If you decrypt Google Pay tokens outside of Finix, use the passthrough path to send the wallet authentication fields including the Electronic Commerce Indicator (ECI) directly to Finix.
The ECI is a one-or-two-digit value that card networks and issuers factor into liability and risk decisions on the authorization.
The passthrough path transmits raw PAN (DPAN) data. Only customers that are PCI Level 1 compliant are permitted to use it. Sending number without PCI Level 1 approval returns a 422 error.
There are two ways to submit Google Pay data to POST /payment_instruments:
| Path | How it works |
|---|---|
| Encrypted token (default) | Send the encrypted third_party_token. Finix decrypts it and extracts all fields, including ECI. |
| Passthrough | Decrypt the token yourself and send the individual fields (number, cryptogram, expiration_month, expiration_year, electronic_commerce_indicator_code) directly. |
You cannot send both number and third_party_token in the same request. Doing so returns a 422 error.
| Field | Type | Required | Description |
|---|---|---|---|
number | string | Yes | Network token PAN (DPAN) from the decrypted token. May be a raw PAN for Google Pay. |
cryptogram | string | No | Wallet-generated cryptogram from the decrypted token. Optional for Google Pay — PAN_ONLY tokens do not produce a cryptogram. |
expiration_month | integer | No | Card expiration month (1–12). |
expiration_year | integer | No | Card expiration year (4-digit). |
electronic_commerce_indicator_code | string | No | One-or-two-digit value indicating the authentication method. The card network and issuer factor this into liability and risk decisions on the authorization. |
When your server receives the decrypted fields from the Google Pay token, pass them directly in the POST /payment_instruments request body instead of third_party_token.
- Sandbox serverhttps://finix.sandbox-payments-api.com/payment_instruments
curl -i -X POST \
-u USfdccsr1Z5iVbXDyYt7hjZZ:313636f3-fac2-45a7-bff7-a334b93e7bda \
https://finix.sandbox-payments-api.com/payment_instruments \
-H 'Content-Type: application/json' \
-H 'Finix-Version: 2022-02-01' \
-d '{
"address": {
"city": "San Francisco",
"country": "USA",
"line1": "900 Metro Center Blv",
"line2": "APT 200",
"postal_code": "94404",
"region": "CA"
},
"cryptogram": "abc",
"electronic_commerce_indicator_code": "07",
"expiration_month": 11,
"expiration_year": 2026,
"identity": "IDmj1yA97RS4rMjiQgvK3Vio",
"merchant_identity": "IDwhCCvPwCDEmiFd8Be7pDzN",
"name": "Finix Sandbox",
"number": "5200828282828210",
"type": "GOOGLE_PAY"
}'{
"id": "PIrBNkBnJMThRHLGKHbfpYkF",
"created_at": "2025-05-08T18:44:58.56Z",
"updated_at": "2025-05-08T18:44:58.56Z",
"application": "APc9vhYcPsRuTSpKD9KpMtPe",
"created_via": "API",
"currency": "USD",
"disabled_code": null,
"disabled_message": null,
"enabled": true,
"fingerprint": "FPRrBNkBnJMThRHLGKHbfpYkF",
"identity": "ID78Fh8mcnnzukVzbdoyex5y",
"instrument_type": "GOOGLE_PAY",
"address": {
"line1": "900 Metro Center Blv",
"line2": "APT 200",
"city": "San Francisco",
"region": "CA",
"postal_code": "94404",
"country": "USA"
},
"bin": "411111",
"brand": "VISA",
"card_type": "CREDIT",
"expiration_month": 11,
"expiration_year": 2026,
"issuer_country": "USA",
"last_four": "1234",
"name": "Finix Sandbox",
"tags": {},
"third_party": null,
"third_party_token": null,
"type": "GOOGLE_PAY",
"_links": {
"self": {
"href": "https://finix.sandbox-payments-api.com/payment_instruments/PIrBNkBnJMThRHLGKHbfpYkF"
},
"authorizations": {
"href": "https://finix.sandbox-payments-api.com/payment_instruments/PIrBNkBnJMThRHLGKHbfpYkF/authorizations"
},
"transfers": {
"href": "https://finix.sandbox-payments-api.com/payment_instruments/PIrBNkBnJMThRHLGKHbfpYkF/transfers"
},
"verifications": {
"href": "https://finix.sandbox-payments-api.com/payment_instruments/PIrBNkBnJMThRHLGKHbfpYkF/verifications"
},
"application": {
"href": "https://finix.sandbox-payments-api.com/applications/APc9vhYcPsRuTSpKD9KpMtPe"
},
"identity": {
"href": "https://finix.sandbox-payments-api.com/identities/ID78Fh8mcnnzukVzbdoyex5y"
}
}
}The response shape is identical to the standard Google Pay path. The electronic_commerce_indicator_code value is not echoed back in the response.
| Scenario | Status | Error code | Message |
|---|---|---|---|
number and third_party_token both sent | 422 | INVALID_FIELD | Only one of number or third_party_token is allowed in a request. |
Neither number nor third_party_token sent | 422 | INVALID_FIELD | Either number or third_party_token must be provided |
electronic_commerce_indicator_code is not 1 or 2 numeric digits | 422 | INVALID_FIELD | electronic_commerce_indicator_code must be 1 or 2 numeric digits |
| Customer is not PCI Level 1 compliant | 422 | UNPROCESSABLE_ENTITY | Unless you are PCI Level 1 compliant, you must send the encrypted GOOGLE_PAY token in the third_party_token field. |