# Card Verification Authorization The second two-phase commit flow is a card verification authorization, and it actually involves three requests: 1. An initial authorization request for a small amount that only serves to save the card details. This is normally done upon customer registration, and there's no follow-up capture request after this. 2. A second authorization request that is performed when the customer is ready to make an actual purchase. This step must be performed on a terminal that does not require CVV entry. 3. A capture request that is a follow-up to (2) that charges the customer. This flow is best explained with an example. Imagine that you are an Airbnb-like service. When a new user signs up for your service, you ask them to enter their credit card details. You do this to ensure that their credit card is valid and, more importantly, to save their credit card details that you can use to charge them later when they're ready to make a booking. ## Card verification request During registration, you request a Hyp payment page configured for authorization and a small total — let's say, ₪1. To do this, you need to send a [payment page request](/creditguard/payment-page-integration/integrating-hyps-payment-page-and-accepting-payment.md#create-a-payment-page-request) where inside the `doDeal` command, `mpiValidation` is set to `Verify`: ```xml 2000 ENG doDeal {terminalNumber} CGMPI 100 Debit RegularCredit ILS Internet TxnSetup {mid} {uniqueId} Verify {successUrl} {errorUrl} ``` Extract and handle the returned payment page URL as usual. When Hyp performs a [payment completion redirect](/creditguard/payment-page-integration/integrating-hyps-payment-page-and-accepting-payment.md#handle-payment-completion-redirect), save the values of the following URL parameters: 1. `cardToken`: the credit card token that Hyp generates and that you can use in further requests. 2. `cardExp`: the credit card expiration date. {% hint style="info" %} Some terminals also require the cardholder's Israeli ID number (תעודת זהות). In this case, you must save the ID number along with the token and expiration date. You receive the ID from the payment completion redirect as the `personalId` URL parameter and then use it in payment requests as the `id` parameter. Note that the Israeli ID number is considered sensitive personal data under privacy regulations such as the GDPR and the Israeli Privacy Law. As a merchant, you are responsible for ensuring the secure storage and handling of this information. {% endhint %} These are all the values you need to perform authorization requests at a later time. You don't need to perform a capture request for this authorization. ## Authorization request for a purchase amount At some point later, which can be days or months after the customer registers, they are ready to make their first booking. They've selected an apartment and booking dates, and they click **Book**. At this point, you need to send an authorization request for the cost of the booking for the selected dates. Although you know the customer has a valid credit card, you need to make sure it currently has sufficient funds to cover the booking. The authorization request is a [standard Hyp API request](/creditguard/introduction/request-and-response-general-structure.md) where the `int_in` parameter contains the `doDeal` command payload with `validation` set to `Verify`: ```xml 2000 ENG doDeal {terminalNumber} {cardToken} {cardExp} {totalAmount} Debit RegularCredit ILS Phone Verify ``` Variable parameters of the `doDeal` command in an authorization request are: * `terminalNumber`: a unique number assigned to you as a merchant during [registration](/creditguard/introduction/prerequisites-and-requirements.md). * `cardId`: the card token you saved from the `cardToken` URL parameter in the payment completion redirect following card verification. * `cardExpiration`: the card expiration date you saved from the `cardExp` URL parameter in the payment completion redirect following card verification. * `total`: the total amount to charge, which should be equal to or greater than the cost of the customer's booking. * `id`: the customer's Israeli ID, if required by the terminal, saved in the previous step from the `personalId` parameter. Here's a sample response for a successful authorization request:

Show response

```xml doDeal 2025-08-19 21:24 119566148 000 Permitted transaction Permitted transaction Host Result Remote 00-SUCCESS 2000 Eng 000 Permitted transaction 0882819014 1092880571131111 411111 411111******1111 16 xxxxxxxxxxxx1111 0328 Foreign Credit Foreign Visa Alphacard RegularDebit RegularCredit ILS Phone 100000 Verify Absent NotValidated CreditCompany 1493217 300012 119566148 AshraitEmv 01 4121 618285345996 Absent 50 25081921240108828191487 CreditCompanyAuthorized 0 CGD 0 001101 x 0 00 1111000000 TIKRA, BAKASHA_LEISHUR_LELO_ISKA NoAuthNumber 0 100 ```

Save the `cgUid` value from the response, as you'll need it later for the capture request. ## Capture request If the apartment owner confirms each booking manually, your service gives them a 24-hour window to approve or decline the booking. If the owner rejects the booking, you simply don't perform a follow-up capture request. If the owner confirms the booking, that's when you're ready to perform the capture request to charge the customer. A capture request is a [standard Hyp API request](/creditguard/introduction/request-and-response-general-structure.md) with the `doDeal` command payload in the `int_in` parameter: ```xml 2000 ENG doDeal {terminalNumber} {cardToken} {cardExp} {total} Debit RegularCredit ILS Phone AutoComm {cgUid} ``` Variable parameters of the `doDeal` command in a capture request are: * `terminalNumber`: a unique number assigned to you as a merchant during [registration](/creditguard/introduction/prerequisites-and-requirements.md). * `cardId`: the card token saved from the `cardToken` URL parameter in the payment completion redirect following card verification. Alternatively, you can use the `cardId` from the authorization response. * `cardExpiration`: the card expiration date saved from the `cardExp` URL parameter in the payment completion redirect following card verification. Alternatively, you can use the `cardExpiration` from the authorization response. * `total`: the total amount to charge, which can be equal to or less than the authorized amount. * `cgUid`: the ID that Hyp returned in the authorization response. Here's a sample response for a successful capture request:

Show response

```xml doDeal 2025-08-19 21:34 119566257 000 Permitted transaction Permitted transaction Host Result Local 00-SUCCESS 2000 Eng 000 Permitted transaction 0882819014 1092880571131111 411111 411111******1111 16 xxxxxxxxxxxx1111 0328 Foreign Credit Foreign Visa Alphacard RegularDebit RegularCredit ILS Phone 100000 AutoComm VoiceMail 1493217 63 086 452 300012 119566148 AshraitEmv 618285345996 4121 01 50 25081921240108828191487 1 0 1493217 100000 0819 0 212401 CreditCompanyPreAuthorized 25081921240108828191487 0 CGD 0 0 001101 x 0 1111000000 NoAuthNumber 0 100 ```

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://developers.hyp.co.il/creditguard/two-phase-commits/card-verification-auth.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.