Client Auth Token Authentication

What is a client auth token?

A client auth token (CAT) is an authentication mechanism that issues a short-lived token which any client can present to backend APIs to prove it is an authenticated entity.

How is it generated?

In this flow, the merchant makes a server-to-server API call (the create customer or get customer API call in the VISA VIC API use cases), which returns a CAT together with its expiry. The client auth token is issued only after the merchant's API key has been validated.

Get customer: https://juspay.io/in/docs/api-reference/docs/express-checkout/getcustomer
Create customer: https://juspay.io/in/docs/api-reference/docs/express-checkout/createcustomer

During the allowed time period, the client can call backend APIs with this client auth token, and the backend validates that the API is being called for the customer against whom the client auth token was created.

How is it scoped?

Juspay scopes a client auth token in two variations:

1. OrderId based
2. CustomerId based

In #1, every API call related to an order must be sent with a client auth token created against that order ID.

In #2, every API call related to a customer must be sent with a client auth token created against that customer ID.

How is it safe?

  • Tightly scoped: Because the token is bound to a single entity's value, it cannot be misused to capture the details of a different customer.

  • Short lived: The token is also short lived and comes with a fixed number of requests for which it can be used. This limits the window for continued misuse if the token is compromised.
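The scoping and safety properties above (a token bound to one order ID or customer ID, an expiry, and a request budget) can be modelled in a backend check like the following. This is an added illustrative example, not Juspay's implementation; the token store, field names and the default TTL and request budget are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

# Hypothetical model of a client auth token as the page describes it: bound to
# exactly one entity (an order_id or a customer_id), expiring at a fixed time,
# and usable for a limited number of requests. Illustrative, not Juspay's code.

@dataclass
class ClientAuthToken:
    scope_type: str      # "order_id" or "customer_id"
    scope_value: str     # the entity the token was created against
    expires_at: float    # unix timestamp after which the token is rejected
    remaining_uses: int  # requests left before the token is exhausted

TOKENS: Dict[str, ClientAuthToken] = {}  # in-memory store (assumption)

def issue_token(scope_type: str, scope_value: str, now: float,
                ttl_seconds: int = 900, max_uses: int = 20) -> Tuple[str, float]:
    """Server-to-server step: after the merchant's API key has been validated
    (not shown), mint an opaque token bound to one entity and return it with
    its expiry time."""
    if scope_type not in ("order_id", "customer_id"):
        raise ValueError("unsupported scope type")
    token = secrets.token_urlsafe(32)  # unguessable, opaque to the client
    expires_at = now + ttl_seconds
    TOKENS[token] = ClientAuthToken(scope_type, scope_value, expires_at, max_uses)
    return token, expires_at

def validate_request(token: str, scope_type: str, scope_value: str,
                     now: float) -> Tuple[bool, str]:
    """Backend check on a client call: the token must exist, be unexpired,
    have budget left, and match the entity the call is about."""
    cat = TOKENS.get(token)
    if cat is None:
        return False, "unknown token"
    if now >= cat.expires_at:
        TOKENS.pop(token, None)          # expired tokens are discarded
        return False, "token expired"
    if cat.remaining_uses <= 0:
        TOKENS.pop(token, None)          # exhausted tokens are discarded
        return False, "request budget exhausted"
    # Scope binding: a token created for one order/customer must not be
    # accepted for any other entity, and an order token is not a customer token.
    if (cat.scope_type, cat.scope_value) != (scope_type, scope_value):
        return False, "token not scoped to this entity"
    cat.remaining_uses -= 1              # only successful calls consume budget
    return True, "ok"
```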
