Secure Form (Radial) Versus Secure Fields (Radial/Gr4vy)
Radial’s secure form iframe and the Radial/Gr4vy Secure Fields integration both keep card data out of your app, but they differ in authentication (how JWTs are used), where payment data flows, and how much control you get over the UI and orchestration.
High-level difference
-
Radial Secure Form iframe:
- Radial-hosted card and CVV iframes inject into your checkout.
- You initialize Radial JS using an access token (JWT) and use
createSecureForm()to render fields. - On submit, you call
getEncryptedPaymentData()and then your backend calls Radial Payment APIs directly with the encrypted payload.
-
Radial/Gr4vy Secure Fields:
- Gr4vy-hosted field iframes (card number, expiry, CVV, etc.) embed into your own form layout.
- You authenticate with Gr4vy using a signed JWT from your backend, create a checkout session, and then initialize Secure Fields for that session.
- On submit, Secure Fields sends card data directly to Gr4vy, which returns a vaulted payment method or token that your backend uses with Gr4vy’s Payments API; Gr4vy then routes to configured PSPs.
Authentication and JWT usage
Radial Secure Form
- You must obtain a Radial access token (JWT) from Radial auth before using Radial JS.
- The secure iframe docs show that if the token is invalid or expired, you see an
Invalid Authentication Errorwith errorCode40001, indicating “provided JWT is either invalid or expired, please try with valid Access Token.” - Flow from your perspective:
- Backend calls Radial auth to get an access token.
- Frontend includes that token when initializing Radial JS.
radial.createSecureForm(customConfig)uses this token to authorize card collection and encryption.- Later, your backend uses Radial APIs (with its own auth) to submit the encrypted card data received from
getEncryptedPaymentData().
JWT scope: authorizes the secure form JS to operate and encrypt card data for a given merchant/context; errors show up at iframe creation time if it’s expired or invalid.
Radial/Gr4vy Secure Fields
- Gr4vy’s Secure Fields documents a Gr4vy JWT signed by your backend as the primary auth mechanism.
- Typical pattern:
- Your backend signs a JWT for Gr4vy containing merchant/tenant info and permissions (e.g., which buyer/checkout this session is for), using your Gr4vy private key.
- Your backend creates a checkout session with Gr4vy’s API using that JWT.
- Frontend initializes Secure Fields using the Gr4vy instance details and the session information returned from Gr4vy.
- On submit, Secure Fields uses that session context to vault the card and returns a token/paymentMethodId via callbacks in your frontend.
JWT scope: authorizes the creation of a checkout session and access to Gr4vy’s vault/transaction APIs, and scopes Secure Fields to that session and buyer context.
UI integration and field behavior
Radial Secure Form iframe
- You configure Radial’s secure form with a
customConfigobject that includescard,code, and optionalsavedWallet. - Each of these maps to a secure iframe; you specify
iframeConfig,style,attributes, andconfigto place and style them. - Validation and events:
- Radial JS performs real-time validation (Luhn, CVV length, card type).
- It emits
RadialSecureFormEventwith types likecardValidationSuccess,cardValidationFailed,secureCodeValidationFailed,cardEncrypted, etc., which you handle via a window event listener.
- Saved wallet:
- If
savedWallet: true, Radial only renders the CVV field and returns just the encrypted security code. - Multi-card: you can call
createSecureFormmultiple times and identify each pair viacardPairId.
- If
Front-end implication: you mostly treat the Radial iframe as a pre-built card input widget with styling hooks and window events, and you only control outer layout and error presentation.
Radial/Gr4vy Secure Fields
- Secure Fields exposes field-level iframes for card number, expiry, CVV, and extra fields like postal code, which you place within your own markup.
- Your Secure Fields quick-start overview describes:
- A container initialization (e.g., a Secure Fields root object).
- Per-field configuration and mounting into DOM elements you choose.
- Events and validation:
- Secure Fields emits per-field validity, completeness, and metadata (e.g., scheme, card brand), and you wire that into your own validation UI.
- Stored cards:
- You can initialize Secure Fields against an existing vaulted payment method, collecting only CVV (or other required verification fields) and getting back a token suitable for reuse.
Front-end implication: you retain more layout and UX control, assembling multiple field iframes into your own form, while Gr4vy handles PCI and vaulting under the hood.
Data flow and where the payment happens
Radial Secure Form iframe
- Shopper enters card data inside Radial’s iframes.
- Radial JS validates and encrypts card and CVV.
- On submit, you call
radial.getEncryptedPaymentData(isSavedWallet, cardPairId)to retrieve encrypted values. - Your backend calls Radial Payment APIs with:
- Encrypted card number and CVV, plus order and tender details.
- Radial processes authorization/capture as your payment provider.
Key point: Radial is both card capture and processor; the encrypted data is only useful within Radial’s payment environment.
Radial/Gr4vy Secure Fields
- Backend signs a JWT and creates a checkout session with Gr4vy.
- Frontend initializes Secure Fields using the session (and any configuration provided by Radial/Gr4vy).
- Shopper enters card data in Gr4vy’s hosted fields.
- On submit, Secure Fields:
- Sends card data directly to Gr4vy, which vaults it and returns a token or paymentMethodId via your configured callbacks.
- Backend calls Gr4vy’s Payments API with that token and order details.
- Gr4vy routes the transaction to the configured PSP or gateway according to your routing/orchestration rules.
Key point: Gr4vy is the capture and orchestration layer; the token from Secure Fields is a Gr4vy vault identifier, not a Radial-specific encryption blob.
JWT and error handling differences
-
Radial Secure Form
- If the JWT (access token) is invalid or expired,
createSecureForm()fails and returns an error witherrorCode: "40001"and message “Invalid Authentication Error.” - Other errors (missing options, JS load errors) use separate codes like
40006or40007.
- If the JWT (access token) is invalid or expired,
-
Radial/Gr4vy Secure Fields
- If your Gr4vy JWT is invalid or expired, the error surfaces when creating the checkout session or when initializing Secure Fields for that session.
- Errors typically indicate bad signature, invalid claims, or insufficient permissions, and your docs recommend regenerating a JWT and retrying session creation.
Gr4vy Secure Fields Events
Events you can expect from Gr4vy’s Secure Fields integration when using addEventListener on the Secure Fields instance or on individual fields.
Reference: Gr4vy Secure Fields events
Global events
Attach handlers to the SecureFields instance with addEventListener.
| Event | Description |
|---|---|
READY | Fired when Secure Fields is loaded and ready. Callback receives an object with environment, gr4vyId, sessionId, and version (SDK version). |
CARD_VAULT_SUCCESS | Fired when the card is successfully vaulted. Callback can receive scheme (e.g. "visa"). |
CARD_VAULT_FAILURE | Fired when card vaulting fails. Callback receives code, message, status, and other failure details. |
FORM_CHANGE | Fired when any card form value changes. Callback receives an object with fields (per-field validation) and complete (true when number and expiry are valid and security code is empty or valid). |
Field-level events
Attach handlers to individual fields (returned by addCardNumberField, addExpiryDateField, addSecurityCodeField, or addField).
| Event | Description |
|---|---|
blur | Fired when the field loses focus. Callback receives e.g. { id: 'number' }. |
focus | Fired when the field gains focus. Callback receives e.g. { id: 'number' }. |
input | Fired when the field value changes. Callback can include id, schema, codeLabel, valid, etc. (e.g. card number: { id: 'number', schema: 'visa', codeLabel: 'CVV', valid: true }). |
Documentation links
Radial Documentation
https://docs.radial.com/Content/js-integration/secure-iframe.htm
Radial / Gr4vy Documentation
https://radial.mintlify.app/guides/payments/secure-fields/quick-start/overview