Client Authorization

Tokenization Keysanchor

Tokenization key sequence diagram

A tokenization key authorizes clients to tokenize payment information.

Unlike a client token, a tokenization key is both static and reduced privilege. It can be shipped with your apps without generating a new key for each session. To ensure your tokenization key functions seamlessly, you may need to acquire the Account Admin role permission if you encounter an insufficient privileges error message.

The following payment methods can be tokenized using a tokenization key: credit cards, PayPal, Venmo, Apple Pay, and Google Pay.


A single tokenization key may be reused indefinitely across many client apps.

You may have multiple active tokenization keys. For example, you may wish to use a unique key per platform. Each tokenization key can be given a label to track its intended purpose.

If you decide you no longer want a specific tokenization key to be used, it can be revoked. Doing so will deauthorize any clients using that key.

Reduced privilegeanchor

Tokenization keys authorize only a subset of PayPal Braintree's client API capabilities. The SDK should function as with a client token, with some limitations:

  • When using a tokenization key, clients may only tokenize payment information.
  • You may not specify a customer ID, set a specific merchant account ID, or otherwise provide any configuration.
  • Payment methods can't be saved directly from the client to a customer in the Vault using a tokenization key. To save the payment method, you'll need to pass the resulting payment method nonce to your server. Otherwise, generate a client token with a customer ID.
  • Drop-in will not be able to retrieve a customer's saved payment methods. Repeat purchases will show the add payment method UI.
  • You can't use a tokenization key to create a 3D Secure transaction.

Obtaining a tokenization keyanchor

To obtain a tokenization key, follow these steps:

  1. Log into either the production Control Panel or the sandbox Control Panel, depending on which environment you are working in
  2. Select the gear icon in the top right corner
  3. Select API from the drop-down menu
  4. Scroll to the Tokenization Keys section

If no key appears, select the Generate New Tokenization Key button.

Adding a tokenization key to your appanchor

Because of their reduced authorization, tokenization keys are publishable, meaning safe to include in your app. They are not sensitive information and can be exposed in an insecure client.


Tokenization keys specify a single environment they will use. The environment is the first part of a tokenization key:

  • Sandbox: sandbox_tokenization_key
  • Production: production_tokenization_key

Take precautions to avoid shipping a live app with a sandbox tokenization key. Conversely, be mindful that a production tokenization key will always communicate with PayPal Braintree's live environment regardless of any environment variables or debug modes that may be set.

Initializing the SDKanchor

Tokenization keys can be used with any version of the Android and iOS SDKs and JavaScript SDK v2.17 or higher.

Initialize the SDK with your tokenization key before you want to display the payment UI. The SDK will fetch configuration information from PayPal Braintree.

  1. Callback
  2. Promise
// For Drop-in...
  authorization: tokenizationKey
}, function (err, dropinInstance) {
  // ...

// For custom...
  authorization: tokenizationKey
}, function (err, clientInstance) {
  // ...