Home / Clientside & SDKs

Client Tokens

Using Tokens

Client Tokens are a short-lived credential used to pass sensitive information from your client (such as a web application) to Highnote. Some use cases require Client Tokens, while other use cases offer them for enhanced security.

The mutations to generate client tokens must be called with an API key and therefore should be done from your server and then sent to your client.

To use client tokens, you will need to:

  1. Generate a Client Token scoped to your use case
  2. Set your Authorization Header
  3. Call the API with the Client Token in the Authorization Header

Client tokens are valid for 10 minutes. Once a token has expired, you will need to generate a new one.

Supported Use Cases

Use CaseGenerate TokenUtilize TokenRequires Token
Card Viewer SDKGenerate TokenUtilize TokenYes
Secure Inputs SDKGenerate TokenUtilize TokenYes
Tokenize Business Account HolderGenerate TokenUtilize TokenYes
Tokenize Person Account HolderGenerate TokenUtilize TokenYes
Create Business Account Holder Generate TokenUtilize TokenNo
Create Person Account Holder Generate TokenUtilize TokenNo
Create Document Upload Session Generate TokenUtilize TokenNo
Set Payment Card PIN Generate TokenUtilize TokenYes
View Account & Routing Number Generate TokenYes
View Payment Card Details Generate TokenYes
View External Bank Account Details Generate TokenYes

Generate a Client Token

Each action that utilizes a client token has a unique mutation to generate the token. These mutations use the ID of the object you're looking to tokenize as well as the requested permissions as inputs.

This example mutation generates a Client Token to set a PIN on a payment card.

Set Your Authorization Header

Now that we have a Client Token to set a PIN on a payment card, we can set the authorization header in your GraphQL client with the Token.

Example base64 encoded Client Token
eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOiJwcm9kLnRlc3QuYXBpLmJheTEuY29tIiwib3JnIjoib2dfYnMwMWQ3ODNhY2U5NzBiZjRiMGE5ZDQxNGNmNzRjMzIyZjZkIiwicmVnIjoiVVNBIiwiYXBwaWQiOiJhcF9iYXkxOmNsaWVudHNkazowMDAwMDAwMDAwMDAwMDAwMCIsImlzcyI6InByb2QuYXV0aC5iYXkxLmNvbSIsInJ0X2FjY291bnRfaG9sZGVyX3Rva2VuaXplX3ciOltdLCJ0biI6InRuXzIzdXN0M3ByM2FlOGRmODE1NDdkNGM3MDhjZjVmYTI2YzJkZGVjNDUiLCJleHAiOjE2NDIwMTUzNzksImVudiI6InRlc3QiLCJpYXQiOjE2NDIwMTQ0Nzl9
Example Authorization Header when calling the API
curl -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <base64_encoded_client_token>' \
--data '{"query":"mutation SetPinForPaymentCard($input: SetPinForPaymentCardInput!) {\n  setPinForPaymentCard(input: $input) {\n    __typename\n    ...on PaymentCard {\n      id\n      bin\n      last4\n    }\n    ... on UserError {\n        errors {\n          path\n          code\n        }\n      }\n    }\n}", "variables": {"input":"{\n\t\"paymentCardId\": \"some-payment-card-id\",\n\t\"newPin\": \"12ssss34\"\n}"}}' \
https://api.us.test.highnote.com/graphql

Call the API with a Client Token

With the Authorization Header set with the Client Token, you can now make the request to the API. The Client Token is valid for only 10 minutes.

Provide Feedback

Was this content helpful?