Mint Embed Token
Create a short-lived pass (an “embed token”) that lets one of your users do
one specific job inside a Finogate-hosted page shown on your website. Right
now that job is adding a card (add_card).
The pass lasts about 10 minutes. Take the token we return and load
the page inside an iframe on your site, like this:
<iframe src="{embed_url}#token={token}&mode={mode}"></iframe>
The pass only works for the one user it was created for, and only for that one job — it can’t be used for anything else.
Authorizations
The access token received from the authorization server in the OAuth 2.0 flow.
Body
Request body for POST /v1/platform/embed-tokens.
The end-user the iframe will act on behalf of. Must be an end_user belonging to the calling tenant.
The origin of the page that will embed the iframe (e.g. https://app.example.com). Used as the postMessage targetOrigin so success payloads cannot leak to other windows. Must be a bare origin: scheme + host + optional port, no path.
255Which embed surface the token authorises. Today the only supported scope is add_card.
add_card, add_bank, card_payment Optional. Only honored when scope='add_card'. Pins the card to a specific approved card-processing merchant account (the id returned by GET /v1/platform/card-processing/users/{user_id}). Omit to use the user's deterministically selected default merchant.
Response
Successful Response
Standard response wrapper for single-object responses and errors.
Generic over the payload type. A route that declares
CommonResponse[SomeModel] gets the real data schema rendered in
OpenAPI/Swagger; a bare CommonResponse leaves data untyped.