araskin asked (edited by David Marginian)

API_Token protection

Can we use the API_token mentioned here https://docs.clover.com/clover-platform/docs/using-api-tokens in a browser app? Or is the token sensitive and should be hidden from the end user?

semi-integrations

David Marginian answered (edited)

Tokens are sensitive. You need to securely store and transmit them. They can be used from the browser, but whenever possible pass the token in the header to reduce exposure.

araskin answered

OK, that makes sense. I will definitely pass it in the header, but as we both know that doesn't really make it very secure. Is it possible to create an API key so it's only able to create a token (no charges, refunds or anything else)? I did see some auths that could be attached to the API key, so perhaps that is the correct approach?

araskin answered (edited by David Marginian)

Hmm. OK, based on this information https://docs.clover.com/clover-platform/docs/ecommerce-app-permissions I am confused.

Is this the correct flow?

1. Generate the API key - The doc above states that you need the PROCESS_CARDS permission, but I don't really understand this since no API key is passed to this endpoint. I guess it's referring to the permission of the app. Please clarify.

2. Now that we have the public API key, we use it in creation of the token. I am hoping that this API key can only be used in token generation and not for anything else. How is that set up?

3. Charge the token using a DIFFERENT token which has different auths allowing it to charge the card (secret key). This key is kept secure on the server and never sent to the front end.

Is my understanding correct?


1 comment
David Marginian commented:

1) Yes, this is referring to the app permissions. You won't be using a merchant token in production; you will be obtaining an OAuth token via https://docs.clover.com/clover-platform/docs/using-oauth-20. The merchant will install your app (which has card processing permissions) and you will guide them through the OAuth flow to obtain a token.

2) Once you have an access/OAuth token, you will obtain the tokenized card data via the iframe tokenizer (recommended), which is not available yet - https://docs.clover.com/clover-platform/docs/ecommerce-integration-types. My understanding is that if you use the iframe tokenizer, we tokenize the card data for you and give you the results. You don't have access to the tokenization keys or methods.

3) The tokenized card data from 2 will be passed in the charge request - https://docs.clover.com/clover-platform/docs/ecommerce-accepting-payments.

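The split described in 2) and 3) above and in araskin's step 3, as an added example that is not Clover's code: the browser only ever holds the tokenized card reference and an order id, while the server adds its secret key in an Authorization header on a server-to-server call and never echoes it back. The endpoint URL, request body shape and field names are assumptions; the real ones are in the accepting-payments doc linked above.

```javascript
// Added example, not Clover's own code. Endpoint and body shape are placeholders.
const CHARGE_ENDPOINT = "https://example.invalid/v1/charges"; // placeholder URL

// Constructed server-side order table: the amount is looked up here, never trusted
// from the browser, so a tampered front end cannot charge a different amount.
const ORDERS = { "order-42": { amountCents: 1999, currency: "usd" } };

// Build the outbound charge request from what the browser posted.
// browserPayload: { orderId, cardToken } exactly; anything else is rejected.
// secretKey: the server-only key (normally process.env), never read from the request.
function buildChargeRequest(browserPayload, secretKey) {
  if (typeof secretKey !== "string" || secretKey.length === 0) {
    throw new Error("secret key must be configured on the server");
  }
  const allowed = ["orderId", "cardToken"];
  const extra = Object.keys(browserPayload).filter((k) => !allowed.includes(k));
  if (extra.length > 0) {
    throw new Error("unexpected fields from client: " + extra.join(","));
  }
  const { orderId, cardToken } = browserPayload;
  const order = ORDERS[orderId];
  if (!order) throw new Error("unknown order");
  if (typeof cardToken !== "string" || cardToken.length === 0) {
    throw new Error("missing card token");
  }
  return {
    url: CHARGE_ENDPOINT,
    method: "POST",
    // The secret travels only in this header, on the server-to-server call.
    headers: { Authorization: "Bearer " + secretKey, "Content-Type": "application/json" },
    body: JSON.stringify({ amount: order.amountCents, currency: order.currency, source: cardToken }),
  };
}

// The only thing the front end gets back: a status and an id, no key, no raw request.
function responseForBrowser(chargeResult) {
  return { ok: chargeResult.status === "succeeded", chargeId: chargeResult.id };
}

// Redact the bearer token before the request is written to any log.
function redactForLog(request) {
  return { ...request, headers: { ...request.headers, Authorization: "Bearer [REDACTED]" } };
}
```

The actual network call (fetch/axios) is left out so the example runs offline; in production the secret key comes from the server's environment or a secrets manager, not from source control.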