Home

Client Tokens

Overview

Client tokens are valid for 10 minutes. Once a token has expired, you must generate a new one. The Risk Application SDK returns its own dedicated client token which lasts 30 minutes.

Client tokens are short-lived credentials that pass sensitive information from your client to Highnote. Some use cases require client tokens, while others can use them for enhanced security. Client tokens are valid for 10 minutes. When a token expires, you must generate a new one.

Generating client tokens requires an API key. The token generation mutation should be done from your server and sent to your client.

To use client tokens:

  1. Generate a client token scoped to your use case.
  2. Set your authorization header.
  3. Call the API with the client token in the authorization header.

Supported use cases

The following use cases are supported for client tokens:

Use CaseGenerate TokenUtilize TokenRequires Token
Card viewer SDKGenerate tokenUtilize tokenYes
Secure inputs SDK for PINsGenerate tokenUtilize tokenYes
Tokenize business account holderGenerate tokenUtilize tokenYes
Tokenize person account holderGenerate tokenUtilize tokenYes
Tokenize authorized userGenerate tokenUtilize tokenYes
Create business account holder Generate tokenUtilize tokenNo
Create person account holder Generate tokenUtilize tokenNo
Create authorized userGenerate tokenUtilize tokenNo
Create document upload session Generate tokenUtilize tokenNo
Set payment card PIN Generate tokenUtilize tokenYes
View account and routing number Generate tokenYes
View payment card details Generate tokenYes
View external bank account details Generate tokenYes

Generate a client token

Every client token has a unique mutation associated with it. These mutations use the ID of the object you are tokenizing and requested permissions as inputs.

The following example mutation generates a payment card client token to set a PIN on a payment card. Refer to the supported use cases reference for the mutation for your use case:

Set authorization header

Once you have generated a client token, you must set the authorization header in your GraphQL client with the token.

The following example shows the base64 encoded client token that we generated using the GeneratePaymentCardClientToken mutation, and the example authorization header for our use case:

Example client token
Example authorization header

Call the API

After setting the authorization header, you can call the API.

The following example uses the SetPinForPaymentCard mutation to call the API and set the PIN for the payment card:

Provide Feedback

Was this content helpful?