Verify display sensitive data OTP

Verifies the OTP from the initiation flow and returns the card's sensitive data.

Response Fields:

pan - Primary Account Number (16 digits)

cvv - Card Verification Value (3 digits)

expiry - Expiry date in MM/YY format

pin - PIN digits (4 digits, optional - present when available, null when not set)

Security:

OTP must be valid and not expired

Maximum 5 invalid OTP attempts allowed

Sensitive data is retrieved from Paymentology's secure vault

Error Responses:

400 INVALID_OTP_FORMAT - OTP format is invalid (must be 4-8 digits)

400 OTP_EXPIRED - OTP has expired. Please initiate a new operation.

400 OTP_MAX_ATTEMPTS_REACHED - Maximum OTP verification attempts reached. Please initiate a new operation.

400 OTP_VERIFICATION_FAILED - OTP verification failed (generic error)

400 OTP_INVALID - Invalid OTP provided. Please try again.

404 CARD_NOT_FOUND - The card is invalid. Please use a valid card.

404 OTP_OPERATION_NOT_FOUND - The operation ID is invalid. Please use a valid operation.

412 INVALID_CARD_STATUS - The card is not ACTIVE. Only ACTIVE cards can access sensitive data.

412 OTP_OPERATION_WRONG_STATUS - OTP operation is not in correct state (already completed or failed)

503 SERVICE_UNAVAILABLE - The service is currently unavailable. Please try again later.

Responses

🟢200OK

application/json

Default Response

Body

🟠400Bad Request

🟠401Unauthorized

🟠403Forbidden

🟠404Not Found

🟠405Method Not Allowed

🟠409Conflict

🟠410Gone

🟠412Precondition Failed

🟠422Unprocessable Entity

🟠429Too Many Requests

🔴500Internal Server Error

🔴501Not Implemented

🔴503Service Unavailable

🔴504Gateway Timeout

🔴505HTTP Version Not Supported

curl --location --request POST 'https://api.staging.vrtx.sa/cards/sensitive-data/verify-otp' \ --header 'Content-Type: application/json' \ --data-raw '{ "session_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "otp": "1234" }'