Generate a client access token

post

https://api.cert.zerohash.com/client_auth_token

Generates a temporary JWT access token used to initialize zerohash SDK modules on behalf of one of your end users. The platform authenticates to this endpoint with its own HMAC credentials; the returned JWT is then handed to the end-user client. Either participant_code or email must be provided to identify the end user the token is issued for.

Recent Requests

Time	Status	User Agent
Retrieving recent requests…

Loading…

Body Params

Client auth token parameters. Select the schema variant that matches the SDK experience being requested; each variant lists the fields that variant accepts.

Schema containing ALL optional fields and ALL permission types.

participant_code

string

length between 6 and 6

The participant_code for whom the SDK token is created. Either participant_code or email must be provided.

string

The email address of the user the SDK token is created for. Used for pre-onboarding flows. Either participant_code or email must be provided.

phone_number

string

Phone number of the user the SDK token is created for. Used for pre-onboarding flows.

otp_verified

string

enum

Indicates which channel the end user verified via OTP before this token was requested.

Allowed:

reference_id

string

length ≤ 50

Optional platform-defined ID to link downstream events

merchant_participant_code

string

length between 1 and 50

Optional merchant participant code associated with the transaction. When omitted, the platform itself is treated as the merchant.

permissions

array of strings

required

One or more SDK experiences requested for this token. The following permissions are supported.

permissions*

withdrawal_details

object

Details for crypto withdrawals and payouts.

deposit_details

object

Account deposit details.

payment_details

object

Details for crypto payments.

client_device_info

object

Metadata about the client environment where the SDK is initialized.

custom_fees_and_spreads

object

Custom fees and spreads for crypto buy/sell.

Headers

X-SCX-SIGNED

string

required

HMAC-SHA256 signature of the request, base64-encoded. See the Authentication guide for the exact signing formula.

X-SCX-TIMESTAMP

string

required

Current Unix timestamp in seconds. Must be within 60 seconds of server time or the request is rejected.

Responses

201Client access token successfully generated.

400Bad Request

404Not Found

409Shopper KYC requirements are not met for this transaction.

422The transaction could not be authorized. The {"error": ...} body is either "Participant is not authorized to transact" (the participant/merchant relationship or state precludes authorization) or "Transaction not authorized" (the authorizer returned an unrecognized status).

500Internal Server Error

503Service Unavailable