> ## Documentation Index > Fetch the complete documentation index at: https://docs.baanx.com/llms.txt > Use this file to discover all available pages before exploring further. # Secure PIN Operations > Token-based PIN management with PCI-compliant image delivery ## Overview PIN operations use a secure token-based flow that keeps sensitive data completely isolated from your application. Card details and PIN viewing are delivered as secure images, while PIN setting uses hosted pages. You never handle or store sensitive PIN data. Never attempt to handle, store, or transmit PIN data directly in your application. Always use the token-based flow. ## Security Architecture ### Token-Based Flow Sensitive operations follow a simple pattern: Request a single-use, time-limited token from the API For viewing: Display secure image. For setting: Use PCI-compliant hosted page Token is invalidated after use or timeout (\~10 minutes) ```mermaid theme={null} sequenceDiagram participant App as Your Application participant API as Baanx API participant Image as Secure Image participant User as User App->>API: POST /v1/card/details/token API-->>App: {token, imageUrl} App->>Image: Display image Image->>User: Show card details securely Note over API: Token invalidated after access ``` ### Benefits No sensitive data touches your infrastructure Reduces security audit scope Session management and expiration Industry-standard secure pages ## Viewing Card Details Display full card information (PAN, CVV, expiry) as a secure image. The card details are never transmitted to or stored by your application. ### Step 1: Generate Details Token ```javascript JavaScript/Node.js theme={null} const response = await fetch('https://dev.api.baanx.com/v1/card/details/token', { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-Client-ID': 'your_client_id', 'Authorization': `Bearer ${userAccessToken}` }, body: JSON.stringify({ customCss: { cardBackgroundColor: '#000000', cardTextColor: '#FFFFFF', panBackgroundColor: '#EFEFEF', panTextColor: '#000000' } }) }); const { token, imageUrl } = await response.json(); ``` ```python Python theme={null} import requests response = requests.post( 'https://dev.api.baanx.com/v1/card/details/token', headers={ 'Content-Type': 'application/json', 'X-Client-ID': 'your_client_id', 'Authorization': f'Bearer {user_access_token}' }, json={ 'customCss': { 'cardBackgroundColor': '#000000', 'cardTextColor': '#FFFFFF', 'panBackgroundColor': '#EFEFEF', 'panTextColor': '#000000' } } ) data = response.json() token = data['token'] image_url = data['imageUrl'] ``` ```bash cURL theme={null} curl -X POST https://dev.api.baanx.com/v1/card/details/token \ -H "Content-Type: application/json" \ -H "X-Client-ID: your_client_id" \ -H "Authorization: Bearer YOUR_USER_ACCESS_TOKEN" \ -d '{ "customCss": { "cardBackgroundColor": "#000000", "cardTextColor": "#FFFFFF", "panBackgroundColor": "#EFEFEF", "panTextColor": "#000000" } }' ``` ### Request Parameters Optional styling to match your brand. If omitted, default styling is applied. Card background color (hex format) Text color on card background (hex format). Must contrast with cardBackgroundColor. PAN number background color (hex format) PAN number text color (hex format). Must contrast with panBackgroundColor. ### Response ```json theme={null} { "token": "100a99cf-f4d3-4fa1-9be9-2e9828b20ebb", "imageUrl": "https://cards.baanx.com/details-image?token=100a99cf-f4d3-4fa1-9be9-2e9828b20ebb" } ``` Single-use token valid for \~10 minutes URL that renders card details as a secure image. Use as `src` attribute of an `` tag. **Security**: Treat `imageUrl` as highly sensitive. Never log or store it. Use HTTPS only and display in secure contexts. ### Step 2: Display Card Image ```javascript theme={null} function showCardDetails(imageUrl) { const img = document.createElement('img'); img.src = imageUrl; img.alt = 'Card Details'; img.style.cssText = ` max-width: 100%; border-radius: 12px; box-shadow: 0 4px 6px rgba(0,0,0,0.1); `; document.getElementById('card-details-container').appendChild(img); } ``` ### Complete React Implementation ```javascript React Component theme={null} import { useState } from 'react'; export function CardDetailsViewer({ clientId, accessToken }) { const [loading, setLoading] = useState(false); const [error, setError] = useState(null); const [imageUrl, setImageUrl] = useState(null); async function viewCardDetails() { setLoading(true); setError(null); try { const response = await fetch('https://dev.api.baanx.com/v1/card/details/token', { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-Client-ID': clientId, 'Authorization': `Bearer ${accessToken}` }, body: JSON.stringify({ customCss: { cardBackgroundColor: '#000000', cardTextColor: '#FFFFFF', panBackgroundColor: '#EFEFEF', panTextColor: '#000000' } }) }); if (!response.ok) { throw new Error('Failed to generate details token'); } const data = await response.json(); setImageUrl(data.imageUrl); } catch (err) { setError(err.message); } finally { setLoading(false); } } function hideCardDetails() { setImageUrl(null); } if (imageUrl) { return (
Card Details
); } return (
{error && (
{error}
)}
); } ``` ## Viewing PIN Display the card PIN as a secure image. The PIN is never transmitted to or stored by your application. ### Step 1: Generate PIN Token ```javascript JavaScript/Node.js theme={null} const response = await fetch('https://dev.api.baanx.com/v1/card/pin/token', { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-Client-ID': 'your_client_id', 'Authorization': `Bearer ${userAccessToken}` }, body: JSON.stringify({ customCss: { backgroundColor: '#EFEFEF', textColor: '#000000' } }) }); const { token, imageUrl } = await response.json(); ``` ```python Python theme={null} import requests response = requests.post( 'https://dev.api.baanx.com/v1/card/pin/token', headers={ 'Content-Type': 'application/json', 'X-Client-ID': 'your_client_id', 'Authorization': f'Bearer {user_access_token}' }, json={ 'customCss': { 'backgroundColor': '#EFEFEF', 'textColor': '#000000' } } ) data = response.json() token = data['token'] image_url = data['imageUrl'] ``` ```bash cURL theme={null} curl -X POST https://dev.api.baanx.com/v1/card/pin/token \ -H "Content-Type: application/json" \ -H "X-Client-ID: your_client_id" \ -H "Authorization: Bearer YOUR_USER_ACCESS_TOKEN" \ -d '{ "customCss": { "backgroundColor": "#EFEFEF", "textColor": "#000000" } }' ``` ### Request Parameters Optional styling to match your brand. If omitted, default styling is applied. Background color of the PIN image (hex format) Text color for the PIN digits (hex format). Must contrast with backgroundColor. ### Response ```json theme={null} { "token": "100a99cf-f4d3-4fa1-9be9-2e9828b20ebb", "imageUrl": "https://cards.baanx.com/details-image?token=100a99cf-f4d3-4fa1-9be9-2e9828b20ebb" } ``` Single-use token valid for \~10 minutes URL that renders PIN as a secure image. Use as `src` attribute of an `` tag. **Security**: Treat `imageUrl` as highly sensitive. Never log or store it. Display only in authenticated, secure contexts. ### Step 2: Display PIN Image ```javascript theme={null} function showPIN(imageUrl) { const img = document.createElement('img'); img.src = imageUrl; img.alt = 'Card PIN'; img.style.cssText = ` max-width: 100%; border-radius: 8px; `; document.getElementById('pin-container').appendChild(img); } ``` ### Complete React Implementation ```javascript React Component theme={null} import { useState } from 'react'; export function PINViewer({ clientId, accessToken }) { const [loading, setLoading] = useState(false); const [error, setError] = useState(null); const [imageUrl, setImageUrl] = useState(null); async function viewPIN() { setLoading(true); setError(null); try { const response = await fetch('https://dev.api.baanx.com/v1/card/pin/token', { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-Client-ID': clientId, 'Authorization': `Bearer ${accessToken}` }, body: JSON.stringify({ customCss: { backgroundColor: '#EFEFEF', textColor: '#000000' } }) }); if (!response.ok) { throw new Error('Failed to generate PIN token'); } const data = await response.json(); setImageUrl(data.imageUrl); } catch (err) { setError(err.message); } finally { setLoading(false); } } function hidePIN() { setImageUrl(null); } if (imageUrl) { return (
Card PIN
); } return (
{error && (
{error}
)}
); } ``` ## Setting/Changing PIN Allow users to create or change their PIN through a secure hosted page. ### Step 1: Generate Set PIN Token ```javascript JavaScript/Node.js theme={null} const response = await fetch('https://dev.api.baanx.com/v1/card/set-pin/token', { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-Client-ID': 'your_client_id', 'Authorization': `Bearer ${userAccessToken}` }, body: JSON.stringify({ isEmbedded: true, customCss: { backgroundColor: '#EFEFEF', textColor: '#000000', backgroundColorPrimary: '#000000', textColorPrimary: '#FFFFFF', buttonBorderRadius: 8, pinBorderRadius: 4 } }) }); const { token, hostedPageUrl } = await response.json(); ``` ```python Python theme={null} import requests response = requests.post( 'https://dev.api.baanx.com/v1/card/set-pin/token', headers={ 'Content-Type': 'application/json', 'X-Client-ID': 'your_client_id', 'Authorization': f'Bearer {user_access_token}' }, json={ 'isEmbedded': True, 'customCss': { 'backgroundColor': '#EFEFEF', 'textColor': '#000000', 'backgroundColorPrimary': '#000000', 'textColorPrimary': '#FFFFFF', 'buttonBorderRadius': 8, 'pinBorderRadius': 4 } } ) data = response.json() token = data['token'] hosted_page_url = data['hostedPageUrl'] ``` ```bash cURL theme={null} curl -X POST https://dev.api.baanx.com/v1/card/set-pin/token \ -H "Content-Type: application/json" \ -H "X-Client-ID: your_client_id" \ -H "Authorization: Bearer YOUR_USER_ACCESS_TOKEN" \ -d '{ "isEmbedded": true, "customCss": { "backgroundColor": "#EFEFEF", "textColor": "#000000", "backgroundColorPrimary": "#000000", "textColorPrimary": "#FFFFFF" } }' ``` ### Request Parameters Same as PIN viewing, with identical `customCss` options. ### Response ```json theme={null} { "token": "100a99cf-f4d3-4fa1-9be9-2e9828b20ebb", "hostedPageUrl": "https://cards.baanx.com/pin-direct/set?token=100a99cf-f4d3-4fa1-9be9-2e9828b20ebb" } ``` Set PIN hosted page includes built-in validation for PIN requirements (4 digits, no sequential patterns, etc.) ### Step 2: Display Set PIN Page ```javascript theme={null} function showSetPIN(hostedPageUrl) { const iframe = document.createElement('iframe'); iframe.src = hostedPageUrl; iframe.style.cssText = ` width: 100%; height: 450px; border: none; border-radius: 8px; `; document.getElementById('pin-container').appendChild(iframe); window.addEventListener('message', (event) => { if (event.origin !== 'https://cards.baanx.com') return; switch (event.data) { case 'success': console.log('PIN set successfully'); iframe.remove(); showSuccessMessage('PIN updated successfully'); break; case 'abort': console.log('User cancelled PIN change'); iframe.remove(); break; case 'error': console.error('Error setting PIN'); iframe.remove(); showErrorMessage('Failed to set PIN'); break; } }); } ``` ## Complete PIN Management Component ```javascript React Component theme={null} import { useState } from 'react'; export function PINManagement({ clientId, accessToken, cardStatus }) { const [loading, setLoading] = useState(false); const [error, setError] = useState(null); const [activeView, setActiveView] = useState(null); const [imageUrl, setImageUrl] = useState(null); const [hostedPageUrl, setHostedPageUrl] = useState(null); async function generateToken(endpoint) { setLoading(true); setError(null); try { const customCss = endpoint === 'pin' ? { backgroundColor: '#f5f5f5', textColor: '#1a1a1a' } : { backgroundColor: '#f5f5f5', textColor: '#1a1a1a', backgroundColorPrimary: '#2563eb', textColorPrimary: '#ffffff', buttonBorderRadius: 8, pinBorderRadius: 4 }; const requestBody = endpoint === 'pin' ? { customCss } : { isEmbedded: true, customCss }; const response = await fetch(`https://dev.api.baanx.com/v1/card/${endpoint}/token`, { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-Client-ID': clientId, 'Authorization': `Bearer ${accessToken}` }, body: JSON.stringify(requestBody) }); if (!response.ok) { throw new Error('Failed to generate token'); } const data = await response.json(); if (endpoint === 'pin') { setImageUrl(data.imageUrl); } else { setHostedPageUrl(data.hostedPageUrl); window.addEventListener('message', handleMessage); } setActiveView(endpoint); } catch (err) { setError(err.message); } finally { setLoading(false); } } function handleMessage(event) { if (event.origin !== 'https://cards.baanx.com') return; switch (event.data) { case 'success': closeView(); break; case 'abort': closeView(); break; case 'error': setError('Operation failed'); closeView(); break; } } function closeView() { setActiveView(null); setImageUrl(null); setHostedPageUrl(null); window.removeEventListener('message', handleMessage); } if (activeView === 'pin' && imageUrl) { return (
Card PIN
); } if (activeView === 'set-pin' && hostedPageUrl) { return (