The following question(s) is for the contract of an REST API-Only (not iFrame) integration for eCommerce.
I understand that in order to generate a token I need to first obtain an apiKey from the endpoint /pakms/apikey. No problems there.
The question I have is as follows:
Can this API token be sent to the browser where it can be used to generate a token using the credit card info entered into the browser? Basically, is this apiKey public?
Our idea scenario is to have a public key used in generating tokens and private keys used for charging and refunding.