Why should the first call (GenerateToken) be done via a server-to-server call?
The data needed to execute a transaction fall into two broad categories: data entered by the shopper, and data that must be neither changeable by nor visible to the shopper. Address data and card data are typically entered by the shopper. The amount, the decision whether the transaction is a credit or a debit, and the login data must not be changeable by the shopper. These data (secrets and non-changeable data) should be sent in the first call (GenerateToken) via a server-to-server call.
Is it possible to override data which are already sent within the first call (GenerateToken)?
Normally, data that has been sent once cannot be overwritten. We use this as an additional security mechanism that protects the request data from subsequent modification.
If you still need to modify data, please have a look at this article: Overwrite Token Parameter - Security Secret
Is it possible to send more than one transaction for the same token?
Each requested token is connected to a single transaction.
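As an added illustration of the model described in the answers above (not COPYandPAY's own code or API; every field name, function name and sample value below is a hypothetical, constructed placeholder), the following server-side sketch binds the non-changeable data to a token in step 1, accepts only shopper-entered fields afterwards, rejects any attempt to override a locked field, and lets each token be consumed by exactly one transaction:

```python
import secrets

# Fields only the merchant's server may set, in the server-to-server
# GenerateToken call (hypothetical names); the shopper must never change them.
LOCKED_FIELDS = {"amount", "currency", "payment_type", "merchant_login"}
# Fields the shopper is expected to enter in the browser (hypothetical names).
SHOPPER_FIELDS = {"card_number", "card_expiry", "card_holder",
                  "street", "city", "postcode", "country"}

_tokens = {}  # hypothetical in-memory token store: token -> record


def generate_token(server_data):
    """Step 1 (server to server): bind the immutable data to a fresh token."""
    missing = LOCKED_FIELDS - server_data.keys()
    if missing:
        raise ValueError(f"missing locked fields: {sorted(missing)}")
    token = secrets.token_urlsafe(24)
    _tokens[token] = {"locked": dict(server_data), "shopper": {}, "used": False}
    return token


def submit_shopper_data(token, shopper_data):
    """Shopper-side submission: only shopper fields are accepted. Any attempt
    to set a locked field is rejected, mirroring the rule that data sent in
    GenerateToken cannot be overwritten later."""
    record = _tokens[token]
    if record["used"]:
        raise PermissionError("token already consumed by a transaction")
    overrides = set(shopper_data) & LOCKED_FIELDS
    if overrides:
        raise PermissionError(f"attempt to override locked fields: {sorted(overrides)}")
    unknown = set(shopper_data) - SHOPPER_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    record["shopper"].update(shopper_data)
    return True


def consume_token(token):
    """One transaction per token: merge locked and shopper data once, then
    mark the token as spent so it cannot back a second transaction."""
    record = _tokens[token]
    if record["used"]:
        raise PermissionError("token already consumed")
    record["used"] = True
    return {**record["locked"], **record["shopper"]}
```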
Do the server-to-server calls from step 1 and step 3 require whitelisting of the merchant's IP addresses?
No, IP whitelisting is not required for COPYandPAY.