Introduction to REST

To get started using Cybersource APIs, you must first set up your system to be REST compliant. Cybersource uses REST for developing web services. REST enables communication between a client and server using HTTP protocols.
This guide explains how to set up secure communications between your client and server using one of these methods:
JSON Web Token Messaging
JSON Web Tokens (JWTs) are digitally signed JSON objects based on the open standard RFC 7519. These tokens provide a compact, self-contained method for securely transmitting information between parties. The tokens are signed with an RSA-encoded public and private key pair. The signature is calculated using the header and body, which enables the receiver to validate that the content has not been tampered with.
WARNING
As of February 2026, there are new requirements for constructing JWTs. This update also requires you to encrypt and decrypt messages using Message-Level Encryption (MLE). To remain compliant, you must update how your system constructs JWTs with MLE by September 2026. If you do not update your system before the September deadline, you risk transaction failure. Use this guide to update your system.
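The tamper check described above, shown as an added example using Node's built-in crypto module. It is not Cybersource code and does not reproduce the JWT layout or MLE step this guide requires; the key pair, claim names and values are constructed for illustration.

```javascript
// Added example: RS256 JWT signing and verification with Node's built-in crypto.
const crypto = require('node:crypto');

const b64url = (input) => Buffer.from(input).toString('base64url');

// Constructed key pair for the demo; a real integration loads its own key material.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Sender: the signature is computed over "<header>.<body>", both base64url-encoded.
function signJwt(claims, key) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const signature = crypto.sign('sha256', Buffer.from(`${header}.${body}`), key);
  return `${header}.${body}.${signature.toString('base64url')}`;
}

// Receiver: returns the claims only when structure, algorithm and signature all check out.
function verifyJwt(token, key) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, body, signature] = parts;
  try {
    // Pin the algorithm; never let the token choose how it is verified.
    if (JSON.parse(Buffer.from(header, 'base64url').toString()).alg !== 'RS256') return null;
    const valid = crypto.verify('sha256', Buffer.from(`${header}.${body}`), key,
      Buffer.from(signature, 'base64url'));
    return valid ? JSON.parse(Buffer.from(body, 'base64url').toString()) : null;
  } catch {
    return null; // malformed JSON or encoding
  }
}

// Constructed claims (hypothetical names and values).
const token = signJwt({ iss: 'example-merchant', amount: '10.00' }, privateKey);

// Body changed in transit while the original signature is kept.
function tamperBody(tok, newClaims) {
  const [header, , signature] = tok.split('.');
  return `${header}.${b64url(JSON.stringify(newClaims))}.${signature}`;
}
const tampered = tamperBody(token, { iss: 'example-merchant', amount: '0.01' });

// Header changed to "alg: none" with the signature stripped.
const unsigned = `${b64url(JSON.stringify({ alg: 'none' }))}.${token.split('.')[1]}.`;

console.log(verifyJwt(token, publicKey));    // the original claims
console.log(verifyJwt(tampered, publicKey)); // null
console.log(verifyJwt(unsigned, publicKey)); // null
```

Because the signature covers both encoded segments, a change to either the header or the body invalidates it, and pinning the expected algorithm on the receiving side prevents a modified header from downgrading verification.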
HTTP Signature Messaging
Each request is digitally signed, or the entire request is digitally hashed using a private key. Both the client and server have the same shared secret, which enables each request to be validated on either end. If the request transmission is compromised, the attacker cannot change the request or act as a user without the secret. HTTP signatures can be used only with API requests. They cannot be used in browser or mobile applications.
WARNING
By September 2026, all merchants using HTTP signature messaging must migrate to JSON Web Token (JWT) messaging in order to support message-level encryption (MLE). You risk transaction failures if you do not implement this update. If you are setting up your system to be REST-compliant for the first time, Cybersource recommends using JWT messaging.
IMPORTANT
When setting up your connection to the Cybersource gateway, verify that you have implemented controls to prevent card testing or card enumeration attacks on your platform.
For more information, see the best practices guide.
When Cybersource detects suspicious transaction activity associated with your merchant ID, including a card testing or card enumeration attack, Cybersource reserves the right to enable fraud management tools on your behalf in order to mitigate the attack. The fraud team might also implement internal controls to mitigate attack activity. These controls block traffic that is perceived as fraudulent. Additionally, if you are using one of the Cybersource fraud tools and experience a significant attack, Cybersource internal teams might modify or add rules to your configuration to help prevent the attack and minimize the threat to the Cybersource infrastructure. However, any actions taken by Cybersource do not replace the need for you to follow industry standard best practices to protect your systems, servers, and platforms.