Hello Clever automatically generates a card token when a payment reaches authorised status. You can save this token and use it to create future payments for the same customer — no need for them to re-enter card details. This page covers how to use a saved token to create a payment and how to delete a token when it’s no longer needed.
For security, tokens are only returned in the webhook notification or API response when payment status changes to authorised or waiting. Store the token securely on your server — never expose it to the frontend.

How tokenisation works

1

Complete an initial payment

When a customer completes their first card payment (via S2S or SDK), Hello Clever returns a token object in the response and webhook once the payment is authorised.
2

Save the token

Store the token.id value in your system, associated with the customer’s account.
3

Charge the token for future payments

Use POST /v2/cards/tokenisation with the saved token ID instead of card details.

POST /v2/cards/tokenisation — Create Payment via Token

Create a card payment using a previously saved token. No card details are required.
app-id
string
required
Your application ID.
secret-key
string
required
Your secret key.
token_id
string
required
The saved token ID (e.g. tok_dfe1988a1ffc0d6562d3).
amount
number
required
Payment amount in cents.
currency
string
required
Currency code (AUD or USD).
external_id
string
required
Your internal order or reference ID.
capture
boolean
If true, captures automatically on authorisation. Defaults to true.
return_url
string
URL to redirect if 3DS re-authentication is required.
webhook_notification
object
Override the default webhook for this payment.
If the token’s underlying card has expired or the bank requires re-authentication, a 3ds_url will be returned in pay_code. Redirect the customer to complete authentication.

DELETE /v2/cards/tokens/:token_id — Delete Token

Permanently delete a saved card token. Use this when a customer removes a saved payment method from their account.
token_id
string
required
The token ID to delete (e.g. tok_dfe1988a1ffc0d6562d3).
Token deletion is permanent and cannot be undone. After deletion, any future payment attempts using this token will fail. Ensure your system removes the stored token ID to prevent failed charge attempts.