Payment Tokenization for Server-side integration
Integrate Klarna's Payment Tokenization for server-side scenarios. This guide shows how to request a customer token, handle tokenization outcomes including step-up flows, and securely store tokens for future transactions.
Overview
This guide covers how to create a customer token with Klarna using a server-side integration when the customer is present to provide consent. As an Acquiring Partner, the backend collects payment context from a Partner, calls the Payment Authorize API with a tokenization request, handles the STEP_UP_REQUIRED initial response, manages the step-up flow, and securely stores the token for future use.
For conceptual understanding of tokenization, token scopes, use cases, and authorization patterns, see the Payment Tokenization resource.
Prerequisites
Before starting tokenization, ensure the following:
- A Partner Account onboarded with Klarna
- An API Key associated with your Partner Account
- Backend capability to receive and process Klarna webhooks
- Partner-facing APIs capable of forwarding redirect URLs and Klarna network data without modification
- A checkout or account setup flow where the customer is present and able to complete step-up interactions
- Clear customer consent for saving the payment method and future charges according to token scope
Integration overview
Once the customer initiates tokenization (for example, during subscription signup or account setup):
- 1.The Partner initiates tokenization through the Acquiring Partner
- 2.The Acquiring Partner forwards the tokenization request to Klarna by calling the authorizePayment
- 3.Klarna returns
STEP_UP_REQUIREDbecause customer consent is always required for tokenization - 4.The Acquiring Partner returns the
payment_request_urlto the Partner - 5.The customer completes the Klarna Purchase Journey to provide consent
- 6.Klarna sends a webhook upon step-up completion. The payload differs by scenario:
- 6.1.Tokenization only: The webhook contains the
customer_token. No further API call is needed. The Acquiring Partner securely stores the customer token issued by Klarna, maps it to an internal identifier, and returns that internal customer token identifier to the Partner. - 6.2.Tokenization combined with authorization: The webhook contains both the
customer_tokenand aklarna_network_session_token. The Acquiring Partner calls the Payment Authorize API again with theklarna_network_session_tokento complete the initial Payment Authorization. Klarna returns the final result (APPROVEDorDECLINED). The Acquiring Partner then securely stores the customer token issued by Klarna, maps it to an internal identifier, and returns the internal customer token identifier and payment result to the Partner.
Integration details
Step 1: Determine tokenization scenario
Determine which tokenization scenario applies to the use case:
- Tokenization only: Save a payment method without an immediate charge
- Tokenization combined with authorization: Create a token while processing the first Payment Authorization
The appropriate request structure for each scenario is shown in Step 3. See the Payment Tokenization resource for detailed scenario descriptions and use cases.
Step 2: Collect payment context from the Partner
Collect the necessary information from the Partner to request a customer token. The required fields depend on the tokenization scenario.
Update the Partner-facing API to collect the following fields for tokenization without an initial Payment Authorization:
| Parameter | Required (Acquiring Partner) | Required (Partner) | Description |
|---|---|---|---|
currency | Yes | Yes | Currency in ISO 4217 format for future transactions using the token. |
scopes | Yes | Yes | Token scope defining the authorization pattern: payment:customer_present or payment:customer_not_present. See Token Scopes for guidance. |
supplementary_purchase_data | Yes | Recommended | Additional details about the tokenization use case. Include this data to improve fraud assessment and customer communication. |
supplementary_purchase_data.subscriptions | Yes | Conditional | Subscription details including subscription reference, billing plans, and free trial status. Mandatory when the token will be used for subscription charges, i.e. when token scope = payment:customer_not_present. |
supplementary_purchase_data.ondemand_service | Yes | Conditional | On-demand service details describing the service the token will be used for. Mandatory when the token will be used for on-demand charges, i.e. when token scope = payment:customer_present. |
supplementary_purchase_data.customer | Yes | Recommended | Information about the customer based on their previous interactions with the Partner. Used by Klarna to simplify sign-up and for fraud assessment. |
klarna_network_session_token | Yes | Conditional | Encodes Klarna Network Session Token context (prequalification, sign-in state, or approval). Optional on the initial tokenization request; required for finalization after step-up completion. |
klarna_network_data | Yes | Recommended | Additional data to enable custom features or data exchange supported by the Partner. Klarna accepts this passthrough field in a structured JSON format and forwards it to relevant systems for interoperability. Treat this value as an opaque string; do not validate or infer its structure. |
return_url | Yes | Recommended | URL to redirect the customer after completing the step-up flow. Recommended for web flows. |
app_return_url | Yes | Recommended | Mobile application return URL (app scheme with no action deeplink). The customer will be redirected to this URL after third-party redirects. Recommended for mobile app flows. |
Token scope selection is critical
The token scope must match your intended tokenization pattern. See Token Scopes for detailed guidance on choosing between payment:customer_present and payment:customer_not_present.
Requirements
- Use exact parameter names
klarna_network_session_tokenandklarna_network_datain the Partner-facing API to ensure Partners can easily identify and use them. - Forward all parameters unmodified to Klarna.
- Parameter validation must not be more restrictive than Klarna's authorizePayment.
- Support all printable UTF-8 characters.
- Supplementary purchase data handling:
- Map your existing Tokenization settings to Klarna customer token
scopes. - Map your existing Partner-facing fields (line items, customer billing address, shipping, order reference) into
supplementary_purchase_datawhen calling Klarna. - Don't add new Partner-facing fields "just for Klarna" if you already have equivalent fields in your existing schema. Avoid forcing Partners to submit the same data twice using parallel structures
Map your existing Partner-facing fields into supplementary_purchase_data when calling Klarna:
Line items:
supplementary_purchase_data.line_itemsCustomer info:
supplementary_purchase_data.customerShipping:
supplementary_purchase_data.shippingOrder reference:
supplementary_purchase_data.purchase_reference
Add new Partner-facing fields "just for Klarna" if you already have equivalents:
Don't introduce parallel structures like
itemsandklarna_line_itemsDon't force Partners to submit the same data twice
The two structures will diverge over time, causing maintenance issues
Supplementary purchase data scenarios
Acquiring Partners may receive supplementary purchase data (including line items, L2/L3 data for Card Network optimization, and transaction context) in one or both of the following ways:
- Embedded in
klarna_network_data: Forward as received without parsing or mapping - Provided as individual API fields: Map to the
supplementary_purchase_dataobject when calling authorizePayment
Step 3: Call the Payment Authorize API
Call the Payment Authorize API with the appropriate configuration based on the tokenization scenario.
When saving a payment method without an immediate charge:
- Include
request_customer_tokenwith desired scopes - Do NOT include
request_payment_transactionoramountin the request - Provide complete
supplementary_purchase_datadescribing the intended use case - Configure
step_up_configwithHANDOVERto allow customer consent collection
Request example
POST /v2/accounts/{partner_account_id}/payment/authorize
Content-Type: application/json
Klarna-Network-Session-Token: krn:network:us1:test:session-token:eyJhbGciOiJIU[...]
{
"currency": "USD",
"request_customer_token": {
"scopes": ["payment:customer_not_present"],
"customer_token_reference": "subscription-user-12345"
},
"supplementary_purchase_data": {
"subscriptions": [{API parameters
Step 4: Handle authorization results
The initial Payment Authorize API call always returns STEP_UP_REQUIRED for tokenization requests.
When requesting tokenization through the authorizePayment, Klarna returns response objects that correspond to the elements included in the request. The response contains a customer_token_response, and if an initial Payment Authorization was also requested, a payment_transaction_response will be included as well.
| Result | Description | Next steps |
|---|---|---|
STEP_UP_REQUIRED | Customer consent is always required for tokenization. Klarna creates a payment_request containing the payment_request_url for the Klarna Purchase Journey. | Return the payment_request_url to the Partner to redirect the customer. Customer interaction is required to complete tokenization. |
What you receive:
customer_token_response.result:STEP_UP_REQUIREDpayment_requestobject containing:payment_request_id: Unique identifier for the step-up requestpayment_request_url: URL to launch the Klarna Purchase Journey
Sample payload
{
"customer_token_response": {
"result": "STEP_UP_REQUIRED"
},
"payment_request": {
"payment_request_id": "krn:payment:us1:request:bcb5ca7d-[...]",
"payment_request_reference": "acquiring-partner-request-reference-1234",
"expires_at": "2026-04-01T19:53:15.738Z",
"created_at": "2026-04-01T16:53:15.738Z",
"updated_at": "2026-04-01T16:53:15.738Z",
"state": "SUBMITTED",
"supplementary_purchase_data": { },Return URLs for step-up scenario
Acquiring Partners must include return URLs in the step_up_config when calling authorizePayment to enable the step-up scenario.
These URLs, set inside the customer_interaction_config object, tell Klarna where to redirect the customer after they complete or stop the Purchase Journey.
return_url
If the Klarna Purchase Journey is launched in a web environment, Klarna redirects the customer to the return_url after they finish — whether they complete or stop the flow. This can be a URL managed by the Acquiring Partner (which handles redirection logic) or one collected directly from the Partner.
app_return_url
On mobile, the customer may be redirected to a third-party app (such as a bank app) or the Klarna app during the Purchase Journey. The app_return_url brings the customer back to the Partner's mobile app when this happens.
Partners must register a URL scheme (e.g., yourapp://klarna) or a universal link that resumes the payment flow. Klarna invokes this URL after the customer completes a native app-based step, such as biometric authentication or Klarna app login. Partners are expected to resume the mobile app in its last state without applying state changes or deep link navigations.
Interaction scenarios
The return_url and app_return_url are not mutually exclusive. Depending on the device and environment, either or both may be triggered:
| Scenario | Description |
|---|---|
| Pure web flow | The customer starts the Purchase Journey in a desktop browser. After completing the flow, Klarna redirects them to return_url. |
| App-to-app flow | The Partner's native app opens the Purchase Journey using a universal link. If the Klarna app is installed, the customer goes directly into it. After completion, Klarna redirects them to app_return_url. |
| WebView flow with app handover | The Partner's native app starts the Purchase Journey in a System WebView. If the customer must authenticate via an external banking app, app_return_url returns them to the Partner's app mid-flow. They then resume in the WebView and, on completion, are redirected to return_url. |
If the Acquiring Partner already collects a suitable return_url or app_return_url from the Partner, do not request a second one — this would increase the minimum integration requirements for Klarna to work.
Return authorization outcomes to the Partner
Map the Klarna authorization result to the Partner-facing API response according to the authorization outcome. The response may include a payment_request_url and/or a klarna_network_response_data parameter.
Requirements
payment_request_urlMUST be returned directly to the Partner in an existing field and MUST NOT be wrapped or hidden behind Acquiring Partner-managed redirects.- Use exact parameter name
klarna_network_response_datain the Partner-facing API to ensure Partners can easily identify and use the parameter. Treat this value as an opaque string; do not validate or infer its structure.
Below are examples of how Acquiring Partners can return the klarna_network_response_data parameter in their Partner-facing APIs depending on the authorization outcome.
{
"payment_id": "pr_27234RBQD9NAKD032BN",
"amount": 17800,
"currency": "USD",
"status": "open",
"url": "https://pay.test.klarna.com/na/requests/aeba9923-[...]/start",
"additional_data": {
"klarna_network_response_data": "{\"content_type\":\"vnd.klarna.network-data.v2+json\",\"content\":{\"operation\":\"payment_request\",\"response\":{\"result\":\"STEP_UP_REQUIRED\",\"payment_request\":{\"payment_request_id\":\"krn:payment:us1:request:10b51071-[...]\",\"payment_request_url\":\"https://pay.test.klarna.com/na/requests/aeba9923-[...]/start\"}}}}"
}
}What happens next:
With the payment_request_url, the Partner will handle the step-up scenario and launch the Klarna Purchase Journey (see Step 5).
Avoid intermediate redirects
Acquiring Partners should expose Klarna's payment_request_url directly to Partners rather than routing through an Acquiring Partner-owned URL.
Using an intermediate redirect under the Acquiring Partner's domain causes the following issues:
| Issue | Impact |
|---|---|
| Reduced app handover success | Cross-domain redirects reduce the likelihood of a successful handover to the Klarna app, negatively impacting Klarna's purchase conversion rate. |
| Incompatibility with Klarna web SDK integration | Not compatible with Partners using the Klarna web SDK for pop-up flows on websites or app-to-app handoff in native mobile apps. |
| Network issues | Frontend redirects expose customers to network issues. |
Step 5: Partner handles step-up scenario
When step-up is triggered, authorizePayment returns a STEP_UP_REQUIRED result along with a Payment Request containing the payment_request_url and klarna_network_response_data which the Partner needs in order to launch the Klarna Purchase Journey, either through a redirect or a pop-up experience.
The Purchase Journey allows the customer to authenticate with Klarna (via login, one-time passwords, etc.), choose a payment method, and accept the payment.
Phone collection in the Klarna Purchase Journey
What happens next:
When the customer completes step-up, Klarna sends a webhook with the token(s). Your next step depends on the scenario:
- Tokenization only: Extract the
customer_tokenfromklarna_customer.customer_tokenin the webhook payload, store it securely, and return the internal token identifier to the Partner. No further API call is needed. - Tokenization combined with authorization: Use the
klarna_network_session_tokenfrom the webhook to call the Payment Authorize API and complete the initial Payment Authorization, then store thecustomer_tokensecurely (Step 6).
See Step 6 for webhook monitoring details.
Step 6: Monitor step-up completion
When the payment.request.state-change.completed webhook arrives, tokenization is complete — the customer_token is available in the payload regardless of scenario. For the Tokenization only scenario, no further API call is needed: store the token and return the result to the Partner. For the Tokenization combined with authorization scenario, proceed to Step 6 to finalize the initial Payment Authorization.
To retrieve the required token(s), Klarna provides multiple integration methods. Subscribing to Klarna webhook events is required and may be combined with additional methods to improve resilience.
Using webhooks ensures reliable completion handling, particularly when the customer closes the browser before returning, network interruptions occur during redirects, or post-processing is required before notifying the customer.
Method: Subscribe to webhook events (required)
Subscribe to the payment.request.state-change.completed webhook event using the Klarna webhook guidelines. Klarna sends this event when the Payment Request reaches the COMPLETED state.
This event indicates that the customer has finished the step-up interaction and that the Acquiring Partner can proceed with finalizing the authorization.
Sample payload
{
"metadata": {
"event_type": "payment.request.state-change.completed",
"event_id": "d9f9b1a0-5b1a-4b0e-9b0a-9e9b1a0d5b1a",
"event_version": "v2",
"occurred_at": "2026-04-01T16:55:17Z",
"correlation_id": "2d1557e8-17c3-466c-924a-bbc3e91c2a02",
"subject_account_id": "krn:partner:global:account:test:HGBY07TR",
"recipient_account_id": "krn:partner:global:account:test:LWT2XJSE",
"product_instance_id": "krn:partner:product:payment:ad71bc48-8a07-[...]",
"webhook_id": "krn:partner:global:notification:webhook:120e5b7e-abcd-[...]",
"live": falseMethod: Read the Payment Request (optional/fallback)
As an alternative method, retrieve the Klarna token(s) by calling the readPaymentRequest.
Once the Payment Request reaches the COMPLETED state, the token(s) are available in the state_context object of the Payment Request.
Sample payload
{
"payment_request_id": "krn:payment:us1:request:bcb5ca7d-[...]",
"state": "COMPLETED",
"previous_state": "IN_PROGRESS",
"state_context": {
"klarna_customer": {
"customer_token": "krn:partner:us1:test:identity:customer-token:Rt4iBjqKBM[...]",
"customer_token_reference": "subscription-user-12345"
}
},
"expires_at": "2026-04-01T19:53:15.738Z",
"created_at": "2026-04-01T16:53:15.738Z",Step 7: Complete the initial Payment Authorization
This step applies only to the Tokenization combined with authorization scenario. Tokenization is already complete after step-up — the customer_token is delivered in the webhook payload.
To process the initial Payment Authorization, call the authorizePayment using:
- The newly obtained
klarna_network_session_tokenin theKlarna-Network-Session-Tokenrequest header - The same payment context (
amount,currency,supplementary_purchase_data,klarna_network_data) used in the initial request - The same
payment_transaction_referenceto link the requests
Finalization request example
curl https://api-global.test.klarna.com/v2/accounts/{partner_account_id}/payment/authorize \
-H 'Authorization: Basic <API key>' \
-H 'Content-Type: application/json' \
-H 'Klarna-Network-Session-Token: krn:network:us1:test:session-token:eyJhbGciOiJFU[...]' \
-d '{
"currency": "USD",
"request_payment_transaction": {
"amount": 999,
"payment_option_id": "S0xBUk5BXzE3NzI3MjQ5MTQzMjk=",
"payment_transaction_reference": "subscription-first-payment-001"
},
"request_customer_token": {If the klarna_network_session_token has expired (1-hour validity) or the payment context doesn't match the initial request, the finalization call returns DECLINED.
Klarna evaluates the Payment Request and returns one of the following results for payment_transaction_response:
| Result | Description | Next steps |
|---|---|---|
APPROVED | The Payment Authorization succeeded and a payment_transaction was created. The customer_token is returned in customer_token_response and is ready for future use. | Store the customer_token securely and return the payment result to the Partner. |
DECLINED | The Payment Authorization failed. No payment_transaction was created. The customer_token is still returned in customer_token_response and is valid for future use. | Return the failure result to the Partner. Store the customer_token securely — it remains valid despite the Payment Authorization failure. |
Sample payload
{
"payment_transaction_response": {
"result": "APPROVED",
"payment_transaction": {
"payment_transaction_id": "krn:payment:us1:transaction:5cb3e0e5-a6f0-[...]",
"amount": 999,
"currency": "USD",
"payment_pricing": { "..." : "..." },
"payment_funding": {
"type": "GUARANTEED",
"state": "FUNDED"
}Step 8: Return final authorization outcomes to the Partner
Map the Klarna authorization result to the Partner-facing API response and return the klarna_network_response_data.
Requirements
- Treat this value as an opaque string; do not validate or infer its structure.
- Use exact parameter name
klarna_network_response_datain the Partner-facing API to ensure Partners can easily identify and use the parameter. - All returned data MUST be forwarded without modification.
Below is an example of how Acquiring Partners can return the klarna_network_response_data parameter in their Partner-facing APIs.
{
"payment_id": "pr_27234RBQD9NAKD032BN",
"amount": 999,
"currency": "USD",
"status": "completed",
"additional_data": {
"klarna_network_response_data": "{\"content_type\":\"vnd.klarna.network-data.v2+json\",\"content\":{\"operation\":\"payment_request\",\"response\":{\"result\":\"APPROVED\",\"payment_transaction\":{\"payment_transaction_id\":\"krn:payment:us1:transaction:5cb3e0e5-a6f0-[...]\"}}}}"
}
}Next steps
- Payment Tokenization resource — Understand token scopes, authorization patterns, and lifecycle management
- Authorize Partner-initiated transactions — Use the stored customer token to charge customers when they are not present
- Manage payment transactions — Capture, refund, or cancel authorized payments
Related articles
API & SDK references