Merchant Account Credentials

As described here, the API requires that certain headers are sent for the various requests. To be specific, the public-keyheader is mandatory for all the API requests and the secret-key is required only in a few situations as the documentation will advise along the way. The other critical variable is the signing key, a randomly generated string stored on the merchant account record, whose sole purpose is to support the generation of the HMAC Hash signature sent alongside the merchant callbacks.

When the merchant account is created and approved by the admins, all the above 3 mentioned values are generated and securely stored. The public-key (as its name suggests) is displayed among the merchant account details in plain text. The signing key too is displayed in plain text for the merchant to view it. The secret key on the other hand is stored as a strongly hashed value and the gateway team never gets to see the plain text version of this secret key. The merchant should therefore generate a new secret key from their dashboard in order to temporarily see the secret key in plain text and get a chance to store is somewhere safe.

The merchant is at liberty to re-generate just the secret key OR all the keys mentioned above that way in case of compromise, the merchant has full control of the keys change without needing the gateway support team. The table below advises further.