Merge pull request #196 from CyberSource/release/15-MAY-2026

Automated release commit on 15-MAY-2026

Author: gnongsie

MLE.md

@@ -11,6 +11,17 @@ MLE supports both **Request Encryption** (encrypting outgoing request payloads)
 - **Request MLE**: Only supported with `JWT (JSON Web Token)` authentication type
 - **Response MLE**: Only supported with `JWT (JSON Web Token)` authentication type
 
+### MLE with JWT Key Types
+
+MLE works with both JWT key types:
+
+| JWT Key Type | MLE Support | Request MLE Certificate Source |
+|---|---|---|
+| `P12` (default) | Supported | Auto-extracted from the P12 file (using `requestMleKeyAlias`), or from a separate file via `mleForRequestPublicCertPath` |
+| `SHARED_SECRET` | Supported | **Must** be provided via `mleForRequestPublicCertPath` (since there is no P12 file to extract from) |
+
+> **Important:** When using `jwtKeyType=SHARED_SECRET` with MLE, the `mleForRequestPublicCertPath` property is **required** for request MLE. The SDK cannot auto-extract the MLE certificate from a P12 file because shared secret authentication does not use one. The request MLE public certificate can be downloaded from the CyberSource Business Center ([Test](https://businesscentertest.cybersource.com/ebc2) | [Production](https://businesscenter.cybersource.com/ebc2)).
+
 <br/>
 
 ## Configuration
@@ -292,6 +303,58 @@ var merchantConfig = {
 };
 ```
 
+### (ix) Request MLE with Shared Secret (JWT Symmetric Key) Authentication
+
+```javascript
+// MLE with JWT SHARED_SECRET authentication — requires mleForRequestPublicCertPath
+var merchantConfig = {
+  // JWT authentication with SHARED_SECRET key type
+  authenticationType: 'jwt',
+  jwtKeyType: 'SHARED_SECRET',
+  merchantID: 'your_merchant_id',
+  runEnvironment: 'apitest.cybersource.com',
+  merchantKeyId: 'your_key_id',
+  merchantsecretKey: 'your_base64_encoded_shared_secret',
+
+  // Request MLE settings
+  enableRequestMLEForOptionalApisGlobally: true,
+  // mleForRequestPublicCertPath is REQUIRED for SHARED_SECRET since there is no P12 file
+  mleForRequestPublicCertPath: '/path/to/mle/public/cert.pem',
+  requestMleKeyAlias: 'CyberSource_SJC_US'  // Optional, defaults to CyberSource_SJC_US
+};
+```
+
+> **Note:** When using `jwtKeyType=SHARED_SECRET`, the MLE certificate cannot be auto-extracted from a P12 file. You **must** provide the certificate via `mleForRequestPublicCertPath`. The request MLE public certificate can be downloaded from the CyberSource Business Center ([Test](https://businesscentertest.cybersource.com/ebc2) | [Production](https://businesscenter.cybersource.com/ebc2)).
+
+### (x) Response MLE with MetaKey
+
+When using MetaKey (`useMetaKey: true`) with Response MLE, the response MLE private key and KID must belong to the **portfolio (parent account)**, not the transacting merchant.
+
+```javascript
+// MetaKey + Response MLE — portfolio's response MLE key is required
+var merchantConfig = {
+  // JWT authentication with MetaKey
+  authenticationType: 'jwt',
+  jwtKeyType: 'SHARED_SECRET',
+  merchantID: 'your_transacting_merchant_id',
+  merchantKeyId: 'your_metakey_portfolio_KeyId',
+  merchantsecretKey: 'your_metakey_portfolio_shared_secret_key',
+  portfolioID: 'your_portfolio_id',
+  useMetaKey: true,
+  runEnvironment: 'apitest.cybersource.com',
+
+  // Response MLE — use the portfolio's response MLE key, not the transacting merchant's
+  enableResponseMleGlobally: true,
+  responseMlePrivateKeyFilePath: '/path/to/portfolio/response/mle/private/key.p12',
+  responseMlePrivateKeyFilePassword: 'portfolio_private_key_password'
+  // responseMleKID is optional when using a CyberSource-generated P12 file (auto-fetched from P12)
+  // Required when using PEM files or responseMlePrivateKey object
+  // responseMleKID: 'your_portfolio_response_mle_kid'
+};
+```
+
+> **Important:** In MetaKey mode, the portfolio is the transaction submitter. The response is encrypted using the portfolio's MLE certificate, so the decryption key must also be the portfolio's.
+
 <br/>
 
 ## 5. Common Pitfalls
@@ -612,7 +675,8 @@ For Response MLE private key files, the following formats are supported:
 - If `enableRequestMLEForOptionalApisGlobally` is set to `true`, it enables request MLE for all APIs that have optional MLE support
 - APIs with mandatory MLE requirements are enabled by default unless `disableRequestMLEForMandatoryApisGlobally` is set to `true`
 - If `mapToControlMLEonAPI` doesn't contain a specific API, the global setting applies
-- For HTTP Signature authentication, request MLE will fall back to non-encrypted requests with a warning
+- When using `jwtKeyType=SHARED_SECRET`, the `mleForRequestPublicCertPath` parameter is **required** because the SDK cannot auto-extract the MLE certificate from a P12 file. See [Example (ix)](#ix-request-mle-with-shared-secret-jwt-symmetric-key-authentication) for a complete configuration.
+- For HTTP Signature authentication, request MLE will fall back to non-encrypted requests with a warning. **Note:** HTTP Signature is being deprecated — migrate to JWT with Shared Secret (`jwtKeyType=SHARED_SECRET`) to enable full MLE support using the same credentials. See [Example (ix)](#ix-request-mle-with-shared-secret-jwt-symmetric-key-authentication) for details.
 
 ### (ii) Response MLE
 - Response MLE requires either `responseMlePrivateKey` object OR `responseMlePrivateKeyFilePath` (not both)
@@ -622,6 +686,7 @@ For Response MLE private key files, the following formats are supported:
   - **Required** when using PEM format files (`.pem`, `.key`, `.p8`)
   - **Required** when using `responseMlePrivateKey` object directly
   - When both auto-fetched and user-provided values exist, the user-provided value takes precedence
+- **MetaKey (`useMetaKey=true`):** When Response MLE is used with MetaKey, the `responseMlePrivateKeyFilePath` (or `responseMlePrivateKey` object) and `responseMleKID` must belong to the **portfolio (parent account)** — not the transacting merchant. This is because in MetaKey mode the portfolio is the transaction submitter, and the response is encrypted using the portfolio's MLE certificate.
 - If an API expects a mandatory MLE response but the map specifies non-MLE response, the API might return an error
 - Both the private key object and file path approaches are mutually exclusive
 

README.md

@@ -25,6 +25,130 @@ Follow the first step mentioned in [Getting Started with CyberSource REST SDKs](
 
 Follow the second step mentioned in [Getting Started with CyberSource REST SDKs](https://developer.cybersource.com/hello-world/rest-api-sdks.html#gettingstarted) to configure the SDK by inputting your credentials.
 
+> **⚠️ HTTP Signature Deprecation Notice:** HTTP Signature authentication is being deprecated. **JWT with Shared Secret** is the recommended migration path — it uses the same `merchantKeyId` and `merchantsecretKey` credentials, requires only two property changes, and enables MLE (Message Level Encryption) support that HTTP Signature does not provide.
+
+## Authentication Configuration
+
+To set your API credentials for an API request, configure the following information in your configuration object:
+
+### For HTTP Signature authentication (⚠️ Deprecated — migrate to JWT with Shared Secret)
+
+```javascript
+var merchantConfig = {
+    authenticationType: 'http_signature',
+    merchantID: 'testrest',
+    runEnvironment: 'apitest.cybersource.com',
+    merchantKeyId: 'your_merchant_key_id',
+    merchantsecretKey: 'your_merchant_secret_key',
+    enableLog: true,
+    logDirectory: './log',
+    logFilename: 'cybs'
+};
+```
+
+### For JWT authentication (with P12 certificate)
+
+```javascript
+var merchantConfig = {
+    authenticationType: 'jwt',
+    merchantID: 'testrest',
+    runEnvironment: 'apitest.cybersource.com',
+    keyAlias: 'testrest',
+    keyPass: 'testrest',
+    keyFileName: 'testrest',
+    keysDirectory: './resource',
+    enableLog: true,
+    logDirectory: './log',
+    logFilename: 'cybs'
+};
+```
+
+### For JWT authentication with Shared Secret (Recommended migration from HTTP Signature)
+
+Uses the **same** `merchantKeyId` and `merchantsecretKey` credentials as HTTP Signature. Only two properties change:
+
+```javascript
+var merchantConfig = {
+    authenticationType: 'jwt',
+    jwtKeyType: 'SHARED_SECRET',
+    merchantID: 'testrest',
+    runEnvironment: 'apitest.cybersource.com',
+    merchantKeyId: 'your_merchant_key_id',
+    merchantsecretKey: 'your_merchant_secret_key',
+    enableLog: true,
+    logDirectory: './log',
+    logFilename: 'cybs'
+};
+```
+
+### For using MetaKey
+
+MetaKey can be used for HTTP Signature, JWT (P12), and JWT with Shared Secret authentication.
+
+#### For HTTP Signature Authentication (⚠️ Deprecated)
+
+```javascript
+var merchantConfig = {
+    authenticationType: 'http_signature',
+    merchantID: '<transacting merchantID>',
+    merchantKeyId: '<MetaKey Portfolio KeyId>',
+    merchantsecretKey: '<MetaKey Portfolio Shared Secret Key>',
+    useMetaKey: true,
+    portfolioID: '<Portfolio ID>'
+};
+```
+
+#### For JWT Authentication (P12)
+
+```javascript
+var merchantConfig = {
+    authenticationType: 'jwt',
+    merchantID: '<transacting merchantID>',
+    keyAlias: '<Portfolio ID>',
+    keyPass: '<MetaKey Portfolio P12 File Password>',
+    keyFileName: '<MetaKey Portfolio P12 File Name>',
+    keysDirectory: '<keysDirectory>',
+    useMetaKey: true
+};
+```
+
+#### For JWT Authentication with Shared Secret (Recommended)
+
+```javascript
+var merchantConfig = {
+    authenticationType: 'jwt',
+    jwtKeyType: 'SHARED_SECRET',
+    merchantID: '<transacting merchantID>',
+    merchantKeyId: '<MetaKey Portfolio KeyId>',
+    merchantsecretKey: '<MetaKey Portfolio Shared Secret Key>',
+    useMetaKey: true,
+    portfolioID: '<Portfolio ID>'
+};
+```
+
+#### Response MLE with MetaKey
+
+When Response MLE is enabled (`enableResponseMleGlobally: true`) and MetaKey is in use (`useMetaKey: true`), the Response MLE configuration must use the **portfolio's** response MLE key — not the transacting merchant's. Specifically:
+
+- `responseMlePrivateKeyFilePath` (or the `responseMlePrivateKey` object) must point to the **portfolio's** response MLE private key.
+- `responseMleKID` — the KID value associated with the **portfolio's** response MLE certificate.
+  - **Optional** when `responseMlePrivateKeyFilePath` points to a CyberSource-generated P12 file (SDK auto-fetches from P12).
+  - **Required** when using PEM format files (`.pem`, `.key`, `.p8`) or when providing `responseMlePrivateKey` object directly.
+
+```javascript
+var merchantConfig = {
+    // ... other MetaKey configuration ...
+    enableResponseMleGlobally: true,
+    responseMlePrivateKeyFilePath: '/path/to/portfolio/response/mle/private/key.p12',
+    responseMlePrivateKeyFilePassword: 'portfolio_private_key_password'
+    // responseMleKID is optional when using a CyberSource-generated P12 file (auto-fetched from P12)
+    // Required when using PEM files or responseMlePrivateKey object
+    // responseMleKID: '<Portfolio Response MLE KID>'
+};
+```
+
+> **Important:** The response MLE private key (and KID, if applicable) must belong to the portfolio (parent account), since in MetaKey mode the portfolio is the transaction submitter and the response is encrypted using the portfolio's MLE certificate.
+
 ## How to Use
 
 To get started using this SDK, it's highly recommended to download our sample code repository:

docs/AccountValidationsRequest.md

@@ -6,5 +6,6 @@ Name | Type | Description | Notes
 **clientReferenceInformation** | [**Bavsv1accountvalidationsClientReferenceInformation**](Bavsv1accountvalidationsClientReferenceInformation.md) |  | [optional] 
 **processingInformation** | [**Bavsv1accountvalidationsProcessingInformation**](Bavsv1accountvalidationsProcessingInformation.md) |  | 
 **paymentInformation** | [**Bavsv1accountvalidationsPaymentInformation**](Bavsv1accountvalidationsPaymentInformation.md) |  | 
+**tokenInformation** | [**Bavsv1accountvalidationsTokenInformation**](Bavsv1accountvalidationsTokenInformation.md) |  | [optional] 
 
 

docs/Acpv1mppcredentialsChallenge.md

@@ -0,0 +1,15 @@
+# CyberSource.Acpv1mppcredentialsChallenge
+
+## Properties
+Name | Type | Description | Notes
+------------ | ------------- | ------------- | -------------
+**id** | **String** | Unique challenge identifier issued by the merchant server. | 
+**realm** | **String** | Merchant realm (typically the API domain). | 
+**amount** | **String** | Amount in the smallest currency unit (e.g., '4999' = $49.99). | 
+**currency** | **String** | Three-letter ISO 4217 currency code, lowercase (e.g., 'usd'). | 
+**acceptedNetworks** | **[String]** | Card networks accepted by the merchant (e.g., ['visa', 'mastercard']). | 
+**merchantId** | **String** | Merchant identifier (maps to 'recipient' in MPP spec request object). | 
+**merchantName** | **String** | Human-readable merchant name. | 
+**encryptionJwk** | [**Acpv1mppcredentialsChallengeEncryptionJwk**](Acpv1mppcredentialsChallengeEncryptionJwk.md) |  | 
+
+

docs/Acpv1mppcredentialsChallengeEncryptionJwk.md

@@ -0,0 +1,13 @@
+# CyberSource.Acpv1mppcredentialsChallengeEncryptionJwk
+
+## Properties
+Name | Type | Description | Notes
+------------ | ------------- | ------------- | -------------
+**kty** | **String** | Key type. MUST be 'RSA'. | 
+**kid** | **String** | Key ID. Identifies the key within a JWKS. | 
+**use** | **String** | Public key use. MUST be 'enc'. | 
+**alg** | **String** | Algorithm. MUST be 'RSA-OAEP-256'. | 
+**n** | **String** | RSA modulus (Base64urlUInt-encoded per RFC 7518 Section 6.3.1.1). | 
+**e** | **String** | RSA public exponent (Base64urlUInt-encoded per RFC 7518 Section 6.3.1.2). | 
+
+

docs/Acpv1tokensAssuranceData.md

@@ -3,12 +3,12 @@
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
-**verificationType** | **String** | Type of the verification data.   Possible values:   - `CARDHOLDER` (Default)   - `DEVICE`  | [optional] 
-**verificationEntity** | **String** | Entity performing the verification.   Possible value:     - `10` - VISA (Default)  | [optional] 
-**verificationEvents** | **[String]** | Event where the verification occurred.   Possible values:     - `01` - Payment transaction   - `02` - Add card/Card enrollment   - `03` - Profile access   - `04` - Account verification  | [optional] 
-**verificationMethod** | **String** | Method of the verification.   Possible values:     - `02` - App-based authentication   - `04` - One-time passcode   - `21` - Visa Token Service step-up: Device binding   - `22` - Visa Token Service step-up: Cardholder verification   - `23` - FIDO2  | 
-**verificationResults** | **String** | Result of the verification.   Possible values:     - `01` - Verified   - `02` - Not Verified   - `03` - Not performed   - `04` - Not required   - `21` - Not allowed  | 
-**verificationTimestamp** | **String** | Date and time the verification occurred. UTC time in Unix epoch format. | 
+**verificationType** | **String** | Optional. Type of the verification data.   Possible values:   - `CARDHOLDER` (Default)   - `DEVICE`  | [optional] 
+**verificationEntity** | **String** | Optional. Entity performing the verification.   Possible value:     - `10` - VISA (Default)  | [optional] 
+**verificationEvents** | **[String]** | Optional. Event where the verification occurred.   Possible values:     - `01` - Payment transaction   - `02` - Add card/Card enrollment   - `03` - Profile access   - `04` - Account verification  | [optional] 
+**verificationMethod** | **String** | Required. Method of the verification.   Possible values:     - `02` - App-based authentication   - `04` - One-time passcode   - `21` - Visa Token Service step-up: Device binding   - `22` - Visa Token Service step-up: Cardholder verification   - `23` - FIDO2  | 
+**verificationResults** | **String** | Required. Result of the verification.   Possible values:     - `01` - Verified   - `02` - Not Verified   - `03` - Not performed   - `04` - Not required   - `21` - Not allowed  | 
+**verificationTimestamp** | **String** | Required. Date and time the verification occurred. UTC time in Unix epoch format. | 
 **authenticationContext** | [**Acpv1tokensAuthenticationContext**](Acpv1tokensAuthenticationContext.md) |  | [optional] 
 **authenticatedIdentities** | [**Acpv1tokensAuthenticatedIdentities**](Acpv1tokensAuthenticatedIdentities.md) |  | [optional] 
 **additionalData** | **String** | Additional data related to assurance. | [optional] 

docs/AuthReversalRequest.md

@@ -9,6 +9,7 @@ Name | Type | Description | Notes
 **orderInformation** | [**Ptsv2paymentsidreversalsOrderInformation**](Ptsv2paymentsidreversalsOrderInformation.md) |  | [optional] 
 **pointOfSaleInformation** | [**Ptsv2paymentsidreversalsPointOfSaleInformation**](Ptsv2paymentsidreversalsPointOfSaleInformation.md) |  | [optional] 
 **paymentInformation** | [**Ptsv2paymentsidreversalsPaymentInformation**](Ptsv2paymentsidreversalsPaymentInformation.md) |  | [optional] 
+**deviceInformation** | [**Ptsv2paymentsidreversalsDeviceInformation**](Ptsv2paymentsidreversalsDeviceInformation.md) |  | [optional] 
 **processorInformation** | [**Ptsv2paymentsProcessorInformationReversal**](Ptsv2paymentsProcessorInformationReversal.md) |  | [optional] 
 
 

docs/BatchesApi.md

@@ -153,7 +153,7 @@ No authorization required
 ### HTTP request headers
 
  - **Content-Type**: application/json;charset=utf-8
- - **Accept**: application/json;charset=utf-8
+ - **Accept**: application/json, application/json;charset=utf-8
 
 <a name="postBatch"></a>
 # **postBatch**

docs/Bavsv1accountvalidationsPaymentInformation.md

@@ -3,6 +3,9 @@
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
-**bank** | [**Bavsv1accountvalidationsPaymentInformationBank**](Bavsv1accountvalidationsPaymentInformationBank.md) |  | 
+**customer** | [**Bavsv1accountvalidationsPaymentInformationCustomer**](Bavsv1accountvalidationsPaymentInformationCustomer.md) |  | [optional] 
+**paymentInstrument** | [**Bavsv1accountvalidationsPaymentInformationPaymentInstrument**](Bavsv1accountvalidationsPaymentInformationPaymentInstrument.md) |  | [optional] 
+**instrumentIdentifier** | [**Bavsv1accountvalidationsPaymentInformationInstrumentIdentifier**](Bavsv1accountvalidationsPaymentInformationInstrumentIdentifier.md) |  | [optional] 
+**bank** | [**Bavsv1accountvalidationsPaymentInformationBank**](Bavsv1accountvalidationsPaymentInformationBank.md) |  | [optional] 
 
 

docs/Bavsv1accountvalidationsPaymentInformationBank.md

@@ -3,7 +3,7 @@
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
-**routingNumber** | **String** | Bank routing number. This is also called the transit number.  Non-Negative Integer  | 
+**routingNumber** | **String** | Bank routing number. This is also called the transit number.  Non-Negative String, containing only digits.  | 
 **account** | [**Bavsv1accountvalidationsPaymentInformationBankAccount**](Bavsv1accountvalidationsPaymentInformationBankAccount.md) |  |