With the Braintree Drop-in UI pattern, saved payment methods are stored by Braintree. In other words, when a customer requests that their card be saved for future use, Broadleaf doesn’t receive any form of id or token for the payment method. Instead, we must provide the same customer id when creating a Braintree client token.
To ensure that customers cannot gain access to another customer’s payment methods, we only create the Braintree client token via a Broadleaf endpoint surfaced in PaymentTransactionServices where we resolve the customer id from the authorized user data. Therefore, the user must be an authenticated Broadleaf customer to resolve their saved payment methods.
To access their saved payment methods, the customer must log in to their account. Doing so allows Broadleaf to declare the id of the known customer to Braintree. From there, Braintree’s Drop-in UI surfaces the customer’s saved payment methods as available options in the payment section of the checkout flow.
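The following added example (not Broadleaf's or Braintree's code) contrasts a client-token handler that trusts a request-supplied customer id with one that resolves the id only from the authenticated user, as the endpoint described above does. `ClientTokenGateway`, `AuthenticatedUser`, the method names, and the sample ids are hypothetical stand-ins, and issuing an unbound token to unauthenticated callers is an assumption.

```java
import java.util.Map;
import java.util.Optional;

public class ClientTokenExample {

    // Hypothetical stand-in for the Braintree call that issues a client token.
    interface ClientTokenGateway {
        String generate(Optional<String> customerId);
    }

    // Hypothetical view of the authorized user data attached to a request.
    record AuthenticatedUser(String customerId) {}

    // Weak: the customer id is taken from a caller-controlled request parameter,
    // so the token is bound to whichever customer the caller names.
    static String tokenFromRequestParam(Map<String, String> params, ClientTokenGateway gateway) {
        return gateway.generate(Optional.ofNullable(params.get("customerId")));
    }

    // Pattern from the text: the customer id comes only from the authenticated
    // user; request parameters are never consulted. Assumption: a caller with
    // no authenticated user gets a token bound to no customer.
    static String tokenForAuthenticatedUser(Optional<AuthenticatedUser> user, ClientTokenGateway gateway) {
        return gateway.generate(user.map(AuthenticatedUser::customerId));
    }

    public static void main(String[] args) {
        // Constructed sample data: the fake gateway echoes the bound customer.
        ClientTokenGateway gateway = id -> "token[customer=" + id.orElse("none") + "]";
        Map<String, String> params = Map.of("customerId", "customer-B");
        Optional<AuthenticatedUser> loggedIn = Optional.of(new AuthenticatedUser("customer-A"));

        // customer-A is logged in but the request names customer-B.
        System.out.println("weak:     " + tokenFromRequestParam(params, gateway));
        System.out.println("hardened: " + tokenForAuthenticatedUser(loggedIn, gateway));
        System.out.println("guest:    " + tokenForAuthenticatedUser(Optional.empty(), gateway));
    }
}
```

Because the hardened method has no request-parameter argument at all, a review or test can confirm by signature alone that the customer binding cannot be influenced by the caller.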