> ## Documentation Index
> Fetch the complete documentation index at: https://docs.didit.me/llms.txt
> Use this file to discover all available pages before exploring further.

# Mint SDK Transaction Token

> Mint a short-lived scoped token your app passes to the Didit SDKs so they can submit transactions directly from the end-user's device via `POST /v1/transactions/`. The token is bound to one `vendor_data` (your user id): every transaction submitted with it has its subject identity enforced server-side from that binding, so a tampered client cannot submit on behalf of another user. Mint tokens from your backend - never ship the API key itself in an app. camelCase aliases (`vendorData`, `ttlSeconds`, `maxUses`) are also accepted.

export const AgentPromptAccordion = ({prompt, title = "AI Agent Integration Prompt"}) => {
  const [copied, setCopied] = React.useState(false);
  const handleCopy = e => {
    e.stopPropagation();
    if (!prompt) return;
    navigator.clipboard.writeText(prompt.trim()).then(() => {
      setCopied(true);
      setTimeout(() => setCopied(false), 2000);
    });
  };
  const agents = ["Claude Code", "Codex", "Cursor", "Devin", "Windsurf", "GitHub Copilot"];
  return <div className="didit-agent-card">
      {}
      <div className="didit-agent-titlebar">
        <div className="didit-agent-dots" aria-hidden="true">
          <span className="didit-agent-dot didit-agent-dot-red"></span>
          <span className="didit-agent-dot didit-agent-dot-yellow"></span>
          <span className="didit-agent-dot didit-agent-dot-green"></span>
        </div>
        <span className="didit-agent-filename">{title}</span>
        <button type="button" className={`didit-agent-copy ${copied ? "didit-agent-copy-copied" : ""}`} onClick={handleCopy} title="Copy prompt to clipboard" aria-label={copied ? "Copied!" : "Copy prompt to clipboard"}>
          {copied ? <>
              <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                <path d="M3 8.5l3.5 3.5L13 4" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" />
              </svg>
              <span>Copied</span>
            </> : <>
              <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                <rect x="5" y="5" width="9" height="9" rx="1.5" stroke="currentColor" strokeWidth="1.5" />
                <path d="M11 5V3.5A1.5 1.5 0 0 0 9.5 2h-6A1.5 1.5 0 0 0 2 3.5v6A1.5 1.5 0 0 0 3.5 11H5" stroke="currentColor" strokeWidth="1.5" />
              </svg>
              <span>Copy</span>
            </>}
        </button>
      </div>

      {}
      <pre className="didit-agent-body"><code>{prompt.trim()}</code></pre>

      {}
      <div className="didit-agent-footer">
        <span className="didit-agent-footer-label">Paste into</span>
        <div className="didit-agent-chips">
          {agents.map(name => <span key={name} className="didit-agent-chip">{name}</span>)}
        </div>
      </div>
    </div>;
};

<AgentPromptAccordion
  title="Mint SDK Transaction Token API Prompt"
  prompt={`Mint a short-lived scoped token that lets the Didit SDKs submit monitored transactions directly from an end-user's device.

Endpoint:
POST https://verification.didit.me/v3/transactions/sdk-token/

Authentication:
Use the x-api-key header with my Didit API key. This call runs on YOUR BACKEND only - the API key must never ship in an app. Only the returned sdk_token travels to the device.

Goal:
- Get an sdk_token scoped to one end user (vendor_data). The app passes it to the SDK's submitTransaction method (or directly to POST /v1/transactions/ via the X-Transaction-Token header).
- The token binds the subject identity server-side: every transaction submitted with it has its subject forced to the token's vendor_data, so a tampered client cannot submit on behalf of another user.

Request body (application/json):
{
"vendor_data": "user-042",   // required - your internal id for the end user
"ttl_seconds": 900,          // optional - default 900 (15 min), max 86400 (24 h)
"max_uses": 3                // optional - max successful submissions; omit for unlimited within the TTL
}
camelCase aliases (vendorData, ttlSeconds, maxUses) are also accepted.

Example call:
curl -X POST "https://verification.didit.me/v3/transactions/sdk-token/" \\
-H "x-api-key: YOUR_API_KEY" -H "Content-Type: application/json" \\
-d '{"vendor_data":"user-042","ttl_seconds":900,"max_uses":3}'

What to read from the response:
- sdk_token - hand this to your app; it authenticates POST /v1/transactions/ via the X-Transaction-Token header.
- expires_at - ISO-8601 expiry; mint a fresh token per user session rather than reusing long-lived ones.

Failure modes:
- 400 - missing vendor_data or invalid ttl_seconds/max_uses.
- 401 - missing or malformed x-api-key.

Best practice:
- Mint per user session, keep max_uses tight when the number of expected submissions is known.
- A 401 from POST /v1/transactions/ whose detail contains the word "expired" means the token aged out - mint a new one and retry.

For the full client-side submission guide, see /transaction-monitoring/sdk-transaction-submission.`}
/>


## OpenAPI

````yaml POST /v3/transactions/sdk-token/
openapi: 3.0.0
info:
  version: 3.0.0
  title: Didit Verification API
  description: Identity verification API. Authenticate with x-api-key header.
servers:
  - url: https://verification.didit.me
security: []
tags: []
paths:
  /v3/transactions/sdk-token/:
    post:
      tags:
        - Transactions
      summary: Mint an SDK transaction token
      description: >-
        Mint a short-lived scoped token your app passes to the Didit SDKs so
        they can submit transactions directly from the end-user's device via
        `POST /v1/transactions/`. The token is bound to one `vendor_data` (your
        user id): every transaction submitted with it has its subject identity
        enforced server-side from that binding, so a tampered client cannot
        submit on behalf of another user. Mint tokens from your backend - never
        ship the API key itself in an app. camelCase aliases (`vendorData`,
        `ttlSeconds`, `maxUses`) are also accepted.
      operationId: createTransactionSdkToken
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                vendor_data:
                  type: string
                  description: >-
                    Your internal identifier for the end user this token is
                    scoped to. Enforced as the subject identity of every
                    transaction submitted with the token.
                  example: user-042
                ttl_seconds:
                  type: integer
                  default: 900
                  maximum: 86400
                  description: >-
                    Token lifetime in seconds. Defaults to 900 (15 minutes);
                    maximum 86400 (24 hours).
                max_uses:
                  type: integer
                  nullable: true
                  description: >-
                    Maximum number of successful submissions allowed with this
                    token. Omit or null for unlimited uses within the TTL.
              required:
                - vendor_data
            example:
              vendor_data: user-042
              ttl_seconds: 900
              max_uses: 3
      responses:
        '201':
          description: >-
            The minted token. Hand `sdk_token` to your app; it authenticates the
            device-facing `/v1/transactions/` endpoints via the
            `X-Transaction-Token` header until `expires_at`.
          content:
            application/json:
              schema:
                type: object
                properties:
                  sdk_token:
                    type: string
                    description: The scoped transaction token to pass to the SDK.
                  expires_at:
                    type: string
                    format: date-time
                    description: When the token stops being accepted.
              example:
                sdk_token: q7Zt...urlsafe
                expires_at: '2026-07-07T12:15:00Z'
        '400':
          description: >-
            Validation failed: missing `vendor_data`, or `ttl_seconds` outside
            the allowed range.
          content:
            application/json:
              examples:
                Missing vendor_data:
                  value:
                    vendor_data:
                      - This field is required.
        '403':
          description: Missing, invalid, or revoked API key.
          content:
            application/json:
              examples:
                Invalid API Key:
                  value:
                    detail: Invalid API Key.
      security:
        - ApiKeyAuth: []
      x-codeSamples:
        - lang: curl
          label: curl
          source: >-
            curl -X POST
            https://verification.didit.me/v3/transactions/sdk-token/ \
              -H 'x-api-key: YOUR_API_KEY' -H 'Content-Type: application/json' \
              -d '{"vendor_data": "user-042", "ttl_seconds": 900, "max_uses": 3}'
        - lang: python
          label: Python
          source: |-
            import os

            import requests

            resp = requests.post(
                'https://verification.didit.me/v3/transactions/sdk-token/',
                headers={'x-api-key': os.environ['DIDIT_API_KEY']},
                json={'vendor_data': 'user-042', 'ttl_seconds': 900, 'max_uses': 3},
                timeout=10,
            )
            resp.raise_for_status()
            token = resp.json()
            print(token['sdk_token'], token['expires_at'])
components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: x-api-key

````