---
page_title: Authentication using client auth token
product: API Reference
page_source: https://juspay.io/in/docs/api-reference/docs/visa-agentic-transactions/authentication-using-client-auth-token
llms_txt: https://juspay.io/in/docs/llms.txt
product_llms_txt: https://juspay.io/in/docs/api-reference/llms.txt
---


# **Client Auth Token Authentication** 



**What is a client auth token?** 

Client auth token (CAT) is an authentication mechanism that issues a short-lived token, which any client can use to validate itself as an authenticated entity.

**How is it generated?** 

In this flow, the merchant makes a server-to-server API call (the create or get customer API call in VISA VIC API use cases), which returns a CAT and its expiry. The client auth token is issued after validating the merchant's API key.

Get customer: [https://juspay.io/in/docs/api-reference/docs/express-checkout/getcustomer](https://juspay.io/in/docs/api-reference/docs/express-checkout/getcustomer)

Create customer: [https://juspay.io/in/docs/api-reference/docs/express-checkout/createcustomer](https://juspay.io/in/docs/api-reference/docs/express-checkout/createcustomer)

During the allowed time period, the client can call backend APIs with this client auth token, and the backend validates that the API is being called for the customer against whom the client auth token was created.

**How is it scoped?** 

Juspay scopes a client auth token in 2 variations:

1. OrderId based
2. CustomerId based

In #1, every API call related to an order must be sent with a client auth token created against that order ID.

In #2, every API call related to a customer must be sent with a client auth token created against that customer ID.

**How is it safe?** 

* **Tightly scoped:** Because the token is scoped tightly against a specific entity's value, there is no scope for misusing the token to capture details of a different customer.
* **Short-lived:** The token is short-lived and also comes with a specific number of requests for which it can be used. This reduces the possibility of continued misuse if the token is compromised.
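
The three properties above (entity scoping, expiry and a request budget) can be seen together in a small server-side validator. This is an added illustration, not Juspay's implementation: the class name, the `cat_` token prefix, the reason strings and the default TTL and request limit are all assumptions.

```python
import hashlib
import secrets
import time


class ScopedTokenStore:
    """Illustrative in-memory store for scoped, short-lived tokens (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised in tests
        self._records = {}       # sha256(token) -> record

    @staticmethod
    def _digest(token):
        # Keep only a hash so a leaked store does not expose usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, scope_type, scope_id, ttl_seconds=900, max_uses=10):
        # ttl_seconds and max_uses are assumed defaults, not documented limits.
        if scope_type not in ("order", "customer"):
            raise ValueError("scope_type must be 'order' or 'customer'")
        token = "cat_" + secrets.token_hex(16)   # constructed format
        expires_at = self._clock() + ttl_seconds
        self._records[self._digest(token)] = {
            "scope": (scope_type, scope_id),
            "expires_at": expires_at,
            "uses_left": max_uses,
        }
        return token, expires_at

    def validate(self, token, scope_type, scope_id):
        """Return (allowed, reason) for one API call about scope_type/scope_id."""
        key = self._digest(token)
        rec = self._records.get(key)
        if rec is None:
            return False, "unknown_token"
        if self._clock() >= rec["expires_at"]:
            del self._records[key]               # expired tokens are purged
            return False, "expired"
        if rec["scope"] != (scope_type, scope_id):
            return False, "scope_mismatch"       # bound to a different entity
        if rec["uses_left"] <= 0:
            return False, "request_limit_reached"
        rec["uses_left"] -= 1                    # only allowed calls spend budget
        return True, "ok"
```

Logging the `scope_mismatch` and `request_limit_reached` outcomes gives a detection signal for a token being replayed against another customer or order.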

---

## See Also

- [Introduction](https://juspay.io/in/docs/api-reference/docs/visa-agentic-transactions/introduction)
- [Provision Token and create Passkey](https://juspay.io/in/docs/api-reference/docs/visa-agentic-transactions/provision-token-and-create-passkey)
