A Client Token is a short-lived credential used to pass sensitive information from your client (such as a web application) to Highnote. Some use cases require Client Tokens, while other use cases offer them for enhanced security.
The mutations that generate Client Tokens must be called with an API key, so call them from your server and then send the resulting token to your client.
To use client tokens, you will need to:
Client tokens are valid for 10 minutes. Once a token has expired, you will need to generate a new one.
Use Case | Generate Token | Utilize Token | Requires Token |
---|---|---|---|
Card Viewer SDK | Generate Token | Utilize Token | Yes |
Secure Inputs SDK | Generate Token | Utilize Token | Yes |
Tokenize Business Account Holder | Generate Token | Utilize Token | Yes |
Tokenize Person Account Holder | Generate Token | Utilize Token | Yes |
Create Business Account Holder | Generate Token | Utilize Token | No |
Create Person Account Holder | Generate Token | Utilize Token | No |
Create Document Upload Session | Generate Token | Utilize Token | No |
Set Payment Card PIN | Generate Token | Utilize Token | Yes |
View Account & Routing Number | Generate Token | | Yes |
View Payment Card Details | Generate Token | | Yes |
View External Bank Account Details | Generate Token | | Yes |
Each action that utilizes a client token has a unique mutation to generate the token. These mutations use the ID of the object you're looking to tokenize as well as the requested permissions as inputs.
This example mutation generates a Client Token to set a PIN on a payment card.
Now that we have a Client Token to set a PIN on a payment card, set it as the bearer token in the Authorization header of your GraphQL client.
eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOiJwcm9kLnRlc3QuYXBpLmJheTEuY29tIiwib3JnIjoib2dfYnMwMWQ3ODNhY2U5NzBiZjRiMGE5ZDQxNGNmNzRjMzIyZjZkIiwicmVnIjoiVVNBIiwiYXBwaWQiOiJhcF9iYXkxOmNsaWVudHNkazowMDAwMDAwMDAwMDAwMDAwMCIsImlzcyI6InByb2QuYXV0aC5iYXkxLmNvbSIsInJ0X2FjY291bnRfaG9sZGVyX3Rva2VuaXplX3ciOltdLCJ0biI6InRuXzIzdXN0M3ByM2FlOGRmODE1NDdkNGM3MDhjZjVmYTI2YzJkZGVjNDUiLCJleHAiOjE2NDIwMTUzNzksImVudiI6InRlc3QiLCJpYXQiOjE2NDIwMTQ0Nzl9
```bash
# Set the card PIN, authenticating with the Client Token as the bearer credential.
# variables.input is sent as a JSON object, as GraphQL input types require.
curl -X POST \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <base64_encoded_client_token>' \
  --data '{"query":"mutation SetPinForPaymentCard($input: SetPinForPaymentCardInput!) {\n setPinForPaymentCard(input: $input) {\n __typename\n ...on PaymentCard {\n id\n bin\n last4\n }\n ... on UserError {\n errors {\n path\n code\n }\n }\n }\n}", "variables": {"input": {"paymentCardId": "some-payment-card-id", "newPin": "12ssss34"}}}' \
  https://api.us.test.highnote.com/graphql
```
With the Authorization Header set with the Client Token, you can now make the request to the API. The Client Token is valid for only 10 minutes.
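Because the token expires quickly and can only be minted on your server, the client needs a way to notice staleness and ask your backend for a replacement before calling the API. The following is an added example, not Highnote's own code. It assumes the token is JWT-shaped with an `exp` claim in seconds, like the sample token above, and that `fetchToken` is a hypothetical call to your own backend endpoint.

```javascript
// Added example: client-side handling of a short-lived Client Token.
// Assumptions (not from the Highnote docs): the token is JWT-shaped with an
// `exp` claim in seconds; `fetchToken` is a hypothetical call to YOUR backend.
const SKEW_SECONDS = 30; // refresh early so a request never races expiry

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, "="));
}

// Read `exp` for scheduling only. The signature is NOT verified here; the API
// enforces validity, so never make trust decisions on these claims.
function tokenExpiry(token) {
  const parts = String(token).split(".");
  if (parts.length < 2) return 0; // malformed: treat as expired
  try {
    const exp = JSON.parse(b64urlDecode(parts[1])).exp;
    return Number.isFinite(exp) ? exp : 0;
  } catch (_) { return 0; }
}

function isUsable(token, nowSeconds) {
  return tokenExpiry(token) - SKEW_SECONDS > nowSeconds;
}

// Holds the token in memory only (no localStorage) and refetches when stale.
function createTokenSource(fetchToken, now = () => Math.floor(Date.now() / 1000)) {
  let current = null;
  return async function getToken() {
    if (!current || !isUsable(current, now())) current = await fetchToken();
    if (!isUsable(current, now())) throw new Error("backend returned an expired client token");
    return current;
  };
}

// Request options for the setPinForPaymentCard call shown on this page.
function buildSetPinRequest(token, query, paymentCardId, newPin) {
  return {
    method: "POST",
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${token}` },
    body: JSON.stringify({ query, variables: { input: { paymentCardId, newPin } } }),
  };
}

// Constructed sample token (placeholder signature) so the example runs offline.
function constructedToken(exp) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ typ: "JWT" })}.${enc({ exp })}.constructed`;
}
```

Pass the result of `buildSetPinRequest` to `fetch` along with the GraphQL endpoint; the API key never appears in this code because it stays on the server that mints the token.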