In several previous articles we have described the embedded finance model and some of the key embedded payments features. In this article we would like to address the importance of support for web tokens within embedded payment solutions.
Nowadays, platforms become more and more dependent on each other. APIs are used more and more often. This trend is especially relevant for payment industry. At the same time, “purely” API-based solutions are not always sufficient.
Indeed, platforms integrate with gateways mostly through APIs. However, many of the features and functions are related to user interface. These features do not always require separate integration. The integrator only needs an opportunity to provide merchants with seamless access to existing user interface of the gateway.
This, in turn, requires an ability to authenticate the user within the gateway. One of the ways to achieve that is by using web tokens.
Let us consider an example.
Example: Why We Need Web Tokens
A shopping cart provider services multiple e-commerce web-sites. A cardholder places an order in one of the online stores that uses this shopping cart software. He needs to pay for ordered products or services. The shopping cart sends the payment to the gateway for processing using either the API or a payment page. For this purpose, the shopping cart provider uses a standard integration with the gateway. This integration involves a single account for the shopping cart within the gateway’s system.
As we can see, the integration between the shopping cart and the gateway meets consumers’ needs. At the same time, the shopping cart also has to meet the needs of its customers. (By customers we denote merchants, that own e-commerce websites and use the shopping cart service for sales).
Beside common operations, such as sales, the shopping cart provider might want to allow its customers to lookup processed transactions. Merchants might also need to perform refund operations and generate reports. The shopping cart might implement some part of these functions within its system. However, sometimes the shopping cart software owner might be reluctant to create special separate pages and logic for that. In such cases, a smarter solution would be to use the ready-made logic and interface, already available within the gateway.
External access to gateway’s user interface forms is, usually, restricted. In order for respective forms to work properly, it is necessary to authenticate each employee of a merchant that sells using the shopping cart under their respective user records within the gateway. Authenticating that many physical users within a gateway system presents a challenge. A traditional stateless API (that does not support session management) would not help. As we’ve mentioned, a traditional integration through an API involves just a single account for the shopping cart provider within the gateway.
So, the shopping cart needs a mechanism allowing to authenticate different merchants’ users right within the gateway’s interface. All these people have different roles and access rights. Web token technology provides the basis for this authentication mechanism.
So, what is a Web Token?
In general, a JSON Web Token (JWT) is an Internet standard for creating data whose payload (meaningful part) holds JSON that asserts one or several claims. Digital signature and encryption of the data are, in the general case, optional.
One party (usually, the server, or the gateway) signs the token with a private key, so that the other party is able to check the token’s legitimacy. Web tokens are commonly used to pass identity of authorized users between an identity holder and a service provider. They also allow users to pass various claims, required by respective business processes. JSON web token approach relies on common JSON-based standards, such as JSON Web Encryption and JSON Web Signature.
In essence, a web token is a special protocol. Through this protocol and key exchange, “trusted” connection is established. Like we said, one of the keys is private, the other is public. Encrypted information sent by the platform might, for example, include the username of the customer to be authorized.
Smooth Gateway Access for Merchants
The trusted connection channel between the integrator and the payment platform will allow the platform to transmit enough information to either create or/and authenticate necessary user accounts for each merchant of the shopping cart system. This way, the employees of the merchants will be able to seamlessly work with the gateway’s user interface. That is, they won’t have to explicitly setup new accounts and enter login details separate from the credentials they already use to access the shopping cart software.
Web Tokens: Summary
As we can see, a web token allows you to authenticate the user, registered within one system (such as a software platform), in another system (such as a payment gateway). Such a function can be used for API authentication, but, primarily, to authenticate users that interact with the gateway’s user interface.
For integrations, when a software platform needs to invoke a certain functionality within the gateway, standard authentication mechanism, based on single username and password, would not work. However, if you want users, registered in one system (software platform), to use the interface of another system (gateway), then you need a mechanism allowing to authenticate these users across the systems.
Web token-based authentication provides an extremely important embedded finance component. They provide a smooth interaction and cross-platform authorization mechanism. So, if you decide to implement embedded payment solution within your business model, make sure that it supports web tokens. Moreover, it makes sense to study your payment gateway’s user and merchant authorization logic. Under the best-case scenario, user authorization within the payment system will require minimum efforts from you. Contact our payment experts at UniPay Gateway to learn more about how you can benefit from web token-based authentication as part of your integration process.