Tokenisation — MPGS
Generated page — source of truth is schema/mpgs.yaml and templates/mpgs-uat.j2. Do not edit this file directly.
What is Tokenisation in This Context?
Astral uses a Secure Token Service (STS) to store and manage payment tokens. When a cardholder's payment details are captured — via the MPGS hosted payment page (HPP) or a card-present transaction — the result can be stored as a token in the STS rather than as raw card data.
The STS is configured separately from the payment gateway. An MPGS merchant that supports token flows (PM1) must have an STS token space and token repository provisioned. Without this, the system has nowhere to store tokens and token-based transactions will fail.
STS Provisioning Order
STS is provisioned after the merchant and MPG array are configured:
Merchant → MPG Array → API User → Terminals → Terminal Configs
↓
STS Token Space
↓
STS Token Repository
↓
STS API User + Permissions
STS Token Space
A token space (tokenspace) groups repositories together. Merchants typically share a
space with other merchants in the same integration context.
| Field | Var | MGMT Field | Required | Default | Notes |
|---|---|---|---|---|---|
| Space Name | sts_space_name | spaceName | Conditional | mcli | Also written to spaceDesc |
STS Token Repository
A token repository (tokenrepo) holds the actual tokens for a merchant or group of
merchants. The repository must exist within the token space.
| Field | Var | MGMT Field | Required | Default | Notes |
|---|---|---|---|---|---|
| Repository Name | sts_repo_name | repositoryName | Conditional | mcli | Also written to repositoryDesc |
Fixed values set by the template:
| MGMT Field | Value | Notes |
|---|---|---|
| tokenType | 1 | |
| autoDelete | 1 | Tokens are automatically deleted when the associated merchant record is removed |
STS API User
The STS API user authenticates Astral's access to the token space.
| Field | Var | MGMT Field | Required | Notes |
|---|---|---|---|---|
| Operator Email | user_email | partnerEmail | Conditional | The email address of the provisioning operator or service account. |
Fixed values:
| MGMT Field | Value |
|---|---|
| adminFlag | 0 |
| encAlgorithm | 1 |
| encFlag | 1 |
STS Token Channel Config
The STS token channel config grants the token channel access to the token space. The provisioning template sets one channel config entry with fixed permissions.
| MGMT Field | Value | Notes |
|---|---|---|
| channelId | 1 | |
| groupId | 13 | |
| isDefault | 0 | |
| permissionType | 1,2,3,6,16,17,18,20 | Permission set for this channel's access |
These are fixed values from templates/mpgs-uat.j2. The meaning of individual permission type codes is not documented in the repository. See Open Items below.
Relationship to the MPG Array
The STS is not configured in the MPG array itself — it is a separate MGMT object. However, the MPG PM1 Token entries depend on the STS being provisioned. If the STS token space or repository does not exist, token transactions cannot be stored and PM1 flows will fail.
See MPG Configuration for the PM1 token entries.
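A pre-flight check that compares rendered STS objects against the fixed values documented above and confirms that a token space and repository exist when PM1 is enabled. This is an added example, not code from the repository; the layout of the `rendered` dict and the keys `pm1`, `sts_api_user` and `sts_channel` are assumptions.

```python
# Added example, not project code. The layout of `rendered` (one dict per MGMT
# object) and the keys "pm1", "sts_api_user" and "sts_channel" are assumptions.
TEMPLATE_DEFAULT_EMAIL = "admin@shijigroup.com"  # default listed in Open Items
# Fixed values this page documents for templates/mpgs-uat.j2.
EXPECTED_FIXED = {
    "tokenrepo": {"tokenType": "1", "autoDelete": "1"},
    "sts_api_user": {"adminFlag": "0", "encAlgorithm": "1", "encFlag": "1"},
    "sts_channel": {"channelId": "1", "groupId": "13", "isDefault": "0"},
}
EXPECTED_PERMISSIONS = {"1", "2", "3", "6", "16", "17", "18", "20"}


def check_sts(rendered, production=False):
    """Return a list of findings for one merchant's rendered STS objects."""
    findings = []
    # PM1 token flows need a token space and a repository to store tokens in.
    if rendered.get("pm1"):
        if not rendered.get("tokenspace", {}).get("spaceName"):
            findings.append("PM1 enabled but no STS token space")
        if not rendered.get("tokenrepo", {}).get("repositoryName"):
            findings.append("PM1 enabled but no STS token repository")
    # Report any difference from the documented fixed values as drift.
    for obj, fields in EXPECTED_FIXED.items():
        for field, want in fields.items():
            if obj in rendered and str(rendered[obj].get(field, "")) != want:
                got = rendered[obj].get(field)
                findings.append(f"{obj}.{field} is {got!r}, expected {want!r}")
    channel = rendered.get("sts_channel")
    if channel is not None:
        # Compare permission codes as a set so ordering does not matter.
        raw = str(channel.get("permissionType", ""))
        granted = {p.strip() for p in raw.split(",") if p.strip()}
        for code in sorted(granted - EXPECTED_PERMISSIONS):
            findings.append(f"unexpected permissionType code {code}")
        for code in sorted(EXPECTED_PERMISSIONS - granted):
            findings.append(f"missing permissionType code {code}")
    email = rendered.get("sts_api_user", {}).get("partnerEmail", "")
    if production and email == TEMPLATE_DEFAULT_EMAIL:
        findings.append("partnerEmail is still the template default")
    return findings


# Constructed sample: an API user rendered with adminFlag flipped to 1.
SAMPLE = {
    "pm1": True, "tokenspace": {"spaceName": "mcli"},
    "tokenrepo": {"repositoryName": "mcli", "tokenType": 1, "autoDelete": 1},
    "sts_api_user": {"adminFlag": 1, "encAlgorithm": 1, "encFlag": 1,
                     "partnerEmail": "ops@example.test"},
}
```

Running `check_sts(SAMPLE)` reports the `adminFlag` drift only; an empty list means the rendered objects match what this page documents.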
Open Items
| # | Item | Impact |
|---|---|---|
| OI (sts) | STS permissionType code meanings not documented in repository | Cannot explain what individual permissions allow |
| OI (sts) | user_email default in template is admin@shijigroup.com — confirm correct default for production | Incorrect operator email may block STS API access |
See Also
- MPG Configuration — PM1 Token entries that depend on STS
- Merchant Configuration
- Terminal Configuration
- Field Catalog