# Encrypted PIN Change

## Retrieve latest public key

- [GET /v1/cards/pin_keys/latest](https://docs.solarisgroup.com/api-reference/digital-banking/cards/encrypted-pin-change/solaris_cards_pin_service_get_pin_keys_aa.md): Returns the latest Solaris public RSA key in JWK format. Call this method every time before you call the method to ensure you have the latest key. See RFC7517 for more information on JWKs.

## Change card PIN

- [POST /v1/cards/{card_account_id}/pin_update_requests](https://docs.solarisgroup.com/api-reference/digital-banking/cards/encrypted-pin-change/solaris_cards_pin_service_save_pin.md): Changes the PIN of the card specified in the request URL. Follow these instructions to use this endpoint:

  1. In your backend, retrieve the encryption key in JWK format with the method and make it available to the customer's device.
  2. On the customer's device, collect the customer's desired PIN through a text input in your frontend and store it as a string containing a JSON-formatted object.
  3. On the customer's device, parse the received encryption key JWK from the first step (you may want to use a suitable library of your choice, e.g. JOSESwift for iOS or Nimbus JOSE for Android).
  4. On the customer's device, encrypt the string containing the new PIN from step 2 into a JWE using the previously received encryption key and the following properties:
     1. Algorithm:
     2. Encryption method:
     3. Key ID: property from the encryption key JWK
  5. On the customer's device, generate the compact serialization of the JWE created in the previous step—this will be used as the parameter.
  6. On the customer's device, sign the serialized JWE of the previous step using the cardholder's private key from their bound device — this is the parameter. Note that you must use the key.
  7. Transfer the values generated in the previous two steps (serialized JWE and created signature) to your backend.
  8. Call this endpoint from your backend.

## Change card PIN with Change Request

- [POST /v1/cards/{card_account_id}/sca_pin_update_requests](https://docs.solarisgroup.com/api-reference/digital-banking/cards/encrypted-pin-change/solaris_cards_sca_pin_service_save_pin.md): Changes the PIN of the card specified in the request URL using the Change Request process. Follow these instructions to use this endpoint:

  1. Retrieve the encryption key in JWK format with the method and make it available.
  2. Collect the customer's desired PIN through a text input in your frontend and store it as a string containing a JSON-formatted object.
  3. Parse the received encryption key JWK from the first step (you may want to use a suitable library of your choice, e.g. JOSESwift for iOS or Nimbus JOSE for Android).
  4. Encrypt the string containing the new PIN from step 2 into a JWE using the previously received encryption key and the following properties:
     1. Algorithm:
     2. Encryption method:
     3. Key ID: property from the encryption key JWK
  5. On the customer's device, generate the compact serialization of the JWE created in the previous step—this will be used as the parameter.
  6. Call this endpoint from your backend.

## (Deprecated) Retrieve latest public key (deprecated)

- [GET /v1/cards/{card_account_id}/pin_keys/latest](https://docs.solarisgroup.com/api-reference/digital-banking/cards/encrypted-pin-change/solaris_cards_pin_service_get_pin_keys.md): Deprecated endpoint. Returns the latest Solaris public RSA key in JWK format. Call this method every time before you call the method to ensure you have the latest key. See RFC7517 for more information on JWKs.
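
Steps 3 to 5 of the two PIN change procedures above (parse the key JWK, encrypt the PIN string into a JWE, produce its compact serialization), shown for Node.js as an added example that is not Solaris code. Assumptions, since the page does not state them: `RSA-OAEP-256` and `A256GCM` as algorithm and encryption method, a `{"pin": "..."}` payload shape, the helper names, and a throwaway demo key with a constructed `kid`.

```javascript
const crypto = require('node:crypto');

// Assumed values: the page does not name the algorithm or encryption method.
const ASSUMED_ALG = 'RSA-OAEP-256';
const ASSUMED_ENC = 'A256GCM';

const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Accept only a public RSA encryption JWK that carries a key ID (hypothetical helper).
function importPinKey(jwk) {
  if (!jwk || jwk.kty !== 'RSA' || !jwk.n || !jwk.e) throw new Error('not an RSA JWK');
  if (typeof jwk.kid !== 'string' || jwk.kid === '') throw new Error('JWK has no kid');
  if ('d' in jwk) throw new Error('JWK contains private key material');
  if (jwk.use && jwk.use !== 'enc') throw new Error('JWK is not an encryption key');
  return crypto.createPublicKey({ key: { kty: 'RSA', n: jwk.n, e: jwk.e }, format: 'jwk' });
}

// Build the five-part JWE compact serialization (RFC 7516, section 7.1).
function encryptPinToJwe(jwk, pinPayload) {
  const publicKey = importPinKey(jwk);
  // The kid copied from the JWK tells the receiver which key to decrypt with.
  const header = b64u(JSON.stringify({ alg: ASSUMED_ALG, enc: ASSUMED_ENC, kid: jwk.kid }));
  const cek = crypto.randomBytes(32); // fresh content-encryption key per request
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce, never reused with a CEK
  const encryptedKey = crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    cek
  );
  const cipher = crypto.createCipheriv('aes-256-gcm', cek, iv);
  cipher.setAAD(Buffer.from(header, 'ascii')); // protected header is authenticated, not encrypted
  const ciphertext = Buffer.concat([cipher.update(pinPayload, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  cek.fill(0); // best-effort wipe of the key bytes held in this buffer
  return [header, b64u(encryptedKey), b64u(iv), b64u(ciphertext), b64u(tag)].join('.');
}

// Constructed demo: a throwaway key pair stands in for the key the API returns.
const demo = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoJwk = { ...demo.publicKey.export({ format: 'jwk' }), kid: 'demo-key-1', use: 'enc' };
console.log(encryptPinToJwe(demoJwk, JSON.stringify({ pin: '4821' })));
```

Because the content-encryption key and nonce are random, the output differs on every call even for the same PIN; only the first segment (the protected header) is stable for a given key.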