# Enable a Card for Click to Pay in Issuer's Mobile App (through MDES Token Connect API)
source: https://developer.mastercard.com/mastercard-processing-digital/documentation/use-cases/enable-card-click-to-pay-issuer-mobile-app-mdes/index.md

## Overview {#overview}

The use case describes the process for a cardholder to enable a card for Click to Pay using push provisioning in the issuer's mobile application. The process is applicable if you are de-scoped from the PCI DSS regulation (you are a PAN-less issuer) and you have integrated with the [MDES Token Connect API](https://developer.mastercard.com/mdes-token-connect/documentation/#overview) and optionally [Enroll API](https://developer.mastercard.com/issuer-enrollment/documentation/use-cases/auto-enrollment/enroll_api_async/).

## Sequence diagram {#sequence-diagram}

Diagram enable-card-click-to-pay

### Explanation {#explanation}

Note: To ensure your database of available Token Requestors (including Click to Pay) and their assets is current, steps 1--4 should be repeated by your server regularly, ideally bi-weekly. The outcomes should be saved in your database. For more details about the Token Connect API, refer to [MDES Token Connect](https://developer.mastercard.com/mdes-token-connect/documentation/api-reference/).

1. The issuer server sends the request to the MDES Token Connect `getEligibleTokenRequestors` endpoint to retrieve information about Token Requestors that have been enabled for your card ranges.
2. The MDES Token Connect returns the list of available token requestors to the issuer server.
3. The issuer server sends the request to the MDES Token Connect `getAsset` endpoint to retrieve static assets from the MDES repository, such as Token Requestors' logos.
4. The MDES Token Connect returns digital assets, and the issuer server saves it together with the data received in step 2.  
   Tip: Additionally, you can use the Mastercard Processing Digital API to check if the cardholder's cards are already enabled for Click to Pay. If that is the case, the `getTokensByClient` API will return card contracts where `walletName` = `MDES for Merchants` and `tokenRequestorId` = `50123197928`
5. The cardholder logs into a mobile application or website and is presented with an option to enroll their card in Click to Pay. They choose to proceed with the enrollment.
6. The mobile application sends a request to the issuer server to enroll the card in Click to Pay. Tip: Refer to the [MDES Token Connect implementation guide](https://developer.mastercard.com/mdes-token-connect/documentation/tutorials-and-guides/issuer-implementation-guide/) to learn how to integrate with the MDES Token Connect.
7. The issuer server sends the `POST` request to the Mastercard Processing Digital `/clients/{client_id}/funding-accounts/searches` endpoint with the following properties:
   * `Token-Connect-Client-Encryption-Key` header: It contains the Client Encryption Key, which you generated when requesting access to the MDES Token Connect API in Mastercard Developers.
   * `client_id`: It is the cardholder's client ID stored in the CMS that is generated during the Mastercard Processing Core `createClient` API call.
   * `cardContractId`: It is the card contract's ID stored in the CMS that is generated during the Mastercard Processing Core `createCardContract` API call.
   * `tokenRequestorId`: For Click to Pay, it is represented by the value `50123197928`.
   * `signatureData.callbackUrl`: It is to be used in the last step 25. Note: The Mastercard Processing Digital `/clients/{client_id}/funding-accounts/searches` endpoint has the same request body as the MDES Token Connect `pushMultipleAccounts` with only one change where full PANs have been replaced with technical card contract IDs to support PAN-less issuers. Refer to the [MDES Token Connect API Reference](https://developer.mastercard.com/mdes-token-connect/documentation/api-reference/) to get to know more about other optional properties in the API.
8. The Mastercard Processing API fetches PAN from the CMS for the card contract ID sent in step 7 and checks if the card is active in the system.
9. The Mastercard Processing API generates an encrypted with `Token-Connect-Client-Encryption-Key` request body as required by the MDES Token Connect `pushMultipleAccounts` API and sends it back to the issuer server. Note: The use case supports only one card per provisioning. If cardholders have multiple cards, issuers should pre-select one or allow them to select a preferred card before initiating the process. Alternatively, refer to [Auto-enable single or multiple cardholders in Click to Pay](https://developer.mastercard.com/mastercard-processing-digital/documentation/use-cases/auto-enable-cardholders-click-to-pay/index.md) if you want to enable Click to Pay for multiple cards in a single request.
10. The issuer server takes the encrypted `pushMultipleAccounts` object from the step 9 together with `tokenRequestorId` and `signatureData` including `callbackUrl` and sends it to the MDES Token Connect `pushMultipleAccounts` endpoint to enable the card for Click to Pay.
11. The MDES Token Connect API returns to the issuer server `pushAccountReceipts` together with signature data and Click to Pay URL to redirect the cardholder.
12. The issuer server passes the data received from the MDES Token Connect to the mobile application.
13. The mobile application redirects the cardholder to the Click to Pay URL received in step 12, passing the signature data and a callback URL.
14. The Click to Pay initiates the tokenization process.
15. The MDES sends the pre-digitization message, Tokenization Authorization Request (TAR), to Mastercard Processing for tokenization decision.
16. After internal checks (that is, card product tokenization eligibility, card status, and expiry date) are done by the Mastercard Processing CMS, the Mastercard Processing sends the TAR response to the MDES with the response code = 00, which means that the card can be tokenized without any additional authentication.
17. The Mastercard Processing concurrently sends the TAR notification to the issuer server.
18. The MDES returns Tokenization Complete Notification (TCN) to Click to Pay confirming successful tokenization.
19. With step 16, the MDES concurrently sends the Tokenization Complete Notification (TCN) to Mastercard Processing.
20. The Mastercard Processing sends the TCN acknowledgment to MDES.
21. The Mastercard Processing concurrently sends a TCN notification to the issuer server.
22. The Click to Pay verifies signature data and displays Terms and Conditions to the cardholder.
23. The cardholder accepts the Terms and Conditions.
24. The Click to Pay displays to the cardholder confirmation that their card has been successfully enrolled.
25. The cardholder is redirected back to the issuer mobile application.

Note: Optionally, Mastercard Processing may send an SMS to inform the cardholder that their card has been added to Click to Pay.

Refer to [Sandbox testing](https://developer.mastercard.com/mastercard-processing-digital/documentation/sandbox-testing/enable-card-for-click-to-pay-mdes/index.md) for more information on how to execute the use case in the Sandbox environment.

## Endpoint {#endpoint}

##### MDES Token Connect {#mdes-token-connect}

[POST /connect/{maj}/getEligibleTokenRequestors](https://developer.mastercard.com/mdes-token-connect/documentation/api-reference/)   

[GET /issuer-assets/{maj}/asset/tokenrequestor/{AssetId}](https://developer.mastercard.com/mdes-token-connect/documentation/api-reference/)   

[POST /connect/{maj}/pushMultipleAccounts](https://developer.mastercard.com/mdes-token-connect/documentation/api-reference/)

<br />

##### Mastercard Processing {#mastercard-processing}


API Reference: `GET /clients/{client_id}/tokens`


API Reference: `POST /clients/{client_id}/funding-accounts/searches`