> ## Documentation Index > Fetch the complete documentation index at: https://developers.dwolla.com/llms.txt > Use this file to discover all available pages before exploring further. # Create a client token > Create a client token for secure authentication within Dwolla Drop-in components. Requires a granular permission action and a Customer link to define what operations the end user can perform within the component. Returns a short-lived token for configuring client-side Drop-in components including customer creation, verification, funding source management, and payment processing. Essential for implementing secure, embeddable UI components without exposing application credentials to the frontend. ## OpenAPI ````yaml post /client-tokens openapi: 3.1.0 info: title: Dwolla API description: Dwolla API Documentation contact: name: Dwolla Developer Relations Team url: https://developers.dwolla.com email: api@dwolla.com version: '2.0' termsOfService: https://www.dwolla.com/legal/tos/ license: name: MIT url: https://github.com/Dwolla/dwolla-openapi/blob/master/LICENSE servers: - url: https://api.dwolla.com description: Production server - url: https://api-sandbox.dwolla.com description: Sandbox server security: - clientCredentials: [] tags: - name: tokens description: Operations related to Application Access Tokens - name: root description: Root API operations - name: accounts description: Operations related to Accounts - name: customers description: Operations related to Customers - name: kba description: Operations related to Knowledge-Based Authentication - name: beneficial owners description: Operations related to Beneficial Owners - name: documents description: Operations related to Documents - name: exchanges description: Operations related to Exchanges - name: exchange sessions description: Operations related to Exchange Sessions - name: funding sources description: Operations related to Funding Sources - name: transfers description: Operations related to Transfers - name: labels description: Operations related to Labels - name: mass payments description: Operations related to Mass Payments - name: events description: Operations related to Events - name: webhook subscriptions description: Operations related to Webhook Subscriptions - name: webhooks description: Operations related to Webhooks - name: client tokens description: Operations related to Client Tokens - name: sandbox simulations description: Sandbox-only operations for simulating processing of bank transfers paths: /client-tokens: post: tags: - client tokens summary: Create a client token description: >- Create a client token for secure authentication within Dwolla Drop-in components. Requires a granular permission action and a Customer link to define what operations the end user can perform within the component. Returns a short-lived token for configuring client-side Drop-in components including customer creation, verification, funding source management, and payment processing. Essential for implementing secure, embeddable UI components without exposing application credentials to the frontend. operationId: createClientToken parameters: - $ref: '#/components/parameters/Accept' requestBody: required: true content: application/json: schema: type: object required: - action - _links properties: action: type: string description: >- A granular permission for the Customer performing an action within a drop-in component example: customer.update _links: type: object required: - customer properties: customer: type: object required: - href properties: href: type: string format: uri description: Link to the Customer performing the action example: >- https://api-sandbox.dwolla.com/customers/707177c3-bf15-4e7e-b37c-55c3898d9bf4 responses: '200': description: Client token created successfully content: application/vnd.dwolla.v1.hal+json: schema: type: object required: - token properties: token: type: string description: The client token that can be used with drop-in components example: 4adF858jPeQ9RnojMHdqSD2KwsvmhO7Ti7cI5woOiBGCpH5krY '400': description: Bad Request content: application/vnd.dwolla.v1.hal+json: schema: $ref: '#/components/schemas/BadRequestError' '403': description: Forbidden content: application/vnd.dwolla.v1.hal+json: schema: $ref: '#/components/schemas/ForbiddenError' x-codeSamples: - lang: bash source: | POST https://api-sandbox.dwolla.com/client-tokens Accept: application/vnd.dwolla.v1.hal+json Content-Type: application/json Authorization: Bearer {{token}} { "action": "customer.update", "_links": { "customer": { "href": "https://api-sandbox.dwolla.com/customers/{{customerId}}" } } } - lang: javascript source: > // Using dwolla-v2 - https://github.com/Dwolla/dwolla-v2-node var requestBody = { _links: { customer: { href: "https://api-sandbox.dwolla.com/customers/707177c3-bf15-4e7e-b37c-55c3898d9bf4", }, }, action: "customer.update", }; dwolla.post("/client-tokens", requestBody).then((res) => res.body.token); // => '4adF858jPeQ9RnojMHdqSD2KwsvmhO7Ti7cI5woOiBGCpH5krY' - lang: python source: > # Using dwollav2 - https://github.com/Dwolla/dwolla-v2-python request_body = { '_links': { 'customer': { 'href': 'https://api-sandbox.dwolla.com/customers/707177c3-bf15-4e7e-b37c-55c3898d9bf4' } }, 'action': 'customer.update' } client_token = app_token.post('client-tokens', request_body) client_token.body['token'] # => '4adF858jPeQ9RnojMHdqSD2KwsvmhO7Ti7cI5woOiBGCpH5krY' - lang: php source: > array ( 'customer' => array ( 'href' => 'https://api-sandbox.dwolla.com/customers/8779a1f7-7a98-4a86-921e-83539f6c895e', ), ), 'action' => 'customer.update' ); $clientTokensApi = new DwollaSwagger\TokensApi($apiClient); $clientToken = $clientTokensApi->clientTokens($request_body); ?> - lang: ruby source: > # Using dwolla_v2 - https://github.com/Dwolla/dwolla-v2-ruby request_body = { :_links => { :customer => { :href => "https://api-sandbox.dwolla.com/customers/707177c3-bf15-4e7e-b37c-55c3898d9bf4" } }, :action => "customer.update" } client_token = app_token.post "client-tokens", request_body client_token.token # => "4adF858jPeQ9RnojMHdqSD2KwsvmhO7Ti7cI5woOiBGCpH5krY" components: parameters: Accept: name: Accept in: header required: true description: >- The media type of the response. Must be application/vnd.dwolla.v1.hal+json schema: type: string enum: - application/vnd.dwolla.v1.hal+json default: application/vnd.dwolla.v1.hal+json schemas: BadRequestError: title: BadRequestError description: Error response schema for 400 Bad Request type: object required: - code - message properties: code: type: string example: BadRequest message: type: string example: The request body contains bad syntax or is incomplete. ForbiddenError: title: ForbiddenError description: Error response schema for 403 Forbidden type: object required: - code - message properties: code: type: string example: Forbidden message: type: string example: The supplied credentials are not authorized for this resource. securitySchemes: clientCredentials: type: oauth2 flows: clientCredentials: tokenUrl: /token x-speakeasy-token-endpoint-authentication: client_secret_basic scopes: {} ````