Card Holder API Tokens
Performing sensitive card actions like showing card details or managing the pin requires two-factor authentication. For individual customers, the cardholder is the customer themselves, so using the customer token is sufficient. For business customers, the cardholder may not necessarily be the business contact or an authorized user. In this case, you should use the cardholder token. This token will allow you to provide a user with access to just one specific card.
Create a bearer token for a specific card.
A Cardholder Token can only interact with one card.
When using a Cardholder Bearer Token, API calls should be made directly from your front-end (browser or app).
| Verb | POST |
| Url | https://api.s.unit.sh/cards/:cardId/cardholder/token |
| Required Scope | cards-write |
| Data Type | cardholderToken |
| Timeout (Seconds) | 5 |
curl -X POST 'https://api.s.unit.sh/cards/123/cardholder/token'
-H 'Content-Type: application/vnd.api+json'
-H 'Authorization: Bearer ${TOKEN}'
--data-raw '{
"data": {
"type": "cardholderToken",
"attributes": {
"scope": "cards"
}
}
}'
Attributes
| Name | Type | Description |
|---|---|---|
| scope | string | list of Scopes separated by spaces. Only cards (cards cards-sensitive cards-write cards-sensitive-write) scopes are allowed. |
| verificationToken | string | Required if scope includes a scope which requires two-factor authentication. Received as a response from Create Cardholder Token Verification. |
| verificationCode | string | Required if scope includes a scope which requires two-factor authentication. 6 digit code sent to the card holder through the desired channel. |
| expiresIn | integer | Optional. The lifetime of the token (in seconds). Maximum value is 86400 (24 hours). Default value is also 24 hours. |
| upgradableScope | string | Optional. list of Scopes separated by spaces. The card holder will be able to upgrade the token to the scopes you provide here. |
Response
Response is a JSON:API document.
201 Created
| Field | Type | Description |
|---|---|---|
| data.attributes.token | string | The token issued for the card. |
| data.attributes.expiresIn | integer | The lifetime of the token (in seconds). |
{
"data": {
"type": "cardholderBearerToken",
"attributes": {
"token": "v2.public.eyJyb2xlIjoiY3VzdG9tZX...",
"expiresIn": 86400
}
}
}
When creating a cardholder token that contains a scope which requires two-factor authentication (see Scopes), it is required to first create a verification challenge that will be sent to the customer.
The challenge is a six digit code and is valid for 10 minutes after its creation.
The phone number that is used for the verification process is the one defined on the card. An alternative phone number (authorized user / business contact) can be provided for Business Customers via the phone attribute (see below).
In Sandbox, Unit will not send a text message, in order to avoid breaching the electronic communications consent requirements. In order to create a cardholder token that has access to scopes that require two factor authentication, please use the passcode 000001
The rate limit for verifying a customer is 5 attempts per 10 minutes.
| Verb | POST |
| Url | https://api.s.unit.sh/cards/:cardId/cardholder/token/verification |
| Data Type | cardholderTokenVerification |
| Timeout (Seconds) | 5 |
Attributes
| Name | Type | Description |
|---|---|---|
| channel | string | Send a verification code to the card holder through one of the following channels - sms or call. |
| phone | Phone | Optional. This allows providing the phone number of one of the customer's authorized users. The provided phone must match an authorized user phone and will be used in the One Time Password (OTP) authentication process instead of the business customer contact's phone. |
| appHash | string | Optional. For sms verifications only, 11-character hash string that identifies your app. Appended at the end of your verification SMS body the way that client-side SMS Retriever API expects. |
| language | string | Optional. Select the verification language using a 2-letter code. Default is English. See Localization Options bellow for the support languages and their 2-letter code. |
curl -X POST 'https://api.s.unit.sh/cards/123/cardholder/token/verification'
-H 'Content-Type: application/vnd.api+json'
-H 'Authorization: Bearer ${TOKEN}'
--data-raw '{
"data": {
"type": "cardholderTokenVerification",
"attributes": {
"channel": "sms"
}
}
}'
201 Created
| Field | Type | Description |
|---|---|---|
| verificationToken | string | The generated verification token. It should be passed back to Create Cardholder Bearer Token along with the verification code the customer received on the specified channel |
Localization Options
English-en, Afrikaans-af, Arabic-ar, Catalan-ca, Chinese-zh, Chinese (Mandarin)-zh-CN, Chinese
(Cantonese)-zh-HK, Croatian-hr, Czech-cs, Danish-da, Dutch-nl, English (British)-en-GB, Estonian-et,
Finnish-fi, French-fr, German-de, Greek-el, Hebrew-he, Hindi-hi, Hungarian-hu, Indonesian-id,
Italian-it, Japanese-ja, Kannada-kn, Korean-ko, Malay-ms, Marathi-mr, Norwegian-nb, Polish-pl,
Portuguese - Brazil-pt-BR, Portuguese-pt, Romanian-ro, Russian-ru, Slovak-sk, Spanish-es, Swedish-sv,
Tagalog-tl, Telegu-te, Thai-th, Turkish-tr, Vietnamese-vi
{
"data": {
"type": "cardholderTokenVerification",
"attributes": {
"verificationToken": "i8FWKLBjXEg3TdeK93G3K9PKLzhbT6CRhn/VKkTsm...."
}
}
}