Skip to main content
Portal sessions are the bridge from your server to the browser. You mint a token here with your secret key, hand it to your frontend, and @unitpay/react exchanges it for a customer-scoped billing UI — no secret key ever leaves your backend.
The token is a short-lived JWT scoped to one customer. Pass it to <UnitPayProvider portalToken={…}>; every hook and component in the React SDK reads the customer from it.

unitpay.portalSessions.create

Mints a portal session for one customer and returns the token to embed in your frontend. ParametersCreatePortalSessionParams:
customerId
string
required
The customer this session grants access to.
ttlSeconds
number
default:"3600"
Token lifetime in seconds. Min 60, max 86400.
ReturnsPromise<PortalSession>:
token
string
The JWT to pass to <UnitPayProvider portalToken={…}>.
expiresAt
string
ISO-8601 timestamp when the token expires.
Mint the token in a server route and return only the token to the browser:
app/api/portal-session/route.ts
import { UnitPay } from '@unitpay/node';

const unitpay = new UnitPay({ apiKey: process.env.UNITPAY_API_KEY });

export async function POST(req: Request) {
  const { customerId } = await getSession(req); // your auth

  const session = await unitpay.portalSessions.create({
    customerId,
    ttlSeconds: 3600,
  });

  return Response.json({ token: session.token });
}

unitpay.portalSessions.revoke

Invalidates portal tokens before they expire — for logout, or when a customer’s access changes. Revoke a single session by its jti, or every active session for a customer. ParametersRevokePortalSessionParams (one of):
jti
string
Revoke a single session by its JWT ID.
customerId
string
Revoke all active sessions for this customer.
ReturnsPromise<void>.
// Revoke every session for a customer (e.g. on account suspension)
await unitpay.portalSessions.revoke({ customerId: 'cus_123' });

See also

React SDK

Build the customer-facing billing UI the token powers.

UnitPayProvider

Where the portal token is consumed.