Token expiration
Learn how to configure token expiration settings to manage submission limits and handle errors in Payment Pages 2.0.
Access and configure this feature by completing the following steps:
- When creating or editing a Payment Page 2.0, navigate to the Security Information > Token Expiration section.
- Enter a positive integer in the Limit the number of submissions before blocking submission field. Details about the allowed value are available in the UI tooltip.
When the value of the Limit the number of submissions before blocking submission field is exceeded, the Submit button is not disabled. However, subsequent requests are not sent to the gateway even if end users click Submit . Zuora directly responds with an error message and error code to inform end-users that they have tried too many times. When the submission threshold is reached, you need to regenerate a signature and provide end customers with a way to re-render the page.
If the number of page submissions exceeds the configured thresholds, an Attempt_Exceed_Limitation error occurs. You can customize how you want to display the message for this error. See Error Handling for Payment Pages 2.0 and Customize error messages for Payment Pages 2.0 for more information.
Note that 3DS2 authentication exceptions also cause token expiration. On the next submission after a 3DS2 authentication exception occurs, the Attempt_Exceed_Limitation error occurs.
For more information about token generation, management, and usage analysis, see Generate and manage the Digital Signature and Token for Payment Pages 2.0.
Since 8 November 2022, Zuora has automatically enabled the Token Expiration feature on tenants that have not yet implemented this anti-fraud measure. The Limit the number of submissions before blocking submission field is set to a default value if your previous value is out of the range 1 - 10. If you previously had a value of 0 for this setting, you must implement a token refresh function in your code to handle the token expiration scenario (see related sample code for reference in Generate and manage the Digital Signature and Token for Payment Pages 2.0). If you have any questions about this auto-enablement, contact Zuora Global Support.
For the Inline Button Outside integration mode, if Google reCAPTCHA is not enabled, the RSA Signature Token Expiration feature is not supported. When a Payment Page submission fails, the end-user is redirected to the callback page that you configured on Payment Page configuration page. If both Google reCAPTCHA and Token Expiration are enabled, the Token Expiration feature takes effect and the configured callback URL will not be triggered until the token expiration limit is reached. If you want to ignore the token expiration setting to redirect end-users to the callback page the first time when the page submission fails, contact Zuora Global Support.