Tokenisation — MPGS

Generated page — source of truth is schema/mpgs.yaml and templates/mpgs-uat.j2. Do not edit this file directly.


What is Tokenisation in This Context?

Astral uses a Secure Token Service (STS) to store and manage payment tokens. When a cardholder's payment details are captured — via the MPGS hosted payment page (HPP) or a card-present transaction — the result can be stored as a token in the STS rather than as raw card data.

The STS is configured separately from the payment gateway. An MPGS merchant that supports token flows (PM1) must have an STS token space and token repository provisioned. Without this, the system has nowhere to store tokens and token-based transactions will fail.


STS Provisioning Order

STS is provisioned after the merchant and MPG array are configured:

Merchant → MPG Array → API User → Terminals → Terminal Configs
                                                       ↓
                                            STS Token Space
                                                       ↓
                                            STS Token Repository
                                                       ↓
                                            STS API User + Permissions

STS Token Space

A token space (tokenspace) groups repositories together. Merchants typically share a space with other merchants in the same integration context.

| Field | Var | MGMT Field | Required | Default | Notes |
|---|---|---|---|---|---|
| Space Name | sts_space_name | spaceName | Conditional | mcli | Also written to spaceDesc |

STS Token Repository

A token repository (tokenrepo) holds the actual tokens for a merchant or group of merchants. The repository must exist within the token space.

| Field | Var | MGMT Field | Required | Default | Notes |
|---|---|---|---|---|---|
| Repository Name | sts_repo_name | repositoryName | Conditional | mcli | Also written to repositoryDesc |

Fixed values set by the template:

| MGMT Field | Value | Notes |
|---|---|---|
| tokenType | 1 | |
| autoDelete | 1 | Tokens are automatically deleted when the associated merchant record is removed |

STS API User

The STS API user authenticates Astral's access to the token space.

| Field | Var | MGMT Field | Required | Notes |
|---|---|---|---|---|
| Operator Email | user_email | partnerEmail | Conditional | The email address of the provisioning operator or service account. |

Fixed values:

| MGMT Field | Value |
|---|---|
| adminFlag | 0 |
| encAlgorithm | 1 |
| encFlag | 1 |

STS Token Channel Config

The STS token channel config grants the token channel access to the token space. The provisioning template sets one channel config entry with fixed permissions.

| MGMT Field | Value | Notes |
|---|---|---|
| channelId | 1 | |
| groupId | 13 | |
| isDefault | 0 | |
| permissionType | 1,2,3,6,16,17,18,20 | Permission set for this channel's access |

These are fixed values from templates/mpgs-uat.j2. The meaning of individual permission type codes is not documented in the repository. See Open Items below.


Relationship to the MPG Array

The STS is not configured in the MPG array itself — it is a separate MGMT object. However, the MPG PM1 Token entries depend on the STS being provisioned. If the STS token space or repository does not exist, token transactions cannot be stored and PM1 flows will fail.

See MPG Configuration for the PM1 token entries.


Open Items

| # | Item | Impact |
|---|---|---|
| OI (sts) | STS permissionType code meanings not documented in repository | Cannot explain what individual permissions allow |
| OI (sts) | user_email default in template is admin@shijigroup.com — confirm correct default for production | Incorrect operator email may block STS API access |
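
As an added example (not code from the repository or its template), this Python check compares a rendered STS provisioning payload against the fixed values listed on this page and flags the template-default operator email noted in the Open Items. The payload layout and its section names are assumptions; only the MGMT field names and expected values come from the page.

```python
# Added example: the section names ("space", "repo", "apiUser", "channel") are an
# assumed payload layout; MGMT field names and expected values come from this page.
FIXED = {
    "repo": {"tokenType": 1, "autoDelete": 1},
    "apiUser": {"adminFlag": 0, "encAlgorithm": 1, "encFlag": 1},
    "channel": {"channelId": 1, "groupId": 13, "isDefault": 0},
}
EXPECTED_PERMS = {1, 2, 3, 6, 16, 17, 18, 20}
TEMPLATE_DEFAULT_EMAIL = "admin@shijigroup.com"


def parse_perms(value):  # "1,2,3" -> {1, 2, 3}
    return {int(p) for p in str(value).split(",") if p.strip()}


def check_sts(payload, production=False):
    """Return a list of findings; an empty list means no drift from the page."""
    findings = []
    # Space and repository must both be named, otherwise PM1 token flows fail.
    for section, field in (("space", "spaceName"), ("repo", "repositoryName")):
        if not payload.get(section, {}).get(field):
            findings.append(f"{section}.{field} missing")
    for section, expected in FIXED.items():
        actual = payload.get(section, {})
        for field, want in expected.items():
            if actual.get(field) != want:
                findings.append(f"{section}.{field}={actual.get(field)!r}, expected {want!r}")
    perms = parse_perms(payload.get("channel", {}).get("permissionType", ""))
    for label, diff in (("adds", perms - EXPECTED_PERMS), ("lacks", EXPECTED_PERMS - perms)):
        if diff:
            findings.append(f"channel.permissionType {label} {sorted(diff)}")
    email = payload.get("apiUser", {}).get("partnerEmail", "")
    if production and email.lower() == TEMPLATE_DEFAULT_EMAIL:
        findings.append("apiUser.partnerEmail is still the template default")
    return findings


# Constructed sample payloads (not real provisioning output).
GOOD = {
    "space": {"spaceName": "mcli"},
    "repo": {"repositoryName": "mcli", "tokenType": 1, "autoDelete": 1},
    "apiUser": {"partnerEmail": "ops@example.test", "adminFlag": 0, "encAlgorithm": 1, "encFlag": 1},
    "channel": {"channelId": 1, "groupId": 13, "isDefault": 0, "permissionType": "1,2,3,6,16,17,18,20"},
}
DRIFTED = {**GOOD, "apiUser": {**GOOD["apiUser"], "encFlag": 0, "partnerEmail": TEMPLATE_DEFAULT_EMAIL},
           "channel": {**GOOD["channel"], "permissionType": "1,2,3,6,16,17,18,20,21"}}

if __name__ == "__main__":
    print(check_sts(DRIFTED, production=True))
```

Values are compared by type as well as content, so a payload that renders the flags as strings is reported as drift.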

See Also