Skip to main content

Activate

POST /pos/activate

The final step in the POS activation flow. The device reports that encryption keys are installed, EMV is ready, and the network connection is stable. After successful activation, the device status changes to activated and it can begin processing payments. This is the eighth and final step in the POS activation flow.

MSK encryption: Both the request and response use MSK-encrypted envelopes (TR31-DATA). Encrypt the activation JSON with MSK before sending; decrypt the response with MSK to read status and activated_at.

Purpose

  • Confirm that the device has successfully installed encryption keys
  • Confirm that EMV configuration is loaded and ready
  • Confirm that the network connection is stable
  • Transition the device status from claimed to activated
  • Record the activation timestamp

Authentication

POS Attestation Auth — requires the attestation token received from POST /pos/attest.

HeaderRequiredFormatDescription
AuthorizationYesAttestation {token}The attestation token from the attest step. Uses the Attestation scheme (not Bearer). The token starts with att_, is cached in Redis, and is valid for 5 minutes from issuance. Example: Attestation att_f83kLmP9s2ab
X-Device-IdYesPOS-{8_HEX_CHARS}The same device ID used during attestation. The server verifies that this device ID matches the one bound to the attestation token. Example: POS-8F3A2C91

See the Headers Reference for complete details.

Request — MSK-encrypted envelope

Encrypt the activation payload below with MSK (AES-256-CBC) and send the envelope:

{
  "format": "TR31-DATA",
  "ciphertext": "A1B2C3...",
  "initialization_vector": "000102030405060708090A0B0C0D0E0F",
  "mode": "CBC"
}

Plaintext (before MSK encrypt)

{
  "emv_ready": true,
  "keys_installed": true,
  "network_ok": true
}
FieldTypeRequiredDescription
emv_readybooleanYesWhether EMV configuration has been loaded
keys_installedbooleanYesWhether encryption keys have been installed and verified
network_okbooleanYesWhether the network connection is stable
tip

All three fields should be true for successful activation. The device should verify these conditions locally before calling this endpoint.

Response

200 OK — MSK-encrypted envelope

Decrypt with MSK to obtain:

{
  "status": "activated",
  "activated_at": "2025-12-13T14:30:00Z"
}

Wire format:

{
  "format": "TR31-DATA",
  "ciphertext": "D4E5F6...",
  "initialization_vector": "101112131415161718191A1B1C1D1E1F",
  "mode": "CBC",
  "key_kcv": "ABCD12"
}
FieldTypeDescription
statusstringAlways "activated" on success (after decrypt)
activated_atstringActivation timestamp in RFC3339 format (after decrypt)

400 Bad Request

{
  "error": {
    "code": "4000",
    "message": "Invalid request body",
    "details": {
      "message": "Key: 'POSActivateRequest.EMVReady' Error:Field validation..."
    },
    "trace_id": "abc123..."
  }
}

401 Unauthorized

{
  "error": {
    "code": "4001",
    "message": "Invalid or expired attestation token",
    "trace_id": "abc123..."
  }
}

404 Not Found

{
  "error": {
    "code": "4004",
    "message": "Device not found",
    "details": {
      "device_id": "POS-UNKNOWN"
    },
    "trace_id": "abc123..."
  }
}

Code Examples

MSK required

Encrypt the activation JSON with MSK before sending; decrypt the response envelope. Samples below show plaintext for clarity — wrap in TR31-DATA on the wire. See End-to-End Example.

curl -X POST https://api.viopay.io/pos/activate \
  -H "Authorization: Attestation att_f83kLmP9s2ab" \
  -H "X-Device-Id: POS-8F3A2C91" \
  -H "Content-Type: application/json" \
  -d '{
    "emv_ready": true,
    "keys_installed": true,
    "network_ok": true
  }'

What's Next?

The device is now activated and ready to process payments using HMAC signature authentication and MSK-encrypted charge payloads:

See the POS Device Overview for a recap of the complete activation flow.