Authentication Tokens

Overview

The tokens resource is how Blink users create authenticated requests to the Blink API.


Security

Authentication is a critical part of securing any API, ensuring that only authorized users and systems can access sensitive resources. In our system, authentication is managed through the use of tokens, which grant access to different resources. Blink tokens are temporary bearer tokens that allow you to make requests to the API on behalf of a merchant. Without authentication tokens, access to the API is restricted, preventing unauthorized users from interacting with payment systems. Additionally, Blink requests cannot be made directly from the browser, which ensures that keys and tokens are never entered through the browser.

API credentials

To begin interacting with the Blink API, you must first obtain an access_token. This token is required to authorize requests and interact with resources like payments, transactions, and more. Authentication involves sending your API credentials (api_key and secret_key) in a POST request to the Blink server, which returns an access token that can be used in subsequent API calls. Your credentials can be found in your Blink account.

Secure your keys!

The API key and secret key must be stored securely (for example, in env files or secure internal databases) and should never be accessible to the client.

Token features

Access token

When you send a tokens request with valid credentials, Blink will generate a unique, encrypted string that you will use as a bearer token in subsequent requests.

Expiry

The access_token is designed with a 30-minute expiration period as a security measure. This limited lifespan mitigates the risk of unauthorized access to sensitive information, ensuring that even if a bearer token is compromised, it can only be used for a short duration. This approach enhances the overall security by reducing the window of opportunity for potential misuse by malicious actors.  
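
As an added example (not Blink's own code), the following Python sketch keeps the credentials on the server, requests a token, and renews it shortly before the 30-minute expiry. The base URL, the environment variable names, the JSON request body, the Authorization header format and the 60-second refresh margin are assumptions.

```python
import json
import os
import time
import urllib.request

# Assumption: placeholder base URL; use the one given in your Blink account.
BLINK_BASE_URL = "https://blink.example.invalid/api"
TOKEN_LIFETIME_S = 30 * 60   # access_token lifetime stated on this page
REFRESH_MARGIN_S = 60        # assumption: renew one minute early


def post_json(url, payload):
    """POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class BlinkTokenCache:
    """Holds one bearer token in server memory and renews it before expiry."""

    def __init__(self, environ=os.environ, post=post_json, clock=time.monotonic):
        self._environ, self._post, self._clock = environ, post, clock
        self._token, self._renew_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._renew_at:
            self._refresh()
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.get()}"}

    def _refresh(self):
        # Credentials come from the server environment, never from client input.
        creds = {"api_key": self._environ["BLINK_API_KEY"],
                 "secret_key": self._environ["BLINK_SECRET_KEY"]}
        requested_at = self._clock()
        body = self._post(f"{BLINK_BASE_URL}/tokens", creds)
        token = body.get("access_token")
        if not token:
            # Keep keys and response bodies out of error messages and logs.
            raise RuntimeError("Blink token request returned no access_token")
        self._token = token
        self._renew_at = requested_at + TOKEN_LIFETIME_S - REFRESH_MARGIN_S
```

The expiry is measured from the moment the request is sent, so the cached token is always dropped before Blink stops accepting it.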

Payment types

The token creation will show you what payment types are available on your account. They can be one of three:

  • Credit card (including Apple Pay and Google Pay)

  • Open banking

  • Direct debit

Currencies

The token creation will show you which currencies are enabled on the account. To enable more currencies, please reach out to our support team.

Additional options

Blink receipts

When creating a token, you can choose to enable or disable Blink Receipts. Enabling them means that when a transaction is completed through the API, both the customer and the merchant will receive a receipt confirming the transaction. The receipt can be customised to contain your company logo. If you are integrating into a system that already has receipt generators, or are handling receipts yourself, you can disable them so that none are sent from Blink.

Address and Postcode

Enabling the address and postcode will add address and postcode inputs to your card elements so that users can enter the billing address associated with the card. Paying with the correct billing details increases the chance of a transaction passing AVS security checks and reduces the chance of chargebacks.

Enabling MOTO Payments

If you wish to take transactions via MOTO (Mail Order/Telephone Order), you can enable MOTO at token creation. This means that when you create an intent, you will receive a card element that is set up for MOTO payments, without needing any of the 3DS parameters (only required for ECOM).

Tracking options

When creating a token, you can enter fields for the application, site name and description. You can use these to track the website IP address, application version, language version, etc.
The information can be seen in the Blink portal under API Transactions.


Endpoints Overview

POST tokens: This endpoint allows the creation of a new authentication bearer token; required fields are api_key and secret_key.