Tokenize Checkout Parameters

This guide explains how to securely tokenize your checkout parameters with a JWT to prevent tampering and protect your users during payment.

Why Tokenize Your Checkout Parameters

To protect your users and business from fraud, Coinflow strongly recommends that merchants tokenize their checkout parameters. This ensures that sensitive payment data is encrypted before it ever reaches a payer’s browser.

What is Tokenization?

Tokenization converts your checkout parameters into a signed JWT (jwtToken). This secure token contains all relevant data for a transaction, and is safe to share with the frontend or directly with our API.

When a payer makes a payment, this token is passed into the CoinflowPurchase component (if using our SDK) or to the jwtToken parameter in any of our checkout API endpoints. This protects against tampering or parameter injection by malicious actors.

How to Tokenize

  1. Generate a JWT Token
    This encrypts the checkout parameters so bad actors cannot tamper with the checkout args.
Request
curl --request POST \
  --url https://api-sandbox.coinflow.cash/api/checkout/jwt-token \
  --header 'Authorization: YOUR_API_KEY' \
  --header 'accept: application/json' \
  --header 'content-type: application/json' \
  --data '
{
  "webhookInfo": {
    "example": "{\"description\":\"asdF\"}"
  },
  "subtotal": {
    "currency": "USD",
    "cents": 500
  },
  "email": "iamapayer@gmail.com",
  "blockchain": "solana",
  "chargebackProtectionData": [
    {
      "productType": "inGameProduct",
      "rawProductData": {
        "example": "{\"deposit amount\": 5}"
      },
      "productName": "deposit",
      "quantity": 1
    }
  ],
  "settlementType": "USDC"
}
'
Response
{
"checkoutJwtToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjoi456C4oKW26LXguCjgOKYgueAleiAnN2j5IGM4LGn46CD5oOb4LCF44CQ7Iqy4YCF6KSz4KCI7KaczLDGkOuhgNqE44iA7rWwybDgp6DHgOCumeawgOSQqeSio0LgsJ3njaPmoYXItOa1ku6AjOyFieKmlOiTke67iOWCguWxiOmroOSNuO65suOou-mUremsreWZqOSytueBrOeBpOGgqOSZiOaxrOKhiOiRpOmitOGxiOG7vuuYnOeDmOeBjOChhuCglOuTiOunuOyYlOawmOqXtuujvuSyuuuSnOy7mOqglOSZqOahpOeVrOiwmOShsOKglOaphuGhjOuXjeiRhuaStOSZjFx1ZGQxY-K7k-uQlFx1ZDg2NO-kqOmUq-qHg-6Xqu-pmuySoeGxhuSVhueDquqYiOmHlOShmuGzmOKgnOaikeSuuFx1ZGExOOebvuKisuuguOiSqdOD4LCy4Y6B7IqZ5LO045Cb6qeM4o2D6Iyc7KOR4ZKt4ZyC6I2h6oCy44SMzZPSheyHmeixmOOyhsyE5IWC7oCo5LCO46uJ0rfvg6Dos6jMmOWqguiMi-qSjOu4nOqdkuivsuerpeWljOGmlemCi-6ZmeyFsOuItOCouuKDpeqCoeuAnOiImeGciuyNqeaIiuSxseWkrtek64S4XHVkODRi4YiN6LqnwqDngLjojJrhnIzsrYLpm43rqI3jjKbotoztmJjigYLlkoTihILoloXpi5HtkafijJHolZTogYLosoHnlZvmmonohYDnhbHooLTrjIXcr-mWou2GsOSwsuGchOm6g-qrmOGBmeieoOyfoemhiOWBsOGSqeWohOyzkO6rm-yhmeOQrOaAq-STqeGnpuSxteCoquWSgO6JkuqwnuGBmtys6Yax4rGQ5JS46rSH6ICF74iAIiwibWVyY2hhbnRJZCI6InRlc3R0ZXN0IiwiaWRlbXBvdGVuY3lLZXkiOiJJSzVlZWE3YzI3LWEyMjgtNDcyMC1iYTVkLWI1ZDA0ZDUzMzA3MCIsInN1YnRvdGFsIjp7ImN1cnJlbmN5IjoiVVNEIiwiY2VudHMiOjUwMH0sImlhdCI6MTc0Mjg1NTY3OCwiZXhwIjoxNzQyOTQyMDc4fQ.2dGfWnazfyHaz_uEWKM9RU-jh-tXUSMPFZJdNvmMPwo"
}
  2. Complete the payment with the jwtToken
CoinflowPurchase
// Example implementation of what to pass to the Purchase component if implementing with our SDK
<CoinflowPurchase
  sessionKey={'YOUR_SESSION_KEY'}
  merchantId={'mello'} // Replace with your merchantId
  env={'sandbox'}
  subtotal={{cents: 300, currency: Currency.USD}}
  jwtToken={'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'} // JWT from step 1
/>
Checkout API
# Example of how to complete a purchase by passing the JWT to the card checkout endpoint.
# Change the endpoint if you are using another checkout method (e.g. ACH, SEPA, PIX).
# Set "jwtToken" to the JWT from step 1.
curl --request POST \
  --url https://api-sandbox.coinflow.cash/api/checkout/card/mello \
  --header 'accept: application/json' \
  --header 'content-type: application/json' \
  --header 'x-coinflow-auth-session-key: YOUR_SESSION_KEY' \
  --data '
{
  "subtotal": {
    "currency": "USD",
    "cents": 300
  },
  "card": {
    "cardToken": "411111YJM5TX1111",
    "expYear": "30",
    "expMonth": "10",
    "email": "djohnson72@gmail.com",
    "firstName": "Dwayne",
    "lastName": "Johnson",
    "address1": "201 E Randolph St",
    "city": "Chicago",
    "zip": "60602",
    "state": "IL",
    "country": "US"
  },
  "jwtToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
'
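
An added example (not Coinflow's code): a pre-flight check a merchant backend could run before handing a token from step 1 to the frontend, confirming that the signed claims match the server-side order and that the token has not expired. The claim names are those readable in the sample response above; the order object, the function names and the sample token are constructed for illustration, and the check reads the claims without verifying the signature.

```javascript
// Added example, not Coinflow code. Claim names (merchantId, subtotal, exp) are those
// readable in the sample response on this page; `order` is a hypothetical server record.

// Read the claims of a compact JWT. This does not verify the signature.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Compare the signed claims with the order the server intends to charge.
// Returns a list of problems; an empty list means the token matches the order.
function checkTokenAgainstOrder(token, order, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const subtotal = claims.subtotal || {};
  const problems = [];
  if (claims.merchantId !== order.merchantId) problems.push('merchantId mismatch');
  if (subtotal.cents !== order.cents) problems.push('subtotal.cents mismatch');
  if (subtotal.currency !== order.currency) problems.push('subtotal.currency mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) problems.push('token expired');
  return problems;
}

// Build a constructed sample token (dummy signature) so the example runs offline.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({alg: 'HS256', typ: 'JWT'})}.${enc(claims)}.constructed-signature`;
}

// Constructed claims mirroring the sample response: 500 cents USD, 24-hour lifetime.
const sampleToken = makeSampleToken({
  merchantId: 'testtest',
  subtotal: {currency: 'USD', cents: 500},
  iat: 1742855678,
  exp: 1742942078,
});

// A token minted for 500 cents checked against an order for 300 cents.
console.log(checkTokenAgainstOrder(
  sampleToken, {merchantId: 'testtest', currency: 'USD', cents: 300}, 1742855700));
```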

🚧 You do not need to use jwtTokens when implementing checkout with our Checkout Link API—this API already securely tokenizes all checkout parameters.