Home / Clientside and SDKs
Client Tokens
Client Tokens are short-lived credentials that pass sensitive information from your client to Highnote. Some use cases require Client Tokens, while other use cases offer them for enhanced security.
The mutations to generate client tokens must be called with an API key. Therefore, these mutations should be done from your server and sent to your client.
To use client tokens, you will need to:
- Generate a Client Token scoped to your use case.
- Set your Authorization Header.
- Call the API with the Client Token in the Authorization Header.
Client tokens are valid for 10 minutes. Once a token has expired, you must generate a new one.
Supported Use Cases
| Use Case | Generate Token | Utilize Token | Requires Token |
|---|---|---|---|
| Card Viewer SDK | Generate Token | Utilize Token | Yes |
| Secure Inputs SDK | Generate Token | Utilize Token | Yes |
| Risk Application SDK | Generate Token | Utilize Token | Yes |
| Tokenize Business Account Holder | Generate Token | Utilize Token | Yes |
| Tokenize Person Account Holder | Generate Token | Utilize Token | Yes |
| Tokenize Authorized User | Generate Token | Utilize Token | Yes |
| Create Business Account Holder | Generate Token | Utilize Token | No |
| Create Person Account Holder | Generate Token | Utilize Token | No |
| Create Authorized User | Coming Soon | Utilize Token | No |
| Create Document Upload Session | Generate Token | Utilize Token | No |
| Set Payment Card PIN | Generate Token | Utilize Token | Yes |
| View Account & Routing Number | Generate Token | Yes | |
| View Payment Card Details | Generate Token | Yes | |
| View External Bank Account Details | Generate Token | Yes |
Each action that utilizes a client token uses a unique mutation to generate the token. These mutations use the ID of the object you are tokenizing and requested permissions as inputs.
The following example mutation generates a Client Token to set a PIN on a payment card:
Now that we have a Client Token to set a PIN on a payment card, we can set the authorization header in your GraphQL client with the Token.
- Example base64 encoded Client Token
eyJraWQiOiIxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOiJwcm9kLnRlc3QuYXBpLmJheTEuY29tIiwib3JnIjoib2dfYnMwMWQ3ODNhY2U5NzBiZjRiMGE5ZDQxNGNmNzRjMzIyZjZkIiwicmVnIjoiVVNBIiwiYXBwaWQiOiJhcF9iYXkxOmNsaWVudHNkazowMDAwMDAwMDAwMDAwMDAwMCIsImlzcyI6InByb2QuYXV0aC5iYXkxLmNvbSIsInJ0X2FjY291bnRfaG9sZGVyX3Rva2VuaXplX3ciOltdLCJ0biI6InRuXzIzdXN0M3ByM2FlOGRmODE1NDdkNGM3MDhjZjVmYTI2YzJkZGVjNDUiLCJleHAiOjE2NDIwMTUzNzksImVudiI6InRlc3QiLCJpYXQiOjE2NDIwMTQ0Nzl9- Example Authorization Header when calling the API
curl -X POST \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer <base64_encoded_client_token>' \ --data '{"query":"mutation SetPinForPaymentCard($input: SetPinForPaymentCardInput!) {\n setPinForPaymentCard(input: $input) {\n __typename\n ...on PaymentCard {\n id\n bin\n last4\n }\n ... on UserError {\n errors {\n path\n code\n }\n }\n }\n}", "variables": {"input":"{\n\t\"paymentCardId\": \"some-payment-card-id\",\n\t\"newPin\": \"12ssss34\"\n}"}}' \ https://api.us.test.highnote.com/graphql
You can now call the API with the Authorization Header set with the Client Token. The Client Token is valid for only 10 minutes.