# Token Life Cycle Management
source: https://developer.mastercard.com/mdes-customer-service/documentation/use-cases/tokensuspend-use-case/index.md

Token Life Cycle Management involves performing various actions on tokens including:

* [Suspending a Token](https://developer.mastercard.com/mdes-customer-service/documentation/use-cases/tokensuspend-use-case/index.md#suspending-a-token)
* [Unsuspending a Token](https://developer.mastercard.com/mdes-customer-service/documentation/use-cases/tokensuspend-use-case/index.md#unsuspending-a-token)
* [Deleting a Token](https://developer.mastercard.com/mdes-customer-service/documentation/use-cases/tokensuspend-use-case/index.md#deleting-a-token)
* [Updating a Token](https://developer.mastercard.com/mdes-customer-service/documentation/use-cases/tokensuspend-use-case/index.md#updating-a-token)
  * [Funding Account Update](https://developer.mastercard.com/mdes-customer-service/documentation/use-cases/tokensuspend-use-case/index.md#funding-account-update)
  * [Alternate Account Identifier Suffix + Funding Account Update](https://developer.mastercard.com/mdes-customer-service/documentation/use-cases/tokensuspend-use-case/index.md#alternate-account-identifier-suffix--funding-account-update)

## Suspending a Token {#suspending-a-token}

A cardholder notifies their bank that a phone has been lost or stolen. The cardholder provides the last four digits of the PAN of all the physical cards provisioned to the phone.

The Token Suspend API allows tokens provisioned against that device to be suspended, preventing further transactions from being performed and, therefore, reducing the risk of fraud.

### Steps: {#steps}

1. A cardholder contacts the issuer's Customer Service Representative (CSR) and provides the last four digits of the PAN to block the lost or stolen card.
2. The CSR uses the last four digits of the PAN in the `/{id}/search` endpoint to find the token.
3. The `/{id}/search` response returns the TUR for all tokens mapped to the PAN.
4. The CSR sends the TUR on the `/{id}/token/suspend` endpoint to suspend the requested token.
5. Once the token is suspended, MDES sends a success response to the issuer.
6. The cardholder is notified of the digital card suspension.

### Endpoint {#endpoint}


API Reference: `GET /{id}/search`


API Reference: `GET /{id}/token/suspend`


Refer to the [integration tutorial](https://developer.mastercard.com/mdes-customer-service/documentation/tutorials/tutorial-5/index.md) for details on how to use these endpoints for suspending a token.

## Unsuspending a Token {#unsuspending-a-token}

After losing their mobile phone and notifying their bank, a cardholder later finds the device. The cardholder calls their bank to resume their digital cards and provides the last four digits of the PAN of all the physical cards that need to be resumed.

The Token Unsuspend API enables tokens provisioned against that device to be resumed and re-used for payment transactions (given that the risk of fraud has been eliminated).

### Steps: {#steps-1}

1. A cardholder contacts the issuer's Customer Service Representative (CSR) and provides the last four digits of the PAN to unblock the blocked lost or stolen card.
2. The CSR uses the last four digits of the PAN in the `/{id}/search` endpoint to find the suspended token.
3. The `/{id}/search` response returns the TUR of the suspended token.
4. The CSR sends the TUR on the `/{id}/token/unsuspend` endpoint to unsuspend the requested token.
5. Once the token is unsuspended, MDES sends a success response to the issuer.
6. The cardholder is notified of the digital card resumption.

### Endpoint {#endpoint-1}


API Reference: `GET /{id}/search`


API Reference: `GET /{id}/token/unsuspend`


## Deleting a Token {#deleting-a-token}

A cardholder has lost their mobile phone. To avoid any risk of fraud, the cardholder contacts their bank to get rid of all the digital cards provisioned to the device wallets on that phone.

The Token Delete API deletes all tokens associated with a physical card.

### Steps: {#steps-2}

1. A cardholder contacts the issuer's Customer Service Representative (CSR) and provides the last four digits of the PAN to delete the digital card.
2. The CSR uses the `/{id}/search` request to find the token mapped to the PAN.
3. The `/{id}/search` response returns the TUR of all tokens mapped to the PAN.
4. The CSR sends the TUR on the `/{id}/token/delete` endpoint to delete the requested token.

   Note: if `DeleteFromConsumerApp` is set to

   * true, then the token will be removed only from the cardholder device but will remain active on the MDES platform.
   * false, then the token will be deleted from the cardholder device and the MDES platform.

5. Once the token is deleted, MDES sends a success response to the issuer.
6. The cardholder is notified of the token deletion.

### Endpoint {#endpoint-2}


API Reference: `GET /{id}/search`


API Reference: `GET /{id}/token/delete`


Refer to the [integration tutorial](https://developer.mastercard.com/mdes-customer-service/documentation/tutorials/tutorial-6/index.md) for details on how to use these endpoints for deleting a token.

## Updating a Token {#updating-a-token}

* [Funding Account Update](https://developer.mastercard.com/mdes-customer-service/documentation/use-cases/tokensuspend-use-case/index.md#funding-account-update)
* [Alternate Account Identifier Suffix + Funding Account Update](https://developer.mastercard.com/mdes-customer-service/documentation/use-cases/tokensuspend-use-case/index.md#alternate-account-identifier-suffix--funding-account-update)

### Funding Account Update {#funding-account-update}

The cardholder receives a new card to replace an existing card that is about to expire. They want to keep all digital cards active by doing a 'PAN swap' (existing -> new). The cardholder then calls the issuer's customer service to provide the existing and new PAN.

The Token Update API enables issuers to update all tokens associated with one set of PAN credentials (PAN, PSN, and/or Expiry Date) with new PAN data (PAN, PSN and/or Expiry Date). A new product configuration ID can also be associated with one or all tokens associated with a PAN.

#### Steps: {#steps-3}

1. An issuer sends a funding PAN update to MDES Customer Service API. The `/{id}/search` and `/{id}/token/update` endpoints retrieve and update the data belonging to one or more tokens.
2. MDES updates the PAN mapping information.
3. MDES sends a Notify Token Updated (NTU) response per token to the wallet.
4. For the device tokens:
   * Wallet initiates the redigitize request.
   * MDES redigitizes each token.
   * When the device is available, MDES will initiate the reprovisioning flow.
   * The device will update the card profile on the device.
   * The device will send a success response to the payment app server.
   * The payment app server will send a reprovisioning complete response to MDES.
   * The server tokens are updated automatically based on the details in the NTU.
5. For the server tokens:
   * The payment app server will send a redigitize request to MDES.
   * MDES redigitizes each token.
6. MDES will send an NTU per token updated to the payment app server.
7. MDES will send an NTU per token updated to the issuer.

The NTU received by the issuer concludes this process for an issuer. The detailed process for device tokens is available in the [MDES Use Cases](https://trc-techresource.mastercard.com/r/bundle/m_mdes_usecases_en-us/page/d/en-US/rsa1743676773385.html) document.

### Endpoint {#endpoint-3}


API Reference: `GET /{id}/search`


API Reference: `GET /{id}/token/update`


### Alternate Account Identifier Suffix + Funding Account Update {#alternate-account-identifier-suffix--funding-account-update}

An issuer has previously associated an Alternate Account Identifier with a token as part of the provisioning process and as a result, the Alternate Account Identifier Suffix is shown in the digital wallet. In advance of performing a migration (FPAN swap) from Maestro to Debit Mastercard, the Alternate Account Identifier must be removed so that the correct identifier is shown in the digital wallet.

The Token Update API enables issuers to remove the existing alternate account identifier suffix (associated with the previous Maestro account) for existing tokens to ensure the funding PAN suffix is shown. In this scenario, the wallet does not need to be informed of the removal of the Alternate Account Identifier. The wallet should be informed only when there is an FPAN update as a result of migration from Maestro to Debit Mastercard.

#### Steps: {#steps-4}

1. An issuer sends a request to remove the existing alternate account identifier suffix for existing tokens. The `/{id}/search` and `/{id}/token/update` endpoints retrieve and update the data belonging to one or more tokens. The wallet should not be informed about this update. The wallet should be informed of the change only after the FPAN is updated.
2. MDES updates the PAN mapping information.
3. The issuer sends the FPAN swap (migration from Maestro to Debit Mastercard) after a 3-second delay. The wallet should be informed about the update request.
4. MDES updates the PAN mapping information.
5. MDES sends a Notify Token Updated (NTU) response per token to the wallet.
6. For the device tokens:
   * Wallet initiates the redigitize request.
   * MDES redigitizes each token.
   * When the device is available, MDES will initiate the reprovisioning flow.
   * The device will update the card profile on the device.
   * The device will send a success response to the payment app server.
   * The payment app server will send a reprovisioning complete response to MDES.
   * The server tokens are updated automatically based on the details in the NTU.
7. For the server tokens:
   * The payment app server will send a redigitize request to MDES.
   * MDES redigitizes each token.
8. MDES will send an NTU, per token updated, to the payment app server.
9. MDES will send an NTU, per token updated, to the issuer.
10. The FPAN suffix is displayed on the consumer device instead of the alternate account identifier suffix.

The NTU received by the issuer concludes this process for an issuer. The detailed process for device tokens is available in the [MCBP use cases document](https://techdocs.mastercard.com/bundle/p_MDESCP/page/jtu1586189058780.html).
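The ordering in steps 1 to 4 (suffix removal without informing the wallet, a 3-second delay, then the FPAN swap with the wallet informed) can be enforced on the issuer side as in the following sketch. This is an added example, not Mastercard code: `update` is a hypothetical callable wrapping `/{id}/token/update`, and the `remove_aaid_suffix` key, the `notify_wallet` argument and the opaque `fpan_change` payload are assumptions, since the request schema is not shown on this page.

```python
import time
from dataclasses import dataclass

MIN_DELAY_SECONDS = 3.0  # delay between suffix removal and FPAN swap (step 3)

@dataclass
class MigrationResult:
    tur: str
    aaid_removed: bool = False
    fpan_swapped: bool = False
    error: str = ""

def migrate_tokens(turs, update, fpan_change, sleep=time.sleep, clock=time.monotonic):
    """Run the two-phase update for each TUR returned by /{id}/search.

    update(tur, change, notify_wallet) is a hypothetical wrapper around
    /{id}/token/update that returns True on an MDES success response.
    fpan_change is passed through untouched (its fields are not assumed here).
    """
    results = {tur: MigrationResult(tur) for tur in turs}

    # Phase 1: remove the alternate account identifier suffix; wallet not informed.
    for tur, res in results.items():
        try:
            res.aaid_removed = bool(update(tur, {"remove_aaid_suffix": True}, False))
            if not res.aaid_removed:
                res.error = "AAID removal rejected"
        except Exception as exc:  # record the failure, keep processing other tokens
            res.error = f"AAID removal failed: {exc}"
    phase1_done = clock()

    # Wait until at least MIN_DELAY_SECONDS have elapsed since phase 1 finished.
    remaining = MIN_DELAY_SECONDS - (clock() - phase1_done)
    if remaining > 0:
        sleep(remaining)

    # Phase 2: FPAN swap with the wallet informed, only for tokens that passed phase 1.
    for tur, res in results.items():
        if not res.aaid_removed:
            continue
        try:
            res.fpan_swapped = bool(update(tur, fpan_change, True))
            if not res.fpan_swapped:
                res.error = "FPAN swap rejected"
        except Exception as exc:
            res.error = f"FPAN swap failed: {exc}"
    return list(results.values())
```

A token whose suffix removal failed is never sent the FPAN swap, so the caller can retry it from phase 1; a successful phase 2 response still has to be followed by the NTU before the issuer treats the migration as complete.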

### Endpoint {#endpoint-4}


API Reference: `GET /{id}/search`


API Reference: `GET /{id}/token/update`


