Skip to main content

Card Consent Tokens

Card consent tokens are provisioned by Stitch to facilitate recurring payments. A token represents a card that a user has saved on your platform.

Card details need to be captured from a user to create a card consent token. Various methods exist at Stitch to be able to capture this data:

  • The Stitch-Hosted UI is a simple way to securely capture card details without requiring your business to be PCI-DSS compliant.

  • The Secure Fields SDK integration allows you to build and customize your own UI, using secure elements provided by Stitch. This approach does not require PCI-DSS compliance, and provides encrypted card inputs to be able to tokenize.

  • The Secure API allows you to securely specify card details in the clear to Stitch, should your business be able to process card details as a PCI-DSS compliant entity.

Following a consent request being completed with any of these methods, a webhook is dispatched to indicate consent being granted by the user. This means you are able to proceed with initiating payments with the consent token.

An initial charge on the user's card can be optionally initiated during card consent token creation. In this case, an additional transaction status will be returned along with the consent status, to indicate that the authorization transaction has been successfully completed.

Saved cards that a user elects to delete should be unlinked and deactivated at Stitch (such that no further payments can be initiated with the token). Stitch exposes an API to revoke the token and deactivate its charge function.