Payment Tokenization for Server-side integration

Integrate Klarna's Payment Tokenization for server-side scenarios. This guide shows how to request a customer token, handle tokenization outcomes including step-up flows, and securely store tokens for future transactions.

Overview

This guide covers how to create a customer token with Klarna using a server-side integration when the customer is present to provide consent. As an Acquiring Partner, the backend collects payment context from a Partner, calls the Payment Authorize API with a tokenization request, handles the STEP_UP_REQUIRED initial response, manages the step-up flow, and securely stores the token for future use.

For conceptual understanding of tokenization, token scopes, use cases, and authorization patterns, see the Payment Tokenization resource.

Prerequisites

Before starting tokenization, ensure the following:

A Partner Account onboarded with Klarna
An API Key associated with your Partner Account
Backend capability to receive and process Klarna webhooks
Partner-facing APIs capable of forwarding redirect URLs and Klarna network data without modification
A checkout or account setup flow where the customer is present and able to complete step-up interactions
Clear customer consent for saving the payment method and future charges according to token scope

Integration overview

Once the customer initiates tokenization (for example, during subscription signup or account setup):

1.
The Partner initiates tokenization through the Acquiring Partner
2.
The Acquiring Partner forwards the tokenization request to Klarna by calling the authorizePayment
3.
Klarna returns STEP_UP_REQUIRED because customer consent is always required for tokenization
4.
The Acquiring Partner returns the payment_request_url to the Partner
5.
The customer completes the Klarna Purchase Journey to provide consent
6.
Klarna sends a webhook upon step-up completion. The payload differs by scenario:
- 6.1.
  Tokenization only: The webhook contains the customer_token. No further API call is needed. The Acquiring Partner securely stores the customer token issued by Klarna, maps it to an internal identifier, and returns that internal customer token identifier to the Partner.
- 6.2.
  Tokenization combined with authorization: The webhook contains both the customer_token and a klarna_network_session_token. The Acquiring Partner calls the Payment Authorize API again with the klarna_network_session_token to complete the initial Payment Authorization. Klarna returns the final result (APPROVED or DECLINED). The Acquiring Partner then securely stores the customer token issued by Klarna, maps it to an internal identifier, and returns the internal customer token identifier and payment result to the Partner.

sequenceDiagram autonumber participant Customer participant Partner participant AcquiringPartner as Acquiring Partner participant Klarna Customer->>Partner: Initiate tokenization Partner->>AcquiringPartner: Request tokenization Note over Partner,AcquiringPartner: payment context according to the tokenization scenario Note over Partner,AcquiringPartner: Tokenization settings matching Klarna customer token scopes Note over Partner,AcquiringPartner: return_url, app_return_url for step-up AcquiringPartner->>Klarna: Call Payment Authorize API Note over AcquiringPartner,Klarna: payment context according to the tokenization scenario Note over AcquiringPartner,Klarna: request_customer_token with scopes Note over AcquiringPartner,Klarna: step_up_config configured with HANDOVER Klarna->>AcquiringPartner: STEP_UP_REQUIRED Note over Klarna,AcquiringPartner: Customer consent always required for tokenization AcquiringPartner->>Partner: Return payment_request_url Partner->>Customer: Redirect to Klarna's Purchase Journey Customer->>Klarna: Customer provides consent alt Tokenization only Klarna-->>AcquiringPartner: Webhook: Payment Request completed Note over AcquiringPartner,Klarna: Payload contains customer_token, no further API call needed Note over AcquiringPartner: Store customer_token securely, map to internal identifier AcquiringPartner->>Partner: Return internal customer token identifier Partner->>Customer: Token saved successfully else Tokenization combined with authorization Klarna-->>AcquiringPartner: Webhook: Payment Request completed Note over AcquiringPartner,Klarna: Payload contains customer_token + klarna_network_session_token AcquiringPartner->>Klarna: Complete initial Payment Authorization Note over AcquiringPartner,Klarna: Call Payment Authorize API with Klarna Network Session Token Klarna->>AcquiringPartner: Payment Authorization result (APPROVED / DECLINED) alt APPROVED Note over AcquiringPartner: Store customer_token securely, map to internal identifier AcquiringPartner->>Partner: Return internal customer token identifier + Payment Authorization result Partner->>Customer: Token saved, Payment Authorization completed else DECLINED AcquiringPartner->>Partner: Return failure indicator Partner->>Customer: Token saved, Payment Authorization failed end end

Integration details

Step 1: Determine tokenization scenario

Determine which tokenization scenario applies to the use case:

Tokenization only: Save a payment method without an immediate charge
Tokenization combined with authorization: Create a token while processing the first Payment Authorization

The appropriate request structure for each scenario is shown in Step 3. See the Payment Tokenization resource for detailed scenario descriptions and use cases.

Step 2: Collect payment context from the Partner

Collect the necessary information from the Partner to request a customer token. The required fields depend on the tokenization scenario.

Update the Partner-facing API to collect the following fields for tokenization without an initial Payment Authorization:

Parameter	Required (Acquiring Partner)	Required (Partner)	Description
`currency`	Yes	Yes	Currency in ISO 4217 format for future transactions using the token.
`scopes`	Yes	Yes	Token scope defining the authorization pattern: `payment:customer_present` or `payment:customer_not_present`. See Token Scopes for guidance.
`supplementary_purchase_data`	Yes	Recommended	Additional details about the tokenization use case. Include this data to improve fraud assessment and customer communication.
`supplementary_purchase_data.subscriptions`	Yes	Conditional	Subscription details including subscription reference, billing plans, and free trial status. Mandatory when the token will be used for subscription charges, i.e. when token scope = `payment:customer_not_present`.
`supplementary_purchase_data.ondemand_service`	Yes	Conditional	On-demand service details describing the service the token will be used for. Mandatory when the token will be used for on-demand charges, i.e. when token scope = `payment:customer_present`.
`supplementary_purchase_data.customer`	Yes	Recommended	Information about the customer based on their previous interactions with the Partner. Used by Klarna to simplify sign-up and for fraud assessment.
`klarna_network_session_token`	Yes	Conditional	Encodes Klarna Network Session Token context (prequalification, sign-in state, or approval). Optional on the initial tokenization request; required for finalization after step-up completion.
`klarna_network_data`	Yes	Recommended	Additional data to enable custom features or data exchange supported by the Partner. Klarna accepts this passthrough field in a structured JSON format and forwards it to relevant systems for interoperability. Treat this value as an opaque string; do not validate or infer its structure.
`return_url`	Yes	Recommended	URL to redirect the customer after completing the step-up flow. Recommended for web flows.
`app_return_url`	Yes	Recommended	Mobile application return URL (app scheme with no action deeplink). The customer will be redirected to this URL after third-party redirects. Recommended for mobile app flows.

Token scope selection is critical

The token scope must match your intended tokenization pattern. See Token Scopes for detailed guidance on choosing between payment:customer_present and payment:customer_not_present.

Requirements

Use exact parameter names klarna_network_session_token and klarna_network_data in the Partner-facing API to ensure Partners can easily identify and use them.
Forward all parameters unmodified to Klarna.
Parameter validation must not be more restrictive than Klarna's authorizePayment.
Support all printable UTF-8 characters.
Supplementary purchase data handling:
- Map your existing Tokenization settings to Klarna customer token scopes.
- Map your existing Partner-facing fields (line items, customer billing address, shipping, order reference) into supplementary_purchase_data when calling Klarna.
- Don't add new Partner-facing fields "just for Klarna" if you already have equivalent fields in your existing schema. Avoid forcing Partners to submit the same data twice using parallel structures

Map existing line items into supplementary_purchase_data.line_items.
Map existing customer details into supplementary_purchase_data.customer.
Map existing shipping data into supplementary_purchase_data.shipping.
Map your existing purchase reference into supplementary_purchase_data.purchase_reference.

Don't

Introduce a parallel line-item structure such as klarna_line_items.
Duplicate customer fields you already collect from Partners.
Add a separate shipping object "just for Klarna".
Force Partners to submit the same purchase reference twice.

Supplementary purchase data scenarios

Acquiring Partners may receive supplementary purchase data (including line items, L2/L3 data for Card Network optimization, and transaction context) in one or both of the following ways:

Embedded in klarna_network_data: Forward as received without parsing or mapping
Provided as individual API fields: Map to the supplementary_purchase_data object when calling authorizePayment

flowchart LR Partner[Partner]:::tertiaryEntity LineItems[Line items,\nL2/L3 data,\netc]:::secondaryEntity KlarnaNetLeft[Klarna Network Data]:::secondaryEntity AP[Acquiring Partner's API]:::primaryEntity Supplementary[Supplementary\nPurchase Data]:::secondaryEntity KlarnaNetRight[Klarna Network Data]:::secondaryEntity Auth[Payment Authorization]:::primaryEntity %% Main flows Partner --> LineItems --> AP --> Supplementary --> Auth Partner --> KlarnaNetLeft --> AP --> KlarnaNetRight --> Auth

Step 3: Call the Payment Authorize API

Call the Payment Authorize API with the appropriate configuration based on the tokenization scenario.

When saving a payment method without an immediate charge:

Include request_customer_token with desired scopes
Do NOT include request_payment_transaction or amount in the request
Provide complete supplementary_purchase_data describing the intended use case
Configure step_up_config with HANDOVER to allow customer consent collection

Request example

JSON

1 2 3 4 5 6 7 8 9 10

POST /v2/accounts/{partner_account_id}/payment/authorize
Content-Type: application/json
Klarna-Network-Session-Token: krn:network:us1:test:session-token:eyJhbGciOiJIU[...]

{
  "currency": "USD",
  "request_customer_token": {
    "scopes": ["payment:customer_not_present"],
    "customer_token_reference": "subscription-user-12345"
  },

API parameters

Optionally set step_up_config.customer_interaction_config.interaction_expiry to override the default 3-hour Payment Request lifetime. See Custom Payment Request expiry.

Step 4: Handle authorization results

The initial Payment Authorize API call always returns STEP_UP_REQUIRED for tokenization requests.

When requesting tokenization through the authorizePayment API

, Klarna returns response objects that correspond to the elements included in the request. The response contains a customer_token_response, and if an initial Payment Authorization was also requested, a payment_transaction_response will be included as well.

Result	Description	Next steps
`STEP_UP_REQUIRED`	Customer consent is always required for tokenization. Klarna creates a `payment_request` containing the `payment_request_url` for the Klarna Purchase Journey.	Return the `payment_request_url` to the Partner to redirect the customer. Customer interaction is required to complete tokenization.

What you receive:

customer_token_response.result: STEP_UP_REQUIRED
payment_request object containing:
- payment_request_id: Unique identifier for the step-up request
- payment_request_url: URL to launch the Klarna Purchase Journey

Sample payload

JSON

1 2 3 4 5 6 7 8 9 10

{
  "customer_token_response": {
    "result": "STEP_UP_REQUIRED"
  },
  "payment_request": {
    "payment_request_id": "krn:payment:us1:request:bcb5ca7d-[...]",
    "payment_request_reference": "acquiring-partner-request-reference-1234",
    "expires_at": "2026-04-01T19:53:15.738Z",
    "created_at": "2026-04-01T16:53:15.738Z",
    "updated_at": "2026-04-01T16:53:15.738Z",

Return URLs for step-up scenario

Acquiring Partners must include return URLs in the step_up_config when calling authorizePayment API

to enable the step-up scenario.

These URLs, set inside the customer_interaction_config object, tell Klarna where to redirect the customer after they complete or stop the Klarna Purchase Journey.

return_url

If the Klarna Purchase Journey is launched in a web environment, Klarna redirects the customer to the return_url after they finish — whether they complete or stop the flow. This can be a URL managed by the Acquiring Partner (which handles redirection logic) or one collected directly from the Partner.

app_return_url

On mobile, the customer may be redirected to a third-party app (such as a bank app) or the Klarna app during the Klarna Purchase Journey. The app_return_url brings the customer back to the Partner's mobile app when this happens.

Partners must register a URL scheme (e.g., yourapp://klarna) or a universal link that resumes the payment flow. Klarna invokes this URL after the customer completes a native app-based step, such as biometric authentication or Klarna app login. Partners are expected to resume the mobile app in its last state without applying state changes or deep link navigations.

Interaction scenarios

The return_url and app_return_url are not mutually exclusive. Depending on the device and environment, either or both may be triggered:

Scenario	Description
Pure web flow	The customer starts the Klarna Purchase Journey in a desktop browser. After completing the flow, Klarna redirects them to `return_url`.
App-to-app flow	The Partner's native app opens the Klarna Purchase Journey using a universal link. If the Klarna app is installed, the customer goes directly into it. After completion, Klarna redirects them to `app_return_url`.
WebView flow with app handover	The Partner's native app starts the Klarna Purchase Journey in a System WebView. If the customer must authenticate via an external banking app, `app_return_url` returns them to the Partner's app mid-flow. They then resume in the WebView and, on completion, are redirected to `return_url`.

If the Acquiring Partner already collects a suitable return_url or app_return_url from the Partner, do not request a second one — this would increase the minimum integration requirements for Klarna to work.

Return authorization outcomes to the Partner

Map the Klarna authorization result to the Partner-facing API response according to the authorization outcome. The response may include a payment_request_url and/or a klarna_network_response_data parameter.

Requirements

payment_request_url MUST be returned directly to the Partner in an existing field and MUST NOT be wrapped or hidden behind Acquiring Partner-managed redirects.
Use exact parameter name klarna_network_response_data in the Partner-facing API to ensure Partners can easily identify and use the parameter. Treat this value as an opaque string; do not validate or infer its structure.

Below are examples of how Acquiring Partners can return the klarna_network_response_data parameter in their Partner-facing APIs depending on the authorization outcome.

JSON

1 2 3 4 5 6 7 8 9 10

{
  "payment_id": "pr_27234RBQD9NAKD032BN",
  "amount": 17800,
  "currency": "USD",
  "status": "open",
  "url": "https://pay.test.klarna.com/na/requests/aeba9923-[...]/start",
  "additional_data": {
    "klarna_network_response_data": "{\"content_type\":\"vnd.klarna.network-data.v2+json\",\"content\":{\"operation\":\"payment_request\",\"response\":{\"result\":\"STEP_UP_REQUIRED\",\"payment_request\":{\"payment_request_id\":\"krn:payment:us1:request:10b51071-[...]\",\"payment_request_url\":\"https://pay.test.klarna.com/na/requests/aeba9923-[...]/start\"}}}}"
  }
}

What happens next:

With the payment_request_url, the Partner will handle the step-up scenario and launch the Klarna Purchase Journey (see Step 5).

Avoid intermediate redirects

Acquiring Partners should expose Klarna's payment_request_url directly to Partners rather than routing through an Acquiring Partner-owned URL.

Using an intermediate redirect under the Acquiring Partner's domain causes the following issues:

Issue	Impact
Reduced app handover success	Cross-domain redirects reduce the likelihood of a successful handover to the Klarna app, negatively impacting Klarna's purchase conversion rate.
Incompatibility with Klarna web SDK integration	Not compatible with Partners using the Klarna web SDK for pop-up flows on websites or app-to-app handoff in native mobile apps.
Network issues	Frontend redirects expose customers to network issues.

Step 5: Partner handles step-up scenario

When step-up is triggered, authorizePayment API

returns a STEP_UP_REQUIRED result along with a Payment Request containing the payment_request_url and klarna_network_response_data which the Partner needs in order to launch the Klarna Purchase Journey, either through a redirect or a pop-up experience.

The Klarna Purchase Journey allows the customer to authenticate with Klarna (via login, one-time passwords, etc.), choose a payment method, and accept the payment.

What happens next:

When the customer completes step-up, Klarna sends a webhook with the token(s). Your next step depends on the scenario:

Tokenization only: Extract the customer_token from klarna_customer.customer_token in the webhook payload, store it securely, and return the internal token identifier to the Partner. No further API call is needed.
Tokenization combined with authorization: Use the klarna_network_session_token from the webhook to call the Payment Authorize API and complete the initial Payment Authorization, then store the customer_token securely (Step 6).

See Step 6 for webhook monitoring details.

Step 6: Monitor step-up completion

When the payment.request.state-change.completed webhook arrives, tokenization is complete — the customer_token is available in the payload regardless of scenario. For the Tokenization only scenario, no further API call is needed: store the token and return the result to the Partner. For the Tokenization combined with authorization scenario, proceed to Step 6 to finalize the initial Payment Authorization.

To retrieve the required token(s), Klarna provides multiple integration methods. Subscribing to Klarna webhook events is required and may be combined with additional methods to improve resilience.

Using webhooks ensures reliable completion handling, particularly when the customer closes the browser before returning, network interruptions occur during redirects, or post-processing is required before notifying the customer.

Subscribe to the payment.request.state-change.completed webhook event using the Klarna webhook guidelines. Klarna sends this event when the Payment Request reaches the COMPLETED state.

This event indicates that the customer has finished the step-up interaction and that the Acquiring Partner can proceed with finalizing the authorization.

Sample payload

JSON

1 2 3 4 5 6 7 8 9 10

{
  "metadata": {
    "event_type": "payment.request.state-change.completed",
    "event_id": "d9f9b1a0-5b1a-4b0e-9b0a-9e9b1a0d5b1a",
    "event_version": "v2",
    "occurred_at": "2026-04-01T16:55:17Z",
    "correlation_id": "2d1557e8-17c3-466c-924a-bbc3e91c2a02",
    "subject_account_id": "krn:partner:global:account:test:HGBY07TR",
    "recipient_account_id": "krn:partner:global:account:test:LWT2XJSE",
    "product_instance_id": "krn:partner:product:payment:ad71bc48-8a07-[...]",

Method: Read the Payment Request (optional/fallback)

As an alternative method, retrieve the Klarna token(s) by calling the readPaymentRequest API

Once the Payment Request reaches the COMPLETED state, the token(s) are available in the state_context object of the Payment Request.

Sample payload

JSON

1 2 3 4 5 6 7 8 9 10

{
  "payment_request_id": "krn:payment:us1:request:bcb5ca7d-[...]",
  "state": "COMPLETED",
  "previous_state": "IN_PROGRESS",
  "state_context": {
    "klarna_customer": {
      "customer_token": "krn:partner:us1:test:identity:customer-token:Rt4iBjqKBM[...]",
      "customer_token_reference": "subscription-user-12345"
    }
  },

Step 7: Complete the initial Payment Authorization

This step applies only to the Tokenization combined with authorization scenario. Tokenization is already complete after step-up — the customer_token is delivered in the webhook payload.

To process the initial Payment Authorization, call the authorizePayment API

using:

The newly obtained klarna_network_session_token in the Klarna-Network-Session-Token request header
The same payment context (amount, currency, supplementary_purchase_data, klarna_network_data) used in the initial request
The same payment_transaction_reference to link the requests

Finalization request example

SHELL

1 2 3 4 5 6 7 8 9 10

curl https://api-global.test.klarna.com/v2/accounts/{partner_account_id}/payment/authorize \
  -H 'Authorization: Basic <API key>' \
  -H 'Content-Type: application/json' \
  -H 'Klarna-Network-Session-Token: krn:network:us1:test:session-token:eyJhbGciOiJFU[...]' \
  -d '{
        "currency": "USD",
        "request_payment_transaction": {
          "amount": 999,
          "payment_option_id": "S0xBUk5BXzE3NzI3MjQ5MTQzMjk=",
          "payment_transaction_reference": "subscription-first-payment-001"

If the klarna_network_session_token has expired (1-hour validity) or the payment context doesn't match the initial request, the finalization call returns DECLINED.

Klarna evaluates the Payment Request and returns one of the following results for payment_transaction_response:

Result	Description	Next steps
`APPROVED`	The Payment Authorization succeeded and a `payment_transaction` was created. The `customer_token` is returned in `customer_token_response` and is ready for future use.	Store the `customer_token` securely and return the payment result to the Partner.
`DECLINED`	The Payment Authorization failed. No `payment_transaction` was created. The `customer_token` is still returned in `customer_token_response` and is valid for future use.	Return the failure result to the Partner. Store the `customer_token` securely — it remains valid despite the Payment Authorization failure.

Sample payload

JSON

1 2 3 4 5 6 7 8 9 10

{
  "payment_transaction_response": {
    "result": "APPROVED",
    "payment_transaction": {
      "payment_transaction_id": "krn:payment:us1:transaction:5cb3e0e5-a6f0-[...]",
      "amount": 999,
      "currency": "USD",
      "payment_pricing": { "..." : "..." },
      "payment_funding": {
        "type": "GUARANTEED",

Step 8: Return final authorization outcomes to the Partner

Map the Klarna authorization result to the Partner-facing API response and return the klarna_network_response_data.

Requirements

Treat this value as an opaque string; do not validate or infer its structure.
Use exact parameter name klarna_network_response_data in the Partner-facing API to ensure Partners can easily identify and use the parameter.
All returned data MUST be forwarded without modification.

Below is an example of how Acquiring Partners can return the klarna_network_response_data parameter in their Partner-facing APIs.

JSON

1 2 3 4 5 6 7 8 9

{
  "payment_id": "pr_27234RBQD9NAKD032BN",
  "amount": 999,
  "currency": "USD",
  "status": "completed",
  "additional_data": {
    "klarna_network_response_data": "{\"content_type\":\"vnd.klarna.network-data.v2+json\",\"content\":{\"operation\":\"payment_request\",\"response\":{\"result\":\"APPROVED\",\"payment_transaction\":{\"payment_transaction_id\":\"krn:payment:us1:transaction:5cb3e0e5-a6f0-[...]\"}}}}"
  }
}

Next steps

Payment Tokenization resource — Understand token scopes, authorization patterns, and lifecycle management
Authorize Partner-initiated transactions — Use the stored customer token to charge customers when they are not present
Manage payment transactions — Capture, refund, or cancel authorized payments