subscription or card-on-file payments to the Agentic Provider themselves requires approval by the card networks. Please reach out to your VGS representative for assistance with navigating these conversations.
{% endhint %}

### Step 4: Performing Payments with Network Tokens

#### Customer Initiated Transactions (CIT) to PSPs

CIT payments with Network Tokens require a one-time use cryptogram to be provided along with the network token.

All major PSPs have endpoints that are designed to accept Network Tokens and long cryptograms rather than PAN and CVC. These APIs may not be publicly documented and will need to be explicitly enabled on the merchant account.

If the payment API does not support long cryptograms, you can request access to short cryptograms. The Network Token and short cryptogram values should be sent in the PAN and CVC fields of the third-party API. This is particularly important when integrating into non-PSP payment APIs or when using network tokens on an e-commerce website form.

When a CIT payment is authorized, you will receive the Network Transaction ID in the response from the PSP. This value should be stored in the merchant account so that it can be used for MIT payments (see below).

<figure><img src="/files/30d4rl8QExSe5G1fMQ9u" alt=""><figcaption></figcaption></figure>

#### CIT to Merchant Payment API

Agentic Providers need to solve for both paying their own merchant account (subscriptions), and also paying third-party Merchant Payment APIs in order to purchase goods on behalf of their customers. The payment APIs that are provided by merchants often do not have support for long cryptograms. In this case, Agentic Providers can utilize short cryptograms and include the Network Token and short cryptogram values where the PAN and CVC would typically be provided.

<figure><img src="/files/Qz6obEZ8RezovijAkf2W" alt=""><figcaption></figcaption></figure>

#### Merchant Initiated Transactions (MIT) to PSPs

MIT payments, such as recurring subscription payments, do not require a cryptogram to be generated, but they do require the Network Transaction ID from the originally authorized CIT payment to be included in the request.

<figure><img src="/files/ifbYvApzX3ALN0SVu9ZS" alt=""><figcaption></figcaption></figure>
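The CIT and MIT rules from this step, expressed as a pre-flight check that runs before a request is sent to a PSP or merchant API. This is an added example, not VGS or PSP code: the function name and all output field names (`pan`, `cvc`, `network_token`, `cryptogram`, `network_transaction_id`) are hypothetical and must be mapped to the real API you integrate with.

```python
import re


def build_payment_fields(kind, network_token, cryptogram=None,
                         cryptogram_format="long",
                         network_transaction_id=None):
    """Return the card-related fields for one payment request.

    kind is "CIT" or "MIT". Output field names are hypothetical.
    """
    if kind == "CIT":
        # Every CIT with a Network Token needs a one-time-use cryptogram.
        if not cryptogram:
            raise ValueError("CIT requires a cryptogram")
        if cryptogram_format == "short":
            # A short cryptogram is a 3-digit value sent where a CVC would
            # go, with the Network Token in the PAN field.
            if not re.fullmatch(r"[0-9]{3}", cryptogram):
                raise ValueError("short cryptogram must be 3 digits")
            return {"pan": network_token, "cvc": cryptogram}
        if cryptogram_format == "long":
            return {"network_token": network_token,
                    "cryptogram": cryptogram}
        raise ValueError("unknown cryptogram format")
    if kind == "MIT":
        # MIT needs no cryptogram, but must carry the Network Transaction ID
        # returned by the PSP for the originally authorized CIT.
        if not network_transaction_id:
            raise ValueError("MIT requires the Network Transaction ID")
        return {"network_token": network_token,
                "network_transaction_id": network_transaction_id}
    raise ValueError("kind must be CIT or MIT")
```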

#### Reference Documentation

* [Request Cryptogram Endpoint](/cmp/developer-resources/api/network-tokens.md#post-cards-card_id-cryptogram)

### Step 5: Consume Network Token Lifecycle Events

After a Network Token is issued, VGS will receive updates to the Network Tokens from each of the networks. These updates are then provided to you via webhook notifications. More details on Network Token update notifications can be found [here](/cmp/api-dev/network-token-events.md).

#### Useful Resources

* [Network Tokens Overview](/cmp/products-and-services/network-tokens.md)
* [Payments 201: Network Tokens](https://www.verygoodsecurity.com/learn/payments-201/episode-three)


