Overview
Basis Theory Elements provides a secure method for tokenizing credit card information on the frontend. Card data is tokenized directly with Basis Theory — sensitive card details never touch your servers. This reduces your PCI scope by avoiding sensitive data transmission through your servers.
Use Rye’s Basis Theory Key to Generate Card Tokens
To generate a Basis Theory card token for confirming a Rye checkout intent, you must use Rye’s Basis Theory public key, not your own Basis Theory key.
This ensures the token is created under Rye’s account. Using your own key will cause the checkout intent to fail.
Generate a Scoped Token
For better security, Rye requires developers to generate a scoped token. Doing so ensures that even if someone obtains your token ID, they will not be able to use it — the token is tied to your Rye account and must match your account credentials to function.
To scope the token, do the following:
- Create a session via Rye’s createSession endpoint. The response will return a session key and a container value.
- Use the returned session key in the BT-API-KEY header and pass the container value in the request body when creating the token.
The following example demonstrates how to do this using Rye’s TypeScript SDK.
Generate a Token Using Demo App
You can use the demo app to generate a Basis Theory token for testing:
For the card number, use the test card number 4242 4242 4242 4242 with any future expiration date and any 3-digit CVC.
Alternatively, you can use the steps below to create a simple NextJS app to generate the token.
Generate a Token Using Basis Theory React Elements
This guide walks through the Basis Theory React Elements approach, including a NextJS demo app. For a complete example, see rye-com/basis-theory-cc-capture-ui.
Create a New NextJS App
Install Dependencies
NextJS Example Code
Create src/app/actions.ts with code below.
checkout-intents sdk does not support client-side usage, so the session creation must be done in a server action. The createBasisTheorySession function creates a session with Basis Theory and returns the session key and container value, which are needed to scope tokens to your Rye account.
Create /src/app/CardTokenizer.tsx with code below.
Update src/app/page.tsx with code below.
Run the App Locally
The app will run locally at http://localhost:3000. Open that page in your browser to enter card details and generate a Basis Theory token. The token will be returned in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
For testing in the Rye staging environment, use the test card number 4242 4242 4242 4242 with any future expiration date and any 3-digit CVC.
Generate a Token Using Other Basis Theory SDKs
In addition to React, Basis Theory provides SDKs for other platforms, including vanilla JavaScript, iOS, and Android. The flow is similar across SDKs: initialize Basis Theory with Rye’s public key, present the card entry UI, and Basis Theory will return a token that you can pass to Rye.
Use the Token with Rye
Once you have a Basis Theory token, you can use it to complete a purchase through the Rye API. There are two flows available: a single-step purchase and a two-step flow.
Single-Step Purchase
Submit a complete purchase in one call by providing the product, buyer details, and payment method together:
Two-Step Flow
If you have already created a checkout intent, you can submit payment separately using the intent ID:
Refresh the CVC for Reused Tokens
Basis Theory tokens can be reused across multiple orders, but the CVC stored on a token expires 60 minutes after it was last collected. After that, attempts to confirm a checkout intent with the token will fail until the CVC is refreshed.
There are two ways to refresh the CVC, both of which use the Update Token endpoint and require a scoped token created from a Rye Basis Theory session.
Option 1: Recollect the CVC with the Card Verification Code Element
Use the Basis Theory CardVerificationCodeElement to recollect the CVC from the cardholder. The CVC is sent directly from the browser to Basis Theory and never touches your servers.
Option 2: Update the Token Directly
If you already have the CVC available in plain text on a PCI-compliant server, you can update the token directly by calling the Basis Theory Update Token endpoint with the scoped session key.
After refreshing the CVC, the token can be used to confirm another checkout intent.
Notes
- Sensitive card data is handled entirely by Basis Theory and never touches your servers, reducing your PCI scope.