Client-side Vaulting

3 min read

Footprint's unified onboarding and vaulting platform makes it simple to vault sensitive user data directly from client-side contexts like a mobile app or a web app.

Prequisites

Please read our Server-side API Authentication guide.

Step 1: Use an existing vault or create a new one (server-side)

For each user in your system you should create a single Footprint user vault (server side). If your user doesn't have an fp_id yet, create a new user using the POST /users API.

Example request

bash
curl https://api.onefootprint.com/users \
    -X POST \
    -u sk_test_CXUsbCR8j2kH6e5GeEl8eSBnQTIPCUaKpv:

Example response

json
{
  "id": "fp_id_K0q6Eh6Rr3WOOfFBLPiHsr"
}

If you're migrating other sensitive data, read our guide here Make sure to store the fp_id on your user record to access and vault data.

Step 2: Create a client token (server-side)

In order to vault data directly from client code, you need to generate a short-lived client token.

Footprint's vault supports several types of structured data like identity data, card-holder data, and custom data for arbitrary key-value records. For structured data Footprint can validate that data is in the right format to ensure that you can reliably use this data in various applications and reporting/compliance needs. For unstructured data, you can store any other sensitive user data that may not fit the mold.

Learn more about how to namespace and vault identity, card, and custom data. Note that card objects can be named, i.e. card.primary or card.secondary. This lets you store arbitrarily many cards in a user vault and control the naming scheme for each card.

Example request

bash
curl https://api.onefootprint.com/users/fp_id_K0q6Eh6Rr3WOOfFBLPiHsr/client_token \
    -X POST \
    -u sk_test_CXUsbCR8j2kH6e5GeEl8eSBnQTIPCUaKpv: \
    -d '{
          "fields": [
            "card.primary.number",
            "card.primary.cvc",
            "card.primary.expiration",
            "card.primary.name"
          ],
          "scopes": [
            "vault"
          ],
          "ttl": 180
      }'

Be sure to specify the exact list of fields that you plan to vault.

Example response

json
{
  "expires_at": "2023-05-24T14:15:22Z",
  "token": "tok_vJK5Ze2N5fQ1GtE5V770BH8CZtQwXHF1hxowB9Nowh0"
}

Now that you have this client token, you can transmit it to your client code and use it to vault data directly from the client.

Step 3: Use the client token store data in the vault (client-side)

From your client-side app, vault the data directly to footprint:

Example request

bash
curl https://api.onefootprint.com/users/vault \
    -X PATCH \
    -H 'x-fp-authorization: tok_vJK5Ze2N5fQ1GtE5V770BH8CZtQwXHF1hxowB9Nowh0' \
    -d '{
            "card.primary.number": "4242424242424242",
            "card.primary.cvc": "424",
            "card.primary.expiration": "10/25",
            "card.primary.name": "Whitfield Diffie"
      }'

You will only have permissions to vault the exact fields specifically requested in Step 2.

Example response

A successful response will return status 200 and an empty object.