Xoxoday Plum’s redemption portal authenticates customers via short-lived, cryptographically signed SSO tokens that carry pseudonymous identity and session metadata, eliminating re-login while keeping underlying account details confined to the bank’s own systems.
How Xoxoday Plum handles SSO in the redemption marketplace
When a customer clicks through to the Xoxoday Plum rewards marketplace from a bank’s authenticated channel — such as a mobile banking app or internet banking portal — they arrive already authenticated. No separate login screen appears. Xoxoday Plum achieves this through a token-based SSO flow that the bank’s backend initiates at the moment of handoff. The bank generates a short-lived, cryptographically signed token and passes it to Xoxoday Plum in the redirect request. That token carries a pseudonymous customer identifier rather than raw account credentials, which means no personally identifiable banking data travels outside the bank’s own systems at any point.

What the token contains
Each token includes three categories of session metadata. First, a pseudonymous customer identifier — typically a hashed or masked reference — maps the customer to their loyalty account without exposing core banking credentials. Second, a timestamp and expiry field constrains the token’s validity to a short window (usually seconds to a few minutes), neutralising replay attacks if the token is ever intercepted in transit. Third, a checksum or digital signature lets Xoxoday Plum confirm the token originated from the bank’s trusted system by validating it against a pre-shared key or public certificate.

How Xoxoday Plum validates and creates the session
On receipt, Xoxoday Plum verifies the token signature, confirms it has not expired, and creates an in-app session scoped to that customer. Xoxoday Plum then fetches the customer’s points balance and eligible rewards catalog in the same call, so the marketplace loads pre-populated and ready for redemption — no additional authentication steps required. Validation is stateless on Xoxoday Plum’s side: the token is the sole proof of identity and no session state is retained beyond the token’s own expiry window.

A real-world example
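The mint-and-verify round trip described in the two sections above, written out as an added example. This is illustrative code, not Xoxoday Plum’s or any bank’s implementation: it assumes an HMAC-SHA256 signature over a JSON payload using a pre-shared key (the text also allows a public-certificate scheme), a base64url `payload.signature` wire format, the claim names `sub`, `iat`, `exp` and `iss`, and a 120-second validity window. All of those choices, the key value and the customer reference are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed pre-shared key for this example only. In practice one key would be
# provisioned per bank out of band (an assumption about deployment, not a stated fact).
SHARED_KEY = b"example-pre-shared-key-do-not-reuse"
TOKEN_TTL_SECONDS = 120   # "seconds to a few minutes" per the text; value is assumed
CLOCK_SKEW_SECONDS = 30   # tolerance for bank/marketplace clock drift (assumed)


class TokenError(ValueError):
    """Raised when a token must be rejected; the message says why, for logging."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pseudonymous_id(customer_ref: str, key: bytes = SHARED_KEY) -> str:
    """Keyed hash of the bank-side customer reference, so the token itself never
    carries an account number or login. Same input + key -> same id (needed for
    the loyalty-account lookup); without the key it cannot be reversed."""
    return hmac.new(key, customer_ref.encode(), hashlib.sha256).hexdigest()[:32]


def mint_token(customer_ref: str, now=None, key: bytes = SHARED_KEY,
               ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Bank side: build the three metadata categories (pseudonymous id, issued-at and
    expiry, signature) and encode them as payload.signature."""
    now = int(time.time()) if now is None else now
    claims = {"sub": pseudonymous_id(customer_ref, key), "iat": now,
              "exp": now + ttl, "iss": "bank-mobile-app"}
    # Canonical JSON so the bytes that are signed are exactly the bytes sent.
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64url(body) + "." + _b64url(sig)


def verify_token(token: str, now=None, key: bytes = SHARED_KEY,
                 max_ttl: int = TOKEN_TTL_SECONDS) -> dict:
    """Marketplace side: check the signature before trusting any claim, then the
    validity window, and return the claims a session would be scoped to.
    Nothing is stored: the token is the only proof of identity."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = _b64url_decode(body_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        raise TokenError("malformed token")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        raise TokenError("bad signature")
    claims = json.loads(body)
    if claims["exp"] <= now:
        raise TokenError("expired")
    if claims["iat"] > now + CLOCK_SKEW_SECONDS:
        raise TokenError("issued in the future")
    if claims["exp"] - claims["iat"] > max_ttl:
        # A correctly signed token with an over-long window is still rejected, so a
        # misconfigured issuer cannot widen the replay window unilaterally.
        raise TokenError("validity window too long")
    return {"customer": claims["sub"], "expires_at": claims["exp"], "issuer": claims["iss"]}


if __name__ == "__main__":
    t = mint_token("cust-001")
    print("token:", t)
    print("session:", verify_token(t))
```

The order inside `verify_token` is the point worth copying: the signature is checked over the raw bytes before the JSON is parsed or any claim is read, so an attacker-supplied payload never influences control flow until it has been proven to come from the bank. Rejecting tokens whose `exp - iat` exceeds the agreed maximum closes the gap where a valid key is used with a misconfigured issuer. Because the check is stateless, a token replayed inside its window would still be accepted; that is what the short expiry is bounding.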
Consider a bank whose mobile app infrastructure is certified to ISO 27001 and SOC 2 Type II. When the customer taps “Redeem Points,” the bank’s backend mints a signed token and passes it to Xoxoday Plum via a secure HTTPS redirect. The rewards marketplace opens with the customer’s balance and catalog already loaded — the entire handoff completes in under a second, with no visible authentication interruption.

Why this approach matters for enterprise security teams
Tokenization means Xoxoday Plum never stores or transmits banking credentials. The pseudonymous identifier ensures that even a logged or intercepted token carries no actionable account data. Short expiry windows and signature verification together satisfy the zero-trust authentication posture that enterprise IT and compliance teams require — without introducing any friction for the end customer.