{"activeVersionTag":"latest","latestAvailableVersionTag":"latest","collection":{"info":{"_postman_id":"0ab88c71-8825-4cc6-bdc9-681c3fefa345","name":"LoyaltyLayer API Integration Guide","description":"## Summary\n\nThis API provides a unified, secure interface to enrich cardholders with travel rewards. Key features include:\n\n- **Pass Creation and Management:** Create Lounge Pass, eSim and future services via a single endpoint, determined by plan_id mappings in our database. Supports batch operations for scale. For Priority Pass plans (determined by plan_id), support for tokenized enrollment via an optional enrol_token parameter, obtained from tokenized engine API, to avoid handling sensitive card data and ensure PCI de-scoping.\n    \n- **Security and Compliance:** OAuth 2.0 authentication\n    \n- **Key Benefits:** Simplifies integration, ensures idempotency for retries, and provides type-specific responses\n    \n- **Scope:** Covers enrollment, updates, status queries, and cancellations.\n    \n- **Environments:** UAT for testing; Production for live use.\n    \n\n## Getting Started Guide\n\n### Prerequisites\n\n- **Credentials:** During onboarding, you'll receive a _**client_id**_ and _**client_secret**_ for OAuth. Share _**plan_id**_ mappings via secure channel for our DB configuration. For Priority Pass integrations, user must first call /card/tokenize endpoint to generate an enrol_token (see tokenized engine API Guide for details). Share any specific plan_id mappings for tokenized flows via secure channel.\n    \n- **Tools:** Postman for testing. Use environment variables: base_url, client_id, client_secret, access_token (auto-set via auth request), pass_id (from create responses).\n    \n\n### Step-by-Step Integration\n\n1. **Authenticate:** Call LoyaltyLayer API /auth/token to get an access_token (expires in 30 minutes, control by system). Test script sets access_token.\n    \n2. **Tokenize Card:** Use LoyaltyLayer tokenize card flow:\n    \n    1. Fetch encryption keys from `GET /v1/card/encryption-keys`.\n        \n    2. Encrypt card data (CardNumber, CardExpiry, NameOnCard, Cvv) into a JWE compact string using the RSA public key. See the **Card Data Encryption Guide** section below for code examples.\n        \n    3. Call `POST /v1/card/tokenize` with the encrypted_value, plan_id, and card_type. This returns an `enrol_token`.\n        \n3. **Create a Pass:** Use `POST /v1/pass/create` with the enrol_token from step 2, along with holder details. Response includes pass_id and type-specific data (e.g., dmc_qr_data for Priority Pass).\n    \n4. **Batch Operations:** For bulk, use `POST /v1/pass/batch-create` with an array of pass objects, each including enrol_token from the tokenize step.\n    \n5. **Manage Passes:** Use `POST /v1/pass/status`, `POST /v1/pass/update`, or `POST /v1/pass/cancel`.\n    \n6. **Testing:** For Priority Pass in UAT, use a mock enrol_token. Validate responses against updated specs, ensuring no PAN is sent.\n    \n7. **Go Live:** Switch to Prod base URL after UAT complete.\n    \n8. **Postman Tips:** Run \"Auth Token\" first. Use variables for chaining (e.g., set pass_id from create response). Test edge cases like invalid plan_id (expect 400).\n    \n\nFor support, schedule a demo or provide logs with correlation IDs from errors.\n\n# 🤖 AI Agent Development\n\nIf you use AI agent to assiant development. You can find a .md file to pass to AI agent to overview the integration guideline.\n\n[AI agent readme](https://drive.google.com/file/d/1SJM3Td3aQOmKSxSjmdTh4aRSQMFXuf_g/view?usp=sharing)\n\n---\n\n## Authentication Overview\n\nOur API uses OAuth 2.0 Client Credentials flow. This ensures secure B2B access without user involvement.\n\n- **Endpoint:** POST /auth/token\n    \n- **Request Format:** application/json\n    \n    - client_id: Required, issued during onboarding.\n        \n    - client_secret: Required, secure key.\n        \n- **Response:** JSON with access_token (opaque string, Bearer type), expires_in (1800 seconds). Expired token in 401 error.\n    \n- **Usage:** Include Authorization: Bearer {{access_token}} in all subsequent headers.\n    \n- **Security Notes:** Tokens are reference-based (validated server-side). Use HTTPS/TLS 1.2. No session cookies; stateless.\n    \n- **Best Practices:** Cache tokens per client_id to reduce calls. Handle expiry with auto-refresh logic.\n    \n- **Security Notes:** Our API does not handle or store PANs; use of enrol_token for Priority Pass keeps integrations out of PCI scope.\n    \n\n## Rate and Usage Limits\n\nTo ensure fair usage and system stability, we enforce the following limits:\n\n- **Rate Limiting:** 100 requests per minute per IP. And 1 minute blocked traffic from same IP after exceed rate limit. Exceeded: HTTP 429 Too Many Requests.\n    \n- **Error Handling:** Limits reset minute. Can retry after reset period.\n    \n- **Monitoring:** We log usage; contact us if higher limits needed (e.g., for campaigns).\n    \n\n## Common Response\n\nSuccessful responses (200 OK) return JSON.\n\n## Error Handle\n\nErrors are returned with standard HTTP status codes and JSON bodies for easy parsing. Implement retry logic for transient issues (e.g., 5xx) and backoff on 429.\n\n#### Common Errors:\n\n- **400 Bad Request:** Invalid or missing parameters (e.g., wrong grant_type).  \n    Example:  \n    `{ \"error\": \"invalid_enrol_token\", \"error_description\": \"Provided enrol_token is invalid or expired\", \"code\": 400 }`\n    \n- **401 Unauthorized:** Invalid client_id or client_secret.  \n    Example:  \n    `{ \"error\": \"invalid_client\", \"error_description\": \"Client authentication failed.\", \"code\": 401}`  \n    (mapped from Priority Pass/LoungeKey auth failures).\n    \n- **401 Unauthorized (Bearer Token)**: Missing, empty, or expired Bearer token on any protected endpoint.  \n    Examples:  \n    `{ \"error\": \"unauthorized\", \"error_description\": \"Missing or invalid Authorization header.\", \"code\": 401 } { \"error\": \"invalid_token\", \"error_description\": \"Access token is invalid or expired.\", \"code\": 401 }`\n    \n- **404 Not Found:** Invalid pass ID.  \n    Example:  \n    `{ \"error\": \"invalid_pass_id\", \"error_description\": \"Invalid pass ID\", \"code\": 404}`\n    \n- **409 Already Cancelled**: Pass is already cancelled.  \n    Example:  \n    `{ \"error\": \"already_cancelled\", \"error_description\": \"Pass {pass_id} is already cancelled.\", \"code\": 409 }`\n    \n- **429 Too Many Requests:** Rate limit exceeded.  \n    Example:  \n    `{ \"error\": \"rate_limit_exceeded\", \"error_description\": \"Retry after 60 seconds\", \"code\": 429, \"retry_after\": 60 }`\n    \n- **500 Internal Server Error:** Rare server issues (we retry calls internally).  \n    Example:  \n    `{ \"error\": \"server_error\", \"error_description\": \"Unexpected error; try again\", \"code\": 500 }`\n    \n- **502 Provider Unavailable**: Upstream provider returned an error.  \n    Example:  \n    `{ \"error\": \"server_error\", \"error_description\": \"Provider operation failed.\", \"code\": 502 }`\n    \n- **504 Provider Timeout**: Upstream provider did not respond in time.  \n    Example:  \n    `{ \"error\": \"provider_timeout\", \"error_description\": \"Provider operation failed.\", \"code\": 504 }`","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","isPublicCollection":false,"owner":"24716230","team":9726335,"collectionId":"0ab88c71-8825-4cc6-bdc9-681c3fefa345","publishedId":"2sB3WttzLP","public":true,"publicUrl":"https://apidoc.loyaltylayer.xyz","privateUrl":"https://go.postman.co/documentation/24716230-0ab88c71-8825-4cc6-bdc9-681c3fefa345","customColor":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"FF6C37"},"documentationLayout":"classic-single-column","customisation":{"metaTags":[{"name":"description","value":"Plug-and-play API platform that brings global airport lounge access to your credit cards, debit cards, and Web3 wallets. No infrastructure. No operations. Just revenue."},{"name":"title","value":"API Document of LoyaltyLayer"}],"appearance":{"default":"system_default","themes":[{"name":"dark","logo":null,"colors":{"top-bar":"212121","right-sidebar":"303030","highlight":"FF6C37"}},{"name":"light","logo":null,"colors":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"FF6C37"}}]}},"version":"8.10.1","publishDate":"2025-11-25T05:01:51.000Z","activeVersionTag":"latest","documentationTheme":"light","metaTags":{"title":"API Document of LoyaltyLayer","description":"Plug-and-play API platform that brings global airport lounge access to your credit cards, debit cards, and Web3 wallets. No infrastructure. No operations. Just revenue."},"logos":{"logoLight":null,"logoDark":null}},"statusCode":200},"environments":[{"name":"UAT","id":"46ecdc17-3a44-454d-8130-52e4d40186f1","owner":"24716230","values":[{"key":"base_url","value":"","enabled":true,"type":"default"},{"key":"api_base_url","value":"","enabled":true,"type":"default"},{"key":"client_id","value":"","enabled":true,"type":"default"},{"key":"client_secret","value":"","enabled":true,"type":"default"},{"key":"access_token","value":"","enabled":true,"type":"default"},{"key":"plan_id","value":"","enabled":true,"type":"default"},{"key":"pass_id","value":"","enabled":true,"type":"default"},{"key":"deail_id","value":"","enabled":true,"type":"default"},{"key":"token_expires_at","value":"","enabled":true,"type":"any"}],"published":true}],"user":{"authenticated":false,"permissions":{"publish":false}},"run":{"button":{"js":"https://run.pstmn.io/button.js","css":"https://run.pstmn.io/button.css"}},"web":"https://www.getpostman.com/","team":{"logo":"https://res.cloudinary.com/postman/image/upload/t_team_logo_pubdoc/v1/team/b5c90b947cacb5b51edc68cbf93c159bff25674aba8e06643ceb4fb558df26a1","favicon":"https://loyaltylayer.xyz/favicon.ico"},"isEnvFetchError":false,"languages":"[{\"key\":\"csharp\",\"label\":\"C#\",\"variant\":\"HttpClient\"},{\"key\":\"csharp\",\"label\":\"C#\",\"variant\":\"RestSharp\"},{\"key\":\"curl\",\"label\":\"cURL\",\"variant\":\"cURL\"},{\"key\":\"dart\",\"label\":\"Dart\",\"variant\":\"http\"},{\"key\":\"go\",\"label\":\"Go\",\"variant\":\"Native\"},{\"key\":\"http\",\"label\":\"HTTP\",\"variant\":\"HTTP\"},{\"key\":\"java\",\"label\":\"Java\",\"variant\":\"OkHttp\"},{\"key\":\"java\",\"label\":\"Java\",\"variant\":\"Unirest\"},{\"key\":\"javascript\",\"label\":\"JavaScript\",\"variant\":\"Fetch\"},{\"key\":\"javascript\",\"label\":\"JavaScript\",\"variant\":\"jQuery\"},{\"key\":\"javascript\",\"label\":\"JavaScript\",\"variant\":\"XHR\"},{\"key\":\"c\",\"label\":\"C\",\"variant\":\"libcurl\"},{\"key\":\"nodejs\",\"label\":\"NodeJs\",\"variant\":\"Axios\"},{\"key\":\"nodejs\",\"label\":\"NodeJs\",\"variant\":\"Native\"},{\"key\":\"nodejs\",\"label\":\"NodeJs\",\"variant\":\"Request\"},{\"key\":\"nodejs\",\"label\":\"NodeJs\",\"variant\":\"Unirest\"},{\"key\":\"objective-c\",\"label\":\"Objective-C\",\"variant\":\"NSURLSession\"},{\"key\":\"ocaml\",\"label\":\"OCaml\",\"variant\":\"Cohttp\"},{\"key\":\"php\",\"label\":\"PHP\",\"variant\":\"cURL\"},{\"key\":\"php\",\"label\":\"PHP\",\"variant\":\"Guzzle\"},{\"key\":\"php\",\"label\":\"PHP\",\"variant\":\"HTTP_Request2\"},{\"key\":\"php\",\"label\":\"PHP\",\"variant\":\"pecl_http\"},{\"key\":\"powershell\",\"label\":\"PowerShell\",\"variant\":\"RestMethod\"},{\"key\":\"python\",\"label\":\"Python\",\"variant\":\"http.client\"},{\"key\":\"python\",\"label\":\"Python\",\"variant\":\"Requests\"},{\"key\":\"r\",\"label\":\"R\",\"variant\":\"httr\"},{\"key\":\"r\",\"label\":\"R\",\"variant\":\"RCurl\"},{\"key\":\"ruby\",\"label\":\"Ruby\",\"variant\":\"Net::HTTP\"},{\"key\":\"shell\",\"label\":\"Shell\",\"variant\":\"Httpie\"},{\"key\":\"shell\",\"label\":\"Shell\",\"variant\":\"wget\"},{\"key\":\"swift\",\"label\":\"Swift\",\"variant\":\"URLSession\"}]","languageSettings":[{"key":"csharp","label":"C#","variant":"HttpClient"},{"key":"csharp","label":"C#","variant":"RestSharp"},{"key":"curl","label":"cURL","variant":"cURL"},{"key":"dart","label":"Dart","variant":"http"},{"key":"go","label":"Go","variant":"Native"},{"key":"http","label":"HTTP","variant":"HTTP"},{"key":"java","label":"Java","variant":"OkHttp"},{"key":"java","label":"Java","variant":"Unirest"},{"key":"javascript","label":"JavaScript","variant":"Fetch"},{"key":"javascript","label":"JavaScript","variant":"jQuery"},{"key":"javascript","label":"JavaScript","variant":"XHR"},{"key":"c","label":"C","variant":"libcurl"},{"key":"nodejs","label":"NodeJs","variant":"Axios"},{"key":"nodejs","label":"NodeJs","variant":"Native"},{"key":"nodejs","label":"NodeJs","variant":"Request"},{"key":"nodejs","label":"NodeJs","variant":"Unirest"},{"key":"objective-c","label":"Objective-C","variant":"NSURLSession"},{"key":"ocaml","label":"OCaml","variant":"Cohttp"},{"key":"php","label":"PHP","variant":"cURL"},{"key":"php","label":"PHP","variant":"Guzzle"},{"key":"php","label":"PHP","variant":"HTTP_Request2"},{"key":"php","label":"PHP","variant":"pecl_http"},{"key":"powershell","label":"PowerShell","variant":"RestMethod"},{"key":"python","label":"Python","variant":"http.client"},{"key":"python","label":"Python","variant":"Requests"},{"key":"r","label":"R","variant":"httr"},{"key":"r","label":"R","variant":"RCurl"},{"key":"ruby","label":"Ruby","variant":"Net::HTTP"},{"key":"shell","label":"Shell","variant":"Httpie"},{"key":"shell","label":"Shell","variant":"wget"},{"key":"swift","label":"Swift","variant":"URLSession"}],"languageOptions":[{"label":"C# - HttpClient","value":"csharp - HttpClient - C#"},{"label":"C# - RestSharp","value":"csharp - RestSharp - C#"},{"label":"cURL - cURL","value":"curl - cURL - cURL"},{"label":"Dart - http","value":"dart - http - Dart"},{"label":"Go - Native","value":"go - Native - Go"},{"label":"HTTP - HTTP","value":"http - HTTP - HTTP"},{"label":"Java - OkHttp","value":"java - OkHttp - Java"},{"label":"Java - Unirest","value":"java - Unirest - Java"},{"label":"JavaScript - Fetch","value":"javascript - Fetch - JavaScript"},{"label":"JavaScript - jQuery","value":"javascript - jQuery - JavaScript"},{"label":"JavaScript - XHR","value":"javascript - XHR - JavaScript"},{"label":"C - libcurl","value":"c - libcurl - C"},{"label":"NodeJs - Axios","value":"nodejs - Axios - NodeJs"},{"label":"NodeJs - Native","value":"nodejs - Native - NodeJs"},{"label":"NodeJs - Request","value":"nodejs - Request - NodeJs"},{"label":"NodeJs - Unirest","value":"nodejs - Unirest - NodeJs"},{"label":"Objective-C - NSURLSession","value":"objective-c - NSURLSession - Objective-C"},{"label":"OCaml - Cohttp","value":"ocaml - Cohttp - OCaml"},{"label":"PHP - cURL","value":"php - cURL - PHP"},{"label":"PHP - Guzzle","value":"php - Guzzle - PHP"},{"label":"PHP - HTTP_Request2","value":"php - HTTP_Request2 - PHP"},{"label":"PHP - pecl_http","value":"php - pecl_http - PHP"},{"label":"PowerShell - RestMethod","value":"powershell - RestMethod - PowerShell"},{"label":"Python - http.client","value":"python - http.client - Python"},{"label":"Python - Requests","value":"python - Requests - Python"},{"label":"R - httr","value":"r - httr - R"},{"label":"R - RCurl","value":"r - RCurl - R"},{"label":"Ruby - Net::HTTP","value":"ruby - Net::HTTP - Ruby"},{"label":"Shell - Httpie","value":"shell - Httpie - Shell"},{"label":"Shell - wget","value":"shell - wget - Shell"},{"label":"Swift - URLSession","value":"swift - URLSession - Swift"}],"layoutOptions":[{"value":"classic-single-column","label":"Single Column"},{"value":"classic-double-column","label":"Double Column"}],"versionOptions":[],"environmentOptions":[{"value":"0","label":"No Environment"},{"label":"UAT","value":"24716230-46ecdc17-3a44-454d-8130-52e4d40186f1"}],"canonicalUrl":"https://apidoc.loyaltylayer.xyz/view/metadata/2sB3WttzLP"}