Authorization

SDK

Last updated: Apr 24th, 12:47pm

An overview of the clientToken

Understanding Authorization with clientToken

To initialize the SDK securely, a clientToken must be generated server-side and passed to your front-end. This token ensures that all API requests made by the SDK on your behalf are authenticated and protected.

The SDK clientToken is a publicly available universal access token (UAT) to use for the buyer's SDK session. This token is browser safe and is a short-lived token with a TTL of 15 minutes. There is no refresh token, after it expires you must make a new token.

Security Model

We’ve designed the clientToken to prioritize security by leveraging the following safeguards:

Domain Binding: The token is bound to your domain to prevent unauthorized usage elsewhere, minimizing the risk of impersonation attacks.

Cryptographic Security: The payload is cryptographically secured with a digital signature to ensure its integrity.

Create a route handler to return a clientToken to your frontend

This example assumes you're using Node.js with Express. In the future we'll add support for more backend languages.

This route will serve as an endpoint for retrieving a browser-safe clientToken from PayPal.

In upcoming steps, a helper function (e.g. getBrowserSafeClientToken()) will be implemented and invoked here to:

Authenticate with PayPal using secure server-side credentials.

Generate a client token appropriate for frontend usage.

Return the token to the browser without exposing sensitive keys.

This endpoint will eventually be consumed by the frontend to initialize PayPal SDK components such as different payment buttons.

1app.get(
2  "/paypal-api/auth/browser-safe-client-token",
3  async (_req: Request, res: Response) => {
4    // Right now, this block does nothing
5    // In the next step we'll create a helper function to generate our clientToken
6    // And finally we'll call it in this block, and return to the client
7  },
8);

Create a helper function to generate a clientToken

This function securely retrieves a browser-safe `clientToken` from PayPal's OAuth service using your PayPal sandbox credentials.

It performs the following steps:

Encodes your PAYPAL_SANDBOX_CLIENT_ID and PAYPAL_SANDBOX_CLIENT_SECRET into a Base64-encoded string for Basic Auth.

Sends a request to PayPal’s requestToken method (from the Server SDK) to obtain a client token, using the response_type of "client_token".

Returns the parsed JSON response and the HTTP status code.

Handles errors gracefully by checking if the error is a PayPal ApiError, and returns the appropriate response object.

This token can then be safely passed to client-side code to initialize PayPal v6 Web SDKs (e.g. for rendering button), without exposing sensitive credentials in the browser.

1export async function getBrowserSafeClientToken() {
2  try {
3    // Your PAYPAL_SANDBOX_CLIENT_ID & PAYPAL_SANDBOX_CLIENT_SECRET
4    // are env variables that you can get from your developer dashboard.
5    const auth = Buffer.from(
6      `${PAYPAL_SANDBOX_CLIENT_ID}:${PAYPAL_SANDBOX_CLIENT_SECRET}`,
7    ).toString("base64");
8
9    // oAuthAuthorizationController is imported from the PayPal Server SDK
10    // You can find more info here: https://developer.paypal.com/serversdk/typescript/getting-started/how-to-get-started
11    const { body, statusCode } =
12      await oAuthAuthorizationController.requestToken(
13        {
14          authorization: `Basic ${auth}`,
15        },
16        { response_type: "client_token" },
17      );
18
19    return {
20      jsonResponse: JSON.parse(String(body)),
21      httpStatusCode: statusCode,
22    };
23  } catch (error) {
24    if (error instanceof ApiError) {
25      const { statusCode, body } = error;
26      return {
27        jsonResponse: JSON.parse(String(body)),
28        httpStatusCode: statusCode,
29      };
30    } else {
31      throw error;
32    }
33  }
34}

This route handler generates and returns a browser-safe PayPal client token to the frontend.

How It Works:

It calls the getBrowserSafeClientToken() helper to securely request a client token from PayPal's OAuth API using server-side credentials.

On success, it sends the parsed JSON response and status code back to the client.

If the token request fails, it logs the error server-side and responds with a 500 Internal Server Error and a generic error message.

This endpoint is intended for use by client-side PayPal SDKs, allowing them to initialize payment flows without exposing sensitive credentials.

1app.get(
2  "/paypal-api/auth/browser-safe-client-token",
3  async (_req: Request, res: Response) => {
4    try {
5      const { jsonResponse, httpStatusCode } =
6        await getBrowserSafeClientToken();  // <--- The helper you created above
7      res.status(httpStatusCode).json(jsonResponse);
8    } catch (error) {
9      console.error("Failed to create browser safe access token:", error);
10      res
11        .status(500)
12        .json({ error: "Failed to create browser safe access token." });
13    }
14  },
15);

Taking things further

The clientToken helps keep your SDK instance safe and secure. But its just the first step into your integration with PayPal SDKs. Now that you know how to generate your clientToken, you can proceed with completing your integration.

If you'd like to jump straight to the code and see a full E2E example, see our example repo here.