Register as a token requestor with Mastercard and obtain a Token Requestor ID; Mastercard provides sandbox and production onboarding documentation through their developer portal
Initiate tokenization by submitting a Tokenize request to MDES with the PAN, expiry, cardholder billing address, and your TRID; MDES performs a risk assessment and may require ID&V
On successful provisioning, MDES returns a token (DPAN), token expiry, and a token unique reference (TUR) that can be used to manage the token lifecycle
For each transaction, request a token cryptogram (DSRP — Digital Secure Remote Payments cryptogram) from MDES using the token and transaction-specific data (amount, currency, date); include this in the authorization as the UCAF/AAV field
Token lifecycle management operations (suspend, resume, delete, get token status) are performed via dedicated MDES API endpoints using the TUR as the identifier
MDES sends lifecycle notifications to the token requestor's registered notification URL when token status changes occur (e.g., issuer-initiated suspension)
Known gotchas
Each DSRP cryptogram is tied to the specific transaction details used to generate it; any mismatch in amount or other fields at authorization will cause a decline
MDES tokenization requires your server to have approved network connectivity to Mastercard endpoints and proper mutual TLS certificates; this setup takes time and must be completed before integration testing
Token requestor domains (payment, commerce, secure element) have different provisioning rules and capabilities; choose the correct domain type for your use case during registration
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp