
Client Auth Tokens

Generate client-side authentication tokens for secure API access from browsers and mobile apps without exposing your API key or secret.


Overview

Client auth tokens let client-side applications (web browsers, mobile apps) authenticate with the Surfboard API without exposing your API-KEY or API-SECRET. Use them for customer-facing operations where you need to call the API directly from the frontend.

What You Can Do With Client Tokens

Client tokens support operational API requests:

  • Orders
  • Payments
  • Transactions
  • Tips
  • Reporting
  • Branding
  • Receipts

Note: Client tokens cannot perform administrative tasks like creating merchants, managing stores, or other backend operations. Those still require full API credentials.

Create a Token

Generate a token by sending a POST request with your auth provider credentials.

POST /partners/:partnerId/token

Request

{
  "providerId": "YOUR_PROVIDER_ID",
  "providerCertificate": "YOUR_PROVIDER_CERTIFICATE",
  "externalUserId": "user_12345"
}

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| providerId | string | Yes | Provider ID of the auth provider |
| providerCertificate | string | Yes | Certificate of the auth provider |
| externalUserId | string | Yes | Unique identifier for the user (e.g., a customer ID from your system) |
| email | string | No | Email address of the user |

Note: To get your providerId and providerCertificate, contact integrations@surfboard.se or reach out via Slack.

Response

{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "validUntil": "3600",
  "status": "SUCCESS",
  "message": "Token created successfully"
}

The validUntil field indicates the token’s validity period in seconds. When a token expires, generate a new one.

Using Client Tokens

Include the token in the Authorization header as a Bearer token:

Authorization: Bearer <YOUR_TOKEN>

Example: Initiate a Payment

curl -X POST YOUR_API_URL/payments \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <YOUR_TOKEN>' \
  -d '{
    "orderId": "o_RelSnor1A6gqgKzZxrbM7",
    "paymentMethod": "CARD"
  }'

Token Lifecycle

  1. Generate a token from your backend using full API credentials
  2. Pass the token to your frontend application
  3. Use the token for client-side API calls
  4. Refresh the token when it expires by generating a new one from your backend

Keep your API-KEY and API-SECRET on the server side. Only the generated token should reach the client.
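The following is an added example, not Surfboard's own code, that ties together the Create a Token request and the Token Lifecycle steps above: a small server-side token broker that keeps providerId and providerCertificate out of the client, mints a token per externalUserId, caches it, and mints a fresh one once validUntil (seconds) has elapsed, plus the client-side request that only ever sees the Bearer token. The endpoint path and response shape are taken from the guide; the HTTP transport is injected so the block runs offline against a constructed fake (the apiUrl, partner, provider and user values are placeholders, and the 60-second refresh margin is an assumption).

```javascript
// Added example (not Surfboard's code). Server-side broker for client auth tokens.

// Assumption: refresh this many seconds before validUntil elapses so a request
// made just before expiry does not fail mid-flight.
const REFRESH_MARGIN_SECONDS = 60;

function createTokenBroker({ apiUrl, partnerId, providerId, providerCertificate, postJson, now = () => Date.now() }) {
  // Provider credentials stay on the server; refuse to start without them.
  if (!providerId || !providerCertificate) {
    throw new Error('providerId and providerCertificate must be configured server-side');
  }
  const cache = new Map(); // externalUserId -> { token, expiresAt (ms since epoch) }

  async function mintToken(externalUserId, email) {
    const body = { providerId, providerCertificate, externalUserId };
    if (email) body.email = email; // optional per the parameter table
    const url = `${apiUrl}/partners/${encodeURIComponent(partnerId)}/token`;
    const res = await postJson(url, body);
    if (res.status !== 'SUCCESS' || typeof res.token !== 'string') {
      throw new Error(`token request failed: ${res.message || 'unknown error'}`);
    }
    // validUntil is documented as a validity period in seconds (a string in the sample response).
    const validSeconds = Number(res.validUntil);
    if (!Number.isFinite(validSeconds) || validSeconds <= 0) {
      throw new Error(`unexpected validUntil value: ${res.validUntil}`);
    }
    return { token: res.token, expiresAt: now() + validSeconds * 1000 };
  }

  // Serve the cached token while it is comfortably valid, otherwise mint a new one.
  async function getToken(externalUserId, email) {
    const cached = cache.get(externalUserId);
    if (cached && cached.expiresAt - REFRESH_MARGIN_SECONDS * 1000 > now()) {
      return cached.token;
    }
    const fresh = await mintToken(externalUserId, email);
    cache.set(externalUserId, fresh);
    return fresh.token;
  }

  return { getToken };
}

// Client side (browser or mobile app): only the token travels in the Authorization header.
function buildClientRequest(token, orderId, paymentMethod) {
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
    body: JSON.stringify({ orderId, paymentMethod }),
  };
}

// Constructed fake of the token endpoint: checks path and credentials, answers in the
// documented shape, and counts calls so refreshes are observable.
function makeFakeTokenEndpoint() {
  let calls = 0;
  async function postJson(url, body) {
    calls += 1;
    if (!url.endsWith('/partners/p_demo/token')) {
      return { status: 'ERROR', message: 'unknown endpoint' };
    }
    if (body.providerId !== 'prov_demo' || body.providerCertificate !== 'cert_demo') {
      return { status: 'ERROR', message: 'invalid provider credentials' };
    }
    return {
      token: `tok_${body.externalUserId}_${calls}`,
      validUntil: '3600',
      status: 'SUCCESS',
      message: 'Token created successfully',
    };
  }
  return { postJson, callCount: () => calls };
}

// Walks the lifecycle with a controllable clock: mint, serve from cache, refresh after expiry.
async function demo() {
  let clockMs = 0;
  const fake = makeFakeTokenEndpoint();
  const broker = createTokenBroker({
    apiUrl: 'https://api.example.invalid', // placeholder, not the real API URL
    partnerId: 'p_demo',
    providerId: 'prov_demo',
    providerCertificate: 'cert_demo',
    postJson: fake.postJson,
    now: () => clockMs,
  });
  const first = await broker.getToken('user_12345');
  const second = await broker.getToken('user_12345'); // served from cache
  clockMs = 3600 * 1000; // validUntil has elapsed
  const third = await broker.getToken('user_12345'); // refreshed from the backend
  const request = buildClientRequest(third, 'o_RelSnor1A6gqgKzZxrbM7', 'CARD');
  return { first, second, third, calls: fake.callCount(), authorization: request.headers.Authorization };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((result) => console.log(result));
}
```

In a real deployment `postJson` would wrap `fetch` against the Surfboard API and `getToken` would sit behind an authenticated backend route that the frontend calls; the cache key should be the user the session belongs to, never a value supplied by the client.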
