⚙️
DusuPay API Documentation
  • Introduction
  • Getting Started
    • Registration
    • Error Handling
    • Authentication
    • Merchant Account Credentials
      • Generate Secret Key
      • Regenerate Security Keys
    • Supported Countries/Regions
    • Transaction Limits
    • Sandbox Test Accounts
    • DusuPay Public Keys
  • Utility Functions
    • Balance Inquiry
    • Payment Options
    • Payout Bank Codes
    • Mobile Money Operator Prefixes
    • Handling Notifications/Callbacks
      • Callback Events
    • Transaction Status Verification
  • Funds Collection
    • Getting Started
    • Mobile Money Collection
      • Mobile Money - Direct Charge
      • Mobile Money - Hosted Page
    • NGN Bank Transfers
    • ZAR Bank Collections
    • Card Payments
      • Hosted Payment Page
      • Direct Card Payment (S2S)
  • Payouts/Disbursements
    • Getting Started
    • Mobile Money Payouts
    • Bank Account Transfers
  • Callbacks
    • HMAC Signature Verification
    • RSA Signature Verification
  • Appendix
    • Merchant Account Transfers
    • Availing Payout Funds
    • Sub Account Transfers
    • Funds Settlement
    • Transaction Audit Logs
    • Cross Currency Transactions
Powered by GitBook
On this page
  1. Getting Started

Merchant Account Credentials

For every approved merchant account, a set of credentials is automatically generated and stored on the record. This section describes how the merchant can manage credentials after the account creation

PreviousAuthenticationNextGenerate Secret Key

Last updated 10 months ago

As described , the API requires that certain headers are sent for the various requests. To be specific, the public-keyheader is mandatory for all the API requests and the secret-key is required only in a few situations as the documentation will advise along the way. The other critical variable is the signing key, a randomly generated string stored on the merchant account record, whose sole purpose is to support the generation of the HMAC Hash signature sent alongside the merchant callbacks.

When the merchant account is created and approved by the admins, all the above 3 mentioned values are generated and securely stored. The public-key (as its name suggests) is displayed among the merchant account details in plain text. The signing key too is displayed in plain text for the merchant to view it. The secret key on the other hand is stored as a strongly hashed value and the gateway team never gets to see the plain text version of this secret key. The merchant should therefore generate a new secret key from their dashboard in order to temporarily see the secret key in plain text and get a chance to store is somewhere safe.

The merchant is at liberty to re-generate just the secret key OR all the keys mentioned above that way in case of compromise, the merchant has full control of the keys change without needing the gateway support team. The table below advises further.

Scenario/Use case
Resource

If you wish to generate only the secret key and the other keys remain the same

If you wish to generate a fresh set of credentials and replace all the existing ones

We strongly recommend routine change of the credentials as a security measure especially in situations where integration work is outsourced to parties external to the merchant/organization.

here
Generate Secret Key
Regenerate Security Keys