Can we use the API_token mentioned here https://docs.clover.com/clover-platform/docs/using-api-tokens in a browser app? Or is the token sensitive and should be hidden from the end user?
Tokens are sensitive. You need to securely store and transmit them. They can be used from the browser, but when at all possible pass the token in the header to reduce exposure.
OK, that makes sense. I will definitely pass it in the header, but as we both know, that doesn't really make it very secure. Is it possible to create an API key so it's only able to create a token (no charges, refunds or anything else)? I did see some auths that could be attached to the API key, so perhaps that is the correct approach?
Hmm. OK, based off of this information https://docs.clover.com/clover-platform/docs/ecommerce-app-permissions I am confused.
Is this the correct flow?
1. Generate the API key - The doc above states that you need the PROCESS_CARDS permission, but I don't really understand this since no API key is passed to this endpoint. I guess it's referring to the permission of the app. Please clarify.
2. Now that we have the public API key we use it in creation of the token. I am hoping that this API key can only be used in token generation and not with anything else. How is that set up?
3. Charge the token using a DIFFERENT token which has different auths allowing it to charge the card (secret key). This key is kept secure on the server and never sent to the front end.
Is my understanding correct?
1) Yes, this is referring to the app permissions. You won't be using a merchant token in production, you will be obtaining an OAuth token via - https://docs.clover.com/clover-platform/docs/using-oauth-20. The merchant will install your app (which has card processing permissions) and you will guide them through the OAuth to obtain a token.
2) Once you have an access/OAuth token you will obtain the tokenized card data via the iframe tokenizer (recommended), which is not available yet - https://docs.clover.com/clover-platform/docs/ecommerce-integration-types. My understanding is that if you use the iframe tokenizer we tokenize the card data for you and give you the results. You don't have access to the tokenization keys or methods.
3) The tokenized card data from 2 will be passed in the charge request - https://docs.clover.com/clover-platform/docs/ecommerce-accepting-payments.