Home / SDKs / Client Tokens and SDKs

Client Tokens

Using Tokens

Client Tokens are short-lived credentials that pass sensitive information from your client to Highnote. Some use cases require Client Tokens, while other use cases offer them for enhanced security.

The mutations to generate client tokens must be called with an API key. Therefore, these mutations should be done from your server and sent to your client.

To use client tokens, you will need to:

  1. Generate a Client Token scoped to your use case.
  2. Set your Authorization Header.
  3. Call the API with the Client Token in the Authorization Header.

Client tokens are valid for 10 minutes. Once a token has expired, you must generate a new one.

Supported Use Cases

Use CaseGenerate TokenUtilize TokenRequires Token
Card Viewer SDKGenerate TokenUtilize TokenYes
Secure Inputs SDKGenerate TokenUtilize TokenYes
Tokenize Business Account HolderGenerate TokenUtilize TokenYes
Tokenize Person Account HolderGenerate TokenUtilize TokenYes
Tokenize Authorized UserGenerate TokenUtilize TokenYes
Create Business Account Holder Generate TokenUtilize TokenNo
Create Person Account Holder Generate TokenUtilize TokenNo
Create Authorized UserGenerate TokenUtilize TokenNo
Create Document Upload Session Generate TokenUtilize TokenNo
Set Payment Card PIN Generate TokenUtilize TokenYes
View Account & Routing Number Generate TokenYes
View Payment Card Details Generate TokenYes
View External Bank Account Details Generate TokenYes

Generate a Client Token

Each action that utilizes a client token uses a unique mutation to generate the token. These mutations use the ID of the object you are tokenizing and requested permissions as inputs.

The following example mutation generates a Client Token to set a PIN on a payment card:

Set Your Authorization Header

Now that we have a Client Token to set a PIN on a payment card, we can set the authorization header in your GraphQL client with the Token.

Example base64 encoded Client Token
Example Authorization Header when calling the API
curl -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <base64_encoded_client_token>' \
--data '{"query":"mutation SetPinForPaymentCard($input: SetPinForPaymentCardInput!) {\n  setPinForPaymentCard(input: $input) {\n    __typename\n    ...on PaymentCard {\n      id\n      bin\n      last4\n    }\n    ... on UserError {\n        errors {\n          path\n          code\n        }\n      }\n    }\n}", "variables": {"input":"{\n\t\"paymentCardId\": \"some-payment-card-id\",\n\t\"newPin\": \"12ssss34\"\n}"}}' \

Call the API with a Client Token

You can now call the API with the Authorization Header set with the Client Token. The Client Token is valid for only 10 minutes.

Provide Feedback

Was this content helpful?