Mobile Wallet Push Provisioning: Integration Guide
Enable an in-app "Add to Apple Pay / Google Pay / Samsung Pay" button, so a cardholder can add their card to a wallet with one tap.
Push vs. manual provisioning
- Manual / in-wallet provisioning: the cardholder opens the Wallet app and types the card in themselves. No app integration required; available once your BIN is live (or BIN go-live date identified) and all required integration steps have been completed with Spidr.
- Push provisioning (this guide): your app pushes the card credentials directly into the wallet via the wallet SDK plus the Spidr Mobile Wallet Provisioning endpoint. Requires a native app (see Prerequisites) and the steps below.
In-app vs. web provisioning
This guide covers in-app provisioning, where the cardholder taps a control inside your native mobile app. If your app is web-based, contact Spidr to scope your provisioning options.
Prerequisites
- A native mobile app (iOS and/or Android). Cross-platform frameworks like React Native or Flutter qualify as long as they bridge to the native wallet SDKs. If your app is web-based, contact Spidr to scope your provisioning options.
- Manual wallet provisioning already enabled for your BIN (push provisioning builds on it).
- Sponsor-bank Google setup complete for Google Pay (see Sponsor-bank requirement). Spidr will help coordinate this piece.
Step 1: Get developer access from the wallet providers
Request developer-program access and pull the documentation for each wallet you intend to support:
- Apple: PassKit In-App Provisioning. Demo and reference: https://applepaydemo.apple.com/in-app-provisioning · entitlement reference:
com.apple.developer.payment-pass-provisioning(in the Apple Pay & PassKit entitlements doc: https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/ApplePayandPassKitEntitlements/ApplePayandPassKitEntitlements.html) - Google: Google Wallet Push Provisioning API for Android: https://developers.google.com/pay/issuers/apis/push-provisioning/android (access is granted through your sponsor bank's issuer console)
- Samsung: Samsung Pay SDK (if in scope): https://developer.samsung.com/pay
Step 2: Integrate the wallet SDKs
Integrate each wallet's SDK in your native app:
- Apple: PassKit In-App Provisioning.
- Google: Google Pay Push Provisioning API.
- Samsung: Samsung Pay SDK.
Step 3: Obtain certificates from the wallet providers
Register your app and pull the push-provisioning certificates and keys directly in the wallet providers' developer consoles (Apple Developer, Google Pay & Wallet Console, Samsung partner dashboard). These are issued by the wallet providers; Spidr does not supply them.
Step 4: Provide your App Identifiers
So your app can be registered with the card network as an authorized token requestor, send Spidr the following per wallet:
| Wallet | Identifiers |
|---|---|
| Apple | App ID (Bundle ID); Store ID (Adam ID, from App Store Connect); App Launch URL |
| Google / Samsung | App / Package Name; Activation Action (android.intent.action.MAIN); App Launch URL |
- Identifiers must come from your production app.
- In the Samsung partner dashboard, list the Issuer as your sponsor bank, not your program.
- Allow time for an overnight network refresh after identifiers are registered.
Step 5: Call the Mobile Wallet Provisioning endpoint
At provisioning time, your app collects the values returned by the wallet SDK and posts them to:
POST /v1/card/{cardId}/mobileWalletProvisioning (reference: https://docs.gospidr.com/reference/postv1cardcardidmobilewalletprovision)
Request fields
| Field | Wallet(s) | Source |
|---|---|---|
cardId (path) | all | the card to provision |
walletType (apple / google / samsung) | all | your flow |
cert1, cert2, nonce, nonceSignature | Apple | Apple PassKit SDK |
clientWalletAccountID, clientDeviceAccountID | Google / Samsung | Google / Samsung SDK |
sessionKey (optional) | all | risk/verification workflow |
Required-field rules: Apple needs cert1 + cert2 + nonce + nonceSignature; Google / Samsung need clientWalletAccountID + clientDeviceAccountID.
Response is provisioning_request_data; hand this back to the wallet SDK to complete the add:
- Apple:
activationData,encryptedPassData,ephemeralPublicKey - Google:
opaquePaymentCard - Samsung:
payload
The flow: your app gathers the wallet-provider data from the device SDK → calls the endpoint → Spidr returns the encrypted payload → your app passes it to the wallet SDK to finish provisioning → the card network creates the token and activates it on the device.
Step 6: Test, then go live
Validate the full flow in the CV (client validation) environment first; see the Getting Started with Spidr guide for a breakdown of Spidr environments. Because the entitlement and certificates apply only to your production app, end-to-end testing happens on a TestFlight/App Store (iOS) or production (Android) build.
Sponsor-bank requirement (Google Pay)
Google scopes push provisioning to the card issuer, so Google Pay requires your sponsor bank to set up an issuer profile and grant your developers access before your app can provision under it. Apple and Samsung have no equivalent bank-console step. This is a separate workstream from your app build; Spidr helps coordinate it with you and the bank.
Cardholder verification (one-time passcode)
Depending on risk, provisioning may require an extra identity verification step (a one-time passcode sent by SMS or email) before the card is added. Ensure cardholder contact details are on file so this can be delivered.
Supported card networks
Spidr supports push provisioning for Visa and Mastercard programs. (Discover support is in progress and not yet available.) The request and response fields above are supplied by the wallet SDKs and are the same regardless of your card network. A couple of network notes that apply across the board:
- Your App Identifiers are registered with the card network as the token requestor. The Bundle ID / Adam ID / Package Name and launch URL you send in Step 4 are what the network uses to recognize your app as authorized to request tokens. Provisioning requests will fail until this registration is in place, and any change to your identifiers takes time for a network refresh (typically overnight) before it's live.
- The wallet request fields are SDK-driven, not network-specific.
clientWalletAccountIDandclientDeviceAccountID(Google/Samsung) andcert1/cert2/nonce/nonceSignature(Apple) come straight from the wallet SDK. There are no additional network-side fields to collect beyond what each wallet's SDK hands you.
Updated 1 day ago