Card Holder API Tokens APIs

Create Cardholder Token

Create a bearer token for a specific card.

A Cardholder Token can only interact with one card.

Note

When using a Cardholder Bearer Token, API calls should be made directly from your front-end (browser or app).

Verb	POST
URL	https://api.s.unit.sh/cards/:cardId/cardholder/token
Required Scope	cards-write
Data Type	cardholderToken
Timeout (Seconds)	5

Example Request (two-factor authentication not required):

curl -X POST 'https://api.s.unit.sh/cards/123/cardholder/token'
-H 'Content-Type: application/vnd.api+json'
-H 'Authorization: Bearer ${TOKEN}'
--data-raw '{
  "data": {
    "type": "cardholderToken",
    "attributes": {
      "scope": "cards"
    }
  }
}'

Attributes

scope

string

list of Scopes separated by spaces. Only cards (cards cards-sensitive cards-write cards-sensitive-write) scopes are allowed.

verificationTokenRequired

string

Required if scope includes a scope which requires two-factor authentication. Received as a response from Create Cardholder Token Verification.

verificationCodeRequired

string

Required if scope includes a scope which requires two-factor authentication. 6 digit code sent to the card holder through the desired channel.

expiresInOptional

integer

Optional. The lifetime of the token (in seconds). Maximum value is 86400 (24 hours). Default value is also 24 hours.

upgradableScopeOptional

string

Optional. list of Scopes separated by spaces. The card holder will be able to upgrade the token to the scopes you provide here.

Response

Response is a JSON:API document.

201 Created

data.attributes.token

string

The token issued for the card.

data.attributes.expiresIn

integer

The lifetime of the token (in seconds).

Example Response:

{
  "data": {
    "type": "cardholderBearerToken",
    "attributes": {
      "token": "v2.public.eyJyb2xlIjoiY3VzdG9tZX...",
      "expiresIn": 86400
    }
  }
}

Create Cardholder Token Verification

When creating a cardholder token that contains a scope which requires two-factor authentication (see Scopes), it is required to first create a verification challenge that will be sent to the customer.

The challenge is a six digit code and is valid for 10 minutes after its creation.

Note

The phone number that is used for the verification process is the one defined on the card. An alternative phone number (authorized user / business contact) can be provided for Business Customers via the phone attribute (see below).

Note

In Sandbox, Unit will not send a text message, in order to avoid breaching the electronic communications consent requirements. In order to create a cardholder token that has access to scopes that require two factor authentication, please use the passcode 000001

Suggestion

The rate limit for verifying a customer is 5 attempts per 10 minutes.

Verb	POST
URL	https://api.s.unit.sh/cards/:cardId/cardholder/token/verification
Data Type	cardholderTokenVerification
Timeout (Seconds)	5

Attributes

channel

string

Send a verification code to the card holder through one of the following channels - sms or call.

phoneOptional

Phone

Optional. This allows providing the phone number of one of the customer's authorized users. The provided phone must match an authorized user phone and will be used in the One Time Password (OTP) authentication process instead of the business customer contact's phone.

appHashOptional

string

Optional. For sms verifications only, 11-character hash string that identifies your app. Appended at the end of your verification SMS body the way that client-side SMS Retriever API expects.

languageOptional

string

Optional. Select the verification language using a 2-letter code.
Default is English.
See Localization Options bellow for the support languages and their 2-letter code.

Create a cardholder verification:

curl -X POST 'https://api.s.unit.sh/cards/123/cardholder/token/verification'
-H 'Content-Type: application/vnd.api+json'
-H 'Authorization: Bearer ${TOKEN}'
--data-raw '{
  "data": {
    "type": "cardholderTokenVerification",
    "attributes": {
      "channel": "sms"
    }
  }
}'

201 Created

verificationToken

string

The generated verification token. It should be passed back to Create Cardholder Bearer Token along with the verification code the customer received on the specified channel

Localization Options

English-en, Afrikaans-af, Arabic-ar, Catalan-ca, Chinese-zh, Chinese (Mandarin)-zh-CN, Chinese (Cantonese)-zh-HK, Croatian-hr, Czech-cs, Danish-da, Dutch-nl, English (British)-en-GB, Estonian-et, Finnish-fi, French-fr, German-de, Greek-el, Hebrew-he, Hindi-hi, Hungarian-hu, Indonesian-id, Italian-it, Japanese-ja, Kannada-kn, Korean-ko, Malay-ms, Marathi-mr, Norwegian-nb, Polish-pl, Portuguese - Brazil-pt-BR, Portuguese-pt, Romanian-ro, Russian-ru, Slovak-sk, Spanish-es, Swedish-sv, Tagalog-tl, Telegu-te, Thai-th, Turkish-tr, Vietnamese-vi

Example Response:

{
  "data": {
    "type": "cardholderTokenVerification",
    "attributes": {
      "verificationToken": "i8FWKLBjXEg3TdeK93G3K9PKLzhbT6CRhn/VKkTsm...."
    }
  }
}