Skip to main content

Tap to Pay on iPhone (2023-12-12)

Download OpenAPI specification:Download


The Tap to Pay on iPhone API is RESTful, using HTTP response codes to convey status, including successful responses and errors. Additionally, it accepts and returns JSON in the HTTP body.


For a detailed step-by-step guide on how to integrate the Tap to Pay on iPhone API in your SDK, see the Tap to Pay on iPhone SDK documentation.

Base URLs

Use the following base URL when making requests to the API:


The Tap to Pay on iPhone API uses Basic HTTP authentication. You can generate API keys in the Developer Portal. Secret keys for the test environment use the prefix sk_sandbox_. Production keys use the prefix sk_prod_.

You must include your secret API key in the header of all requests, for example:

  --header 'content-type: application/json' \
  --header 'Authorization: Basic sk_prod_your_key' \

API requests without authentication will fail.

Sandbox keys

You can test the Tap to Pay on iPhone API using the sandbox environment. Here's a sample test key:


HTTP Responses

The API returns standard HTTP response codes RFC 7231 on each request to indicate the success or otherwise of API requests. Summaries for each HTTP code are listed below:

  • 200 OK—The request was successful.

  • 201 Created—The request was successful, and a new resource was created as a result.

  • 204 No Content—The request was successful, but there is no content to send.

  • 400 Bad Request—Bad request, probably due to a syntax error.

  • 401 Unauthorized—Authentication required.

  • 403 Forbidden—The API key doesn't have permissions.

  • 404 Not Found—The resource doesn't exist.

  • 405 Method Not Allowed—The request method is known by the server but isn't supported by the target resource.

  • 409 Conflict—The request couldn't be completed because it conflicted with another request or the server's configuration.

  • 500, 502, 503, 504 Server Errors—An error occurred with our API.


Dojo follows the error response format proposed in RFC 7807, also known as Problem Details for HTTP APIs. All errors are returned in the form of JSON.

Error Schema

In case of an error, the response object contains the following fields:

  • errors [object]—A human-readable explanation of errors.

  • type [string]— A URI reference RFC 3986 that identifies the problem type.

  • title [string]—A short, human-readable summary of the error.

  • status [integer]—The HTTP status code.

  • detail [string]—A human-readable message giving more details about the error. Not always present.

  • traceId [string]—The unique identifier of the failing request.

The following example shows a possible error response:

    "errors": {
        "Reference": [
            "The Reference field is required."
    "type": "",
    "title": "One or more validation errors occurred.",
    "status": 400,
    "traceId": "00-a405f077df056a498323ffbcec05923f-aa63e6f4dbbc734a-01",


Dojo API uses the yyyy-mm-dd API version-naming scheme. You have to pass the version as the version header in all API calls, for example:

  --header 'content-type: application/json' \
  --header 'Authorization: Basic sk_prod_your_key' \
  --header 'version: Pre-release' \

When we make breaking changes to the API, we release new dated versions.

The current version is 2023-12-12.

Tap to Pay on iPhone

Allows you to create a terminal secret value.

Create a terminal secret

Creates a secret value that you'll use to initialize the SDK.

header Parameters

The API version with format yyyy-mm-dd. The current version is 2023-12-12.


Response Schema: application/json

Secret value to initialize the SDK.

string <date-time>

The expiry date of secret in the format yyyy-mm-dd.

The timestamp and date of when the secret will be voided, in ISO 8601 UTC format. This occurs when you have not yet authenticated the SDK. The secret is short-lived and will expire after 6 hours.

Request samples

import http.client

conn = http.client.HTTPSConnection("")

headers = {
    'version': "SOME_STRING_VALUE",
    'Authorization': "REPLACE_KEY_VALUE"

conn.request("POST", "/tap/apple-terminal/secret", headers=headers)

res = conn.getresponse()
data =


Response samples

Content type
  • "secret": "ts_prod_2dDKpmwtqzOq3qYYA9zU9wQEKoxHg-qRnu6AGpVxAAtoUpP2SGOaiq_A0JoPAr787Ae2k_4vjJDYQFDnIVZz3vK5qpNyY7vVmzM9i-s9dAY",
  • "expirationDate": "2024-02-21T14:39:21.6050276Z"