I am currently using the braintree server package (Node.js) and am working towards implementing subscriptions.
As an intermediate step, I'm managing a list of payment methods for each customer, which is found inside a customer object: customer.paymentMethods.
I want to be sure that passing this list directly to the client is an ok thing to do. Essentially, I'd like to list all of the current payment methods, and also create a way to add new ones / remove existing ones. When a payment method is selected, I can pass the payment_method_token to the server to perform a particular action with this payment method.
As I'm only passing payment tokens to the user when they have the proper session, it seems safe to be passing tokens around in this way, but I want to be positive that I'm doing this correctly.
Can somebody verify whether or not this approach is ok?
Seems to me that 1) this is a lot of unneeded work and 2) not really what you should be doing...
You should be passing the payment nonce around - the SDKs do all the other work for you - https://developers.braintreepayments.com/start/overview
Specifically, for the subscription flow, see https://developers.braintreepayments.com/guides/recurring-billing/create/node - you need the paymentMethodToken, which comes from the nonce (either from the client or one stored on your server) and a planID that is set up in the Control Panel. The paymentMethodToken is not passed around, it is created (and can/should be stored) server side.