I'm building an app that uses Braintree for processing payments. According to the documentation, I need a server-side endpoint that returns the clientToken, which is then used to manage a user's vault and process payments. I'm trying to make sure I understand the security implications of exposing this token, but I can't find anything useful in the documentation. Is it supposed to be public and accessible to all users, authenticated and unauthenticated? What sort of access does it have?

1 Answer

Yes, Braintree calls it the "client token" because it needs to be sent to the client and used by the client SDK, so it can easily be picked up by users, e.g. from web browser developer tools.

This is in contrast to your API credentials, which include your private key for example, and should be kept on the server, not on the client.

I assume therefore that Braintree will have a secure design such that the client token can only be used for limited purposes, such as rendering a payment form, and only in conjunction with API calls you make from your server.

Chris Denning
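The point in the answer above that matters in practice is not the token itself but the endpoint that mints it: the client token is public by design, but if the endpoint lets the caller choose which Braintree customer the token is bound to, any visitor can obtain a token for someone else's vault. The following is an added example, not code from the question, the answer, or Braintree. It assumes the Braintree server SDK exposes `gateway.client_token.generate(params)` returning an opaque string (the shape of the Python SDK call); the gateway here is a constructed stand-in so the example runs offline, the session store is constructed, and the HTTP layer is a plain function.

```python
"""Client-token endpoint: bind the customer from the server-side session, never
from request input.  Added example; the real gateway object holds the merchant's
private key and is built server-side from environment variables, not shown here."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenResponse:
    status: int
    body: dict


class FakeClientTokenApi:
    """Stand-in for gateway.client_token in the real SDK (constructed for this example).
    Records every params dict it was asked to mint a token for."""

    def __init__(self):
        self.calls = []

    def generate(self, params=None):
        self.calls.append(dict(params or {}))
        # The real SDK returns an opaque base64 blob; a random string plays that role.
        return "fake-client-token-" + secrets.token_hex(8)


class FakeGateway:
    def __init__(self):
        self.client_token = FakeClientTokenApi()


# Constructed session store: opaque session cookie -> app user -> Braintree customer id.
SESSIONS = {
    "sess-alice": {"user": "alice", "braintree_customer_id": "cust_alice_123"},
}


def client_token_endpoint_unsafe(gateway, requested_customer_id: Optional[str]) -> TokenResponse:
    """The mistake: the customer id comes straight from the request, so any caller
    can mint a token bound to any customer's vault (an IDOR on the token endpoint)."""
    params = {"customer_id": requested_customer_id} if requested_customer_id else None
    return TokenResponse(200, {"clientToken": gateway.client_token.generate(params)})


def client_token_endpoint(gateway, session_id: Optional[str],
                          requested_customer_id: Optional[str] = None) -> TokenResponse:
    """Hardened: the customer binding is derived from the authenticated session.
    Unauthenticated callers still get a token, but one with no vault attached
    (guest checkout); a caller-supplied id that does not match the session is refused."""
    session = SESSIONS.get(session_id) if session_id else None
    if session is None:
        token = gateway.client_token.generate()
        return TokenResponse(200, {"clientToken": token})

    customer_id = session["braintree_customer_id"]
    if requested_customer_id is not None and requested_customer_id != customer_id:
        return TokenResponse(403, {"error": "customer_id does not belong to this session"})

    token = gateway.client_token.generate({"customer_id": customer_id})
    return TokenResponse(200, {"clientToken": token})


if __name__ == "__main__":
    gw = FakeGateway()
    print(client_token_endpoint(gw, None))                         # guest token, no customer
    print(client_token_endpoint(gw, "sess-alice", "cust_bob_999"))  # 403, mismatch refused
    print(client_token_endpoint(gw, "sess-alice"))                 # token bound to alice
    print(gw.client_token.calls)
```

Whether an unauthenticated caller should receive a guest token at all is a product decision; what must not vary is that the `customer_id` passed to `generate` is chosen by the server from the session, so exposure of the resulting token in browser developer tools reveals nothing beyond that user's own vault.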