Get Token

Token ID is a unique value that is associated with the customer’s credit card information during a transaction. The GET Token method sends the credit card information via Midtrans.min.js to Midtrans server and returns the Token ID to you.

To utilize Midtrans JavaScript library, add the code given below in your payment page inside the <head> tag.

<script id= "midtrans-script" src="" data-environment="<production|sandbox>" data-client-key="<INSERT CLIENT KEY HERE>" type="text/javascript"></script>



The GET Token method and its features are applicable only for card transactions. Read more here for API references on various card features to be used in conjuction with this guide.

Midtrans JavaScript Library

Midtrans JavaScript library consists of two functions as given below.

  1. Get Card Token: Securely sends the customer’s payment card details to Midtrans server, without the merchant handling the credit card details.
  2. Redirect: Redirects the customer to 3DS authentication page.


Secure token only support 3DS 1.0, need to implement 3DS 2.0 refer Card Feature: 3D Secure (3DS)

3D Secure 2.0 is an authentication protocol that aims to reduce fraud and enhance security in online card payments.

data-environmentThe environment which the request is pointing to. Possible values are production and sandbox.
data-client-keyYour Client key. For more details, refer Retrieving API Access Keys.


8 Digit Bin

With the oncoming mandates from Visa and other principals, Midtrans will start supporting 8-digit BIN's for card transaction processing flows.
The 8-digit bin changes on CoreAPI and will impact the length of token_id and format of saved_token_id.

Changes list:

  1. Change on token_id length from 6 first digit + "-" + 4 last digit + "-" + 36 random digit into 8 first digit + "-" + 4 last digit + "-" + 36 random digit (e.g: 481111-1114-7baba36c-5698-47cf-9170-80efd6a2e973 to 48111111-1114-7baba36c-5698-47cf-9170-80efd6a2e973)
  2. Change on saved_token_id length from 6 first digit + 22 random digit + 4 last digit into 8 first digit + 20 random digit + 4 last digit (e.g: 481111sHdcfSakAvHvFQFEjTivUV1114 to 48111111sHfSakAvHvFQFEjTivUV1114)
  3. Masked_card on response, event, log changed from 6 first digit + 4 last digit from card number into 8 first digit + 4 last digit from a card number
  4. Support 8 Digit bin in Midtrans Fraud Detection System (for Aegis's users)
  5. Support 8 digit bin in Bin API

Getting Card Token

GET Card Token Request

The card object attributes are given below. Depending on the token type, some parameters are conditional.

// Create the card object with the required fields
var card = {
  card_number: "4811111111111114",
  card_cvv: "123",
  card_exp_month: "12",
  card_exp_year: "2025",
  bank_one_time_token: "12345678"

var options = {
  onSuccess: function(response) {
      // Implement success handling here
  onFailure: function(response) {
      // Implement error handling here

MidtransNew3ds.getCardToken(card, options);
JSON AttributeDescriptionNormalTwo ClicksRemarks
card_numberThe 16 digits Credit Card number.RequiredConditionalSpace( ) is allowed.
For example, 4111 1111 1111 1111 or 4111111111111111 both are valid.
card_cvvThe CVV number printed on the card.RequiredRequiredFor example, 123.
card_exp_monthThe card expiry month in MM format.RequiredConditionalFor example, 12.
card_exp_yearThe card expiry year in YYYY format.RequiredConditionalFor example, 2022.
token_idThe token ID of credit card saved previously. Its value is same as the saved_token_id retrieved from initial Charge response.ConditionalRequiredFor example, 48111111sHfSakAvHvFQFEjTivUV1114.
bank_one_time_tokenThe one-time token is shown on the customer's phone mobile bankingConditional-For example, 12345678



bank_one_time_token is only required for KKI (Kartu Kredit Indonesia) transactions, where merchants must send CPAN as card number and OTT as bank_one_time_token to get the Midtrans one-time token.

GET Card Token Response

Callback response object attributes are listed below.

JSON AttributeDescriptionRemarks
status_codeStatus code of transaction charge result."200" for success, "400" when validation error.
status_messageStatus message describing the result of the API request."OK, success request new token".
validation_messagesThe message describing the error.“card_exp_year must be greater than this year”, "card_exp_month must be greater than this year's month”.
token_idThe token id of the card."48111111-1114-d3d690db-3e18-4edd-9fee-4d061e4eb6f3"
Note: token_id is required during Card Payment Charge Transaction.
hashProduced from one-way hashing of the given card number. This value is irreversible and will always be consistent for each card number."6d9df2ff-ae9c-3cee-a5ff-a063dc476077"

Available options are given below.

onSuccessThis function is called only when get token responds with status code 200.
onFailureThis function is called for all the other status codes except 200.
Click Try It! to start a request and see the response here!