Generating and retrieving credit card nonce in server-side code, like C#

I’m trying to add a card on file for a customer as part of a monthly subscription. I’ve already upserted a catalog object which contains the subscription plan ID for the subscription for me to reference.

A paid subscription requires a card - so it needs the “card_id” argument passed in. In order to generate a card, a credit card nonce or payment ID is required for the “source_id” argument. I don’t think a payment ID would work for this, since subscriptions aren’t one-time payments.

That leaves the option of a nonce. From the documentation I’ve read, the only way to generate a card nonce for Square is through the Web Payments SDK. It seems the only option from the SDK that may work is storing a card on file with SCA (Strong Customer Authentication), which shows sample code on GitHub here. I tried that, but failed to get an authenticated response to the /card endpoint, due to a missing CORS header and resulting 403 error. I did more research on this issue, and it seems using JavaScript to generate a card won’t work due to the insecure risk of exposing the application ID and location ID. I’m not sure if there’s a workaround for cross-origin requests. Another non-option is the SQPaymentForm, which is deprecated and will be retired in October of this year.

At this rate, with it seeming that client-side coding may not be a viable option, I was wondering if there are ways to generate a card nonce and store a card for a customer by using any type of server-side languages. It looks like that solution would be using the /customers/{customer_id}/cards endpoint (documentation) to create a customer card, which requires the parameter “card_nonce.” I happen to be using C# as the back-end for my Web app. If not, I will have to figure something out with the Web Payments SDK, as the SCA method keeps generating CORS errors. I also may need corrected on the notion that it isn’t possible to pass a payment ID to store a card for subscriptions.

With Square, the ability to generate a source_id with server-side code isn’t available. You’ll need to generate the source_id with the Web Payments SDK. Also, the location_id and application_id can be publicly exposed. It’s the access token that can’t be exposed. :slightly_smiling_face:

Thank you for your response. Is it common to see CORS errors with the SDK? If you see the code in the GitHub link I provided, the part where I receive the error is on the Fetch API call to the /card endpoint (starting at line 30). Am I referencing the correct code by choosing SCA?

CORS errors generally happen when you’re trying to call our APIs on the front-end client side rather than the back-end server side. :slightly_smiling_face:
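The split described in the replies above, as an added example that is not part of the thread or of Square's sample code: the browser obtains the token from the Web Payments SDK and posts it to your own backend, and only the backend, which holds the access token, calls Square's CreateCard endpoint (`POST /v2/cards`). The function names and sample values are assumptions, and the same HTTP request can be sent from a C# backend.

```javascript
// Added example. Assumptions: Node 18+ (global fetch); names and sample
// values are illustrative, not from the thread or Square's sample app.
const SQUARE_BASE_URL = 'https://connect.squareup.com'; // sandbox: connect.squareupsandbox.com

// Build the CreateCard request. `sourceId` is the token the browser got from
// the Web Payments SDK; `idempotencyKey` is generated once per user action
// (e.g. a UUID) and reused on retries so a retry cannot create a second card.
function buildCreateCardRequest({ accessToken, idempotencyKey, sourceId, customerId, verificationToken }) {
  for (const [name, value] of Object.entries({ accessToken, idempotencyKey, sourceId, customerId })) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new Error(`${name} is required`);
    }
  }
  const body = {
    idempotency_key: idempotencyKey,
    source_id: sourceId,
    card: { customer_id: customerId },
  };
  // Present only when the browser ran the SCA buyer-verification step.
  if (verificationToken) body.verification_token = verificationToken;
  return {
    url: `${SQUARE_BASE_URL}/v2/cards`,
    options: {
      method: 'POST',
      headers: {
        // The access token is added here, on the server, and never sent to the browser.
        Authorization: `Bearer ${accessToken}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(body),
    },
  };
}

// Send the request and return the stored card's id (the subscription's card_id).
// `fetchImpl` is injectable so the function can be exercised without network access.
async function storeCardOnFile(input, fetchImpl = globalThis.fetch) {
  const { url, options } = buildCreateCardRequest(input);
  const res = await fetchImpl(url, options);
  const json = await res.json();
  if (!res.ok) {
    const codes = (json.errors || []).map((e) => e.code).join(', ');
    throw new Error(`CreateCard failed (${res.status}): ${codes}`);
  }
  return json.card.id;
}
```

The page's own script posts the SDK token to a route on your origin that calls `storeCardOnFile`, so the browser never makes a cross-origin request to Square.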