Authentication
Token lifecycle management and security best practices
The Plug & Pay SDK uses JWT tokens for authentication. This guide explains how tokens work and best practices for managing them in your application.
How Authentication Works
- Your mobile app requests a token from your backend
- Your backend calls the Create Token API with your API credentials
- Oobit returns a JWT token
- Your backend forwards the token to your mobile app
- Your app initializes the WidgetSDK with the token
Important: Token generation must happen on your server to keep your API credentials secure. Never expose your API key in client-side code.
Token Expiration
Tokens expire 60 minutes after creation, regardless of user activity. When the token expires, the widget shows a 'Session Expired' modal with a button to return to the app.
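One way for the app to track when a token is due to expire and request a fresh one from your backend in time. This is an added example, not Oobit SDK code. Assumptions: `fetchToken` is a hypothetical function that calls your own backend, the token may carry a standard `exp` claim (the 60-minute lifetime is the fallback), and the 5-minute refresh margin is arbitrary.

```javascript
// Added example, not Oobit SDK code. Runs under Node.js (uses Buffer).
const TOKEN_LIFETIME_MS = 60 * 60 * 1000; // page: tokens expire 60 minutes after creation
const REFRESH_MARGIN_MS = 5 * 60 * 1000;  // assumption: fetch a new token 5 minutes early

// Decode the JWT payload WITHOUT verifying the signature. The result is used
// only to schedule a refresh, never to make a trust decision.
function readJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Expiry in epoch ms: the `exp` claim if the token carries one (assumption),
// otherwise the time the token was received plus the documented 60 minutes.
function expiryMs(token, receivedAtMs) {
  const payload = readJwtPayload(token);
  if (payload && Number.isFinite(payload.exp)) return payload.exp * 1000;
  return receivedAtMs + TOKEN_LIFETIME_MS;
}

function needsRefresh(token, receivedAtMs, nowMs) {
  return nowMs >= expiryMs(token, receivedAtMs) - REFRESH_MARGIN_MS;
}

// Caches one token. fetchToken is hypothetical: it calls YOUR backend, which
// holds the API credentials; the app never sees them.
class TokenStore {
  constructor(fetchToken, now = Date.now) {
    this.fetchToken = fetchToken; this.now = now;
    this.token = null; this.receivedAt = 0; this.pending = null;
  }
  async get() {
    if (this.token && !needsRefresh(this.token, this.receivedAt, this.now())) return this.token;
    if (!this.pending) { // share one in-flight request between concurrent callers
      this.pending = this.fetchToken()
        .then((t) => { this.token = t; this.receivedAt = this.now(); return t; })
        .finally(() => { this.pending = null; });
    }
    return this.pending;
  }
}

// Constructed sample token (dummy signature), for demonstration only.
function makeSampleToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}.c2ln`;
}
```

In a mobile runtime without `Buffer`, replace the decode line with that runtime's base64url decoder.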
See Also
- Create Token API - API reference for token generation
