Transient Tokens
The response to a successful customer interaction with
Unified Checkout
is
a transient token. The transient token is a reference to the payment data collected on
your behalf. Tokens allow secure card payments to occur without risk of exposure to
sensitive payment information. The transient token is a short-term token that expires
after 15 minutes. This reduces your PCI burden/responsibility and ensures that sensitive
information is not exposed to your back-end systems. Transient Token Format
The transient token is issued as a JSON Web Token (JWT) (RFC 7519).
For information on JSON Web Tokens, see JSON Web Tokens.
The payload portion of the token is a Base64-encoded JSON string and contains various
claims. This example shows a payload:
{ "iss" : "Flex/00", "exp" : 1706910242, "type" : "gda-0.9.0", "iat" : 1706909347, "jti" : "1D1I2O2CSTMW3UIXOKEQFI4OQX1L7CMSKDE3LJ8B5DVZ6WBJGKLQ65BD6222D426", "content" : { "orderInformation" : { "billTo" : { // Empty fields present within this node indicate which fields were captured by // the application without exposing you to personally identifiable information // directly. }, "amountDetails" : { // Empty fields present within this node indicate which fields were captured by // the application without exposing you to personally identifiable information // directly. }, "shipTo" : { // Empty fields present within this node indicate which fields were captured by // the application without exposing you to personally identifiable information // directly. } }, "paymentInformation" : { "card" : { "expirationYear" : { "value" : "2028" }, "number" : { "maskedValue" : "XXXXXXXXXXXX1111", "bin" : "411111" }, "securityCode" : { }, "expirationMonth" : { "value" : "06" }, "type" : { "value" : "001" } } } } }
Token Verification
When you receive the transient token, you should cryptographically verify its integrity
using the public key embedded within the capture context. Doing so verifies that
Cybersource
issued the token and that the data has not been tampered
with in transit. Verifying the transient token JWT involves verifying the signature and
various claims within the token. Programming languages each have their own specific
libraries to assist. For an example in Java, see: Java Example in Github.