Rye uses Spreedly as its credit card vault, and when you register a Rye developer account we automatically create a Spreedly account for you as well. This guide steps you through the process of acquiring your Spreedly account credentials and then using them to tokenize a credit card for future use.

Tutorial

1

Get payment gateway headers

Open the Rye Console and navigate to the “Account” section. Make a note of the payment gateway headers.

2

Gather card details

For testing and development purposes, you can use a variety of test cards to simulate different scenarios. Select one that is most appropriate for what you are trying to do.

For production use cases, you should only be following this guide in cases where you are trying to implement backend ordering. In this case, you would use a card that belongs to your business.

Under no circumstances should you handle a customer’s card details directly, as this would require you to be PCI DSS compliant.

3

Create a payment method token

With the payment gateway headers and a card in hand, you can now create a payment method token. This token can be used in future transactions to charge the card. Documentation for this Spreedly endpoint can be found here.

The Spreedly API uses the same URL for both staging and production. Whether you are in staging or production is determined by the credentials you use in the Authorization header.

The following cURL command demonstrates how to make this request:

# Be sure to update the Authorization header with your actual credentials from the Rye Console
curl --location 'https://core.spreedly.com/v1/payment_methods.json' \
--header 'Authorization: Basic YOUR_CREDENTIALS_HERE' \
--header 'Content-Type: application/json' \
--data '{
  "payment_method": {
    "credit_card": {
      "first_name": "John",
      "last_name": "Doe",
      "number": "4242424242424242",
      "verification_value": "553",
      "month": "12",
      "year": "2024"
    }
  }
}'

Good to know: Spreedly tokens expire after 5-10 minutes by default as a security measure. You can opt out of this behavior when creating your production token by following the instructions in the next section.

4

Retrieve the payment method token

Spreedly will return a JSON object in response which contains the payment method token. Note that the payment method token is wrapped inside a transaction object, and the transaction object contains a token of its own. The transaction token is different from the payment_method token. Be careful to use the correct value.

{
  "transaction": {
    "token": "SOME_TRANSACTION_TOKEN", // !! not this one
    // ...
    "payment_method": {
      "token": "SOME_PAYMENT_METHOD_TOKEN", // !! this is the one we want!
      // ...
    }
  }
}

5

You're done!

The payment method token can now be used to pay for orders via the submitCart mutation.

Retaining a payment method

Spreedly payment method tokens will expire 5-10 minutes after they are created. This is a security feature to prevent unauthorized use of the token, and we recommend this behavior while you are testing.

For production use cases it is not recommended to retokenize for every order, as it would require you to store credit card details in plain text. To get around this, you can create a permanent payment token for use with Rye by passing "retained": true inside the credit_card object when making your Spreedly call:

# Be sure to update the Authorization header with your actual credentials from the Rye Console
curl --location 'https://core.spreedly.com/v1/payment_methods.json' \
--header 'Authorization: Basic YOUR_CREDENTIALS_HERE' \
--header 'Content-Type: application/json' \
--data '{
  "payment_method": {
    "credit_card": {
      "first_name": "John",
      "last_name": "Doe",
      "number": "4242424242424242",
      "verification_value": "553",
      "month": "12",
      "year": "2024",
      "retained": true
    }
  }
}'

Be careful to store the returned payment method token in a secure location, as anyone with access to your token will be able to make charges against it via Spreedly. If you are worried that your token might have leaked, you can redact it by calling Spreedly's redact endpoint.
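The following Python sketch is an added example, not code from Rye or Spreedly. It covers both step 4 and the retention section: it picks the payment_method token rather than the transaction token, can require that the token was retained, and masks the token for logging. The function names and the sample response are constructed, and the "succeeded" and "storage_state" fields are assumptions about the response that are not shown on this page.

```python
import json

# Constructed sample response shaped like the JSON in step 4 (all values made up).
# "succeeded" and "storage_state" are assumed fields, not shown on this page.
SAMPLE_RESPONSE = """{
  "transaction": {
    "token": "TXN_TOKEN_EXAMPLE",
    "succeeded": true,
    "payment_method": {
      "token": "PM_TOKEN_EXAMPLE",
      "storage_state": "retained"
    }
  }
}"""


class TokenError(ValueError):
    """The response does not contain a usable payment method token."""


def extract_payment_method_token(body, require_retained=False):
    """Return transaction.payment_method.token, never transaction.token."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TokenError("response is not valid JSON") from exc
    txn = doc.get("transaction") if isinstance(doc, dict) else None
    if not isinstance(txn, dict):
        raise TokenError("no transaction object in response")
    if txn.get("succeeded") is False:
        raise TokenError("tokenization did not succeed")
    pm = txn.get("payment_method")
    token = pm.get("token") if isinstance(pm, dict) else None
    if not isinstance(token, str) or not token:
        raise TokenError("no payment_method token in response")
    if token == txn.get("token"):
        raise TokenError("payment_method token matches the transaction token")
    # A token that is not retained expires shortly after creation.
    if require_retained and pm.get("storage_state") != "retained":
        raise TokenError("payment method is not retained")
    return token


def mask(token):
    """Log-safe form of a token: last four characters kept, short tokens fully hidden."""
    keep = 4 if len(token) > 8 else 0
    return "*" * (len(token) - keep) + token[len(token) - keep:]
```

Write only the masked form to logs, and keep the full token in your secrets store.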