# User Tokens
source: https://developer.mastercard.com/mastercard-benefits-and-experiences-portal/documentation/use-cases/use-cases-3/index.md

## User Tokens Sequence {#user-tokens-sequence}

Create an SSO token for browsing and selecting benefits using a web page

API Reference: `GET /user-tokens`

The following sequence diagram shows the sequence of API calls between the different entities in this scenario.
Diagram use-case-3

## Sample Request and Response {#sample-request-and-response}

Use your own `partnerId` to make test calls to Sandbox API endpoints.

### Post the list of benefits selected by the cardholder in the "selectedBenefits" object. {#post-the-list-of-benefits-selected-by-the-cardholder-in-the-selectedbenefits-object}

Make a POST call with the cardholder's name, billing address, payment details and other user data. You can pass an optional `accessCodeExternalUniqueIdentifier` to notify the API of some additional identifier, such as an access code, that may affect the layout of a webview:

`POST https://sandbox.api.mastercard.com/the-portal/user-tokens`

```json
{
  "partnerId": 484,
  "partnerUUID": "ABC123456",
  "segmentCode": "BLACK",
  "emailAddress": "mastercard@priceless.com",
  "preferredLanguageCode": "en-US",
  "countryCode": "us",
  "accessCodeExternalUniqueIdentifier": "one_for_two",
  "firstName": "John",
  "lastName": "Doe",
  "billingAddress": {
    "countryCode": "us",
    "firstName": "John",
    "lastName": "Doe",
    "addressLine1": "123 Mission Street",
    "city": "San Francisco",
    "stateName": "California",
    "postalCode": "94105",
    "phone": 441132431751
  },
  "payment": {
    "creditCard": {
      "cardHolderName": "John Doe",
      "cardNumber": 5437870008012237,
      "expirationMonth": 1,
      "expirationYear": 2023
    }
  }
}
```

```json
{
	"msg": "OK",
	"data": {
		"accessToken": "e9U4fxfWEdVKJuU6bjS6"
	}
}
```

### Pass the newly generated `accessToken` in a webview URL. {#pass-the-newly-generated-accesstoken-in-a-webview-url}

You can find examples of URLs you need to use in a webview and screenshots the consumer will see in [Testing the API with a webview](https://developer.mastercard.com/mastercard-benefits-and-experiences-portal/documentation/tutorials-and-guides/test-webview/index.md).
Note: The token will expire in 20 minutes.