For security reasons related to payments and in order to avoid fraudulent operations, the embedded form relies on a merchant server that must be provided by you.
This server responds to several needs:
- Validate that the transactions that must be transmitted to the payment gateway correspond to purchases on your merchant website and that the amounts and currencies match,
- Securely store your keys of communication with the payment gateway,
- Receive instant notifications from the payment gateway upon each payment event (accepted, rejected, etc.),
Three keys are needed for authenticating your exchanges with the payment gateway:
|Server to server key||For calls to Web Services|
|Signature key||In order to check the authenticity of the data returned to the IPN or during the return of the payment form in the browser|
The keys are available in the
Sign in to the
Merchant Back Office:
- Enter your login. The login is sent to the merchant's e-mail address (the subject of the e-mail is Connection identifiers- [your shop name].
- Enter your password. The password is sent to the merchant's e-mail address (the subject of the e-mail is Connection identifiers- [your shop name].
- Click the Validate button to access the transaction management page
You can retrieve your API keys and authentication credentials from the
In the Settings > Shop menu, select your shop and go to the REST API keys tab.
The tab contains all the information required for authentication:
The REST payment Web Services use Basic HTTP authentication for securing the calls between the merchant server and the payment gateway servers (see Authentication phase for more information). In order to proceed to authentication, you need a login and a password.
They can be retrieved in the REST API Keys tab of the
|User||Username allowing to build the header Authorization string|
|Test password||Password allowing to build the header Authorization string for test transactions (with test cards).|
|Production password||Password allowing to build the header Authorization string for production transactions (with real cards).|
Fore more information on the implementation, see Implementation using different programming languages.
Two keys are available:
|Public test key||Public key for creating test payment forms.|
|Public production key||Public key for creating production payment forms.|
This is a so-called ‘public’ key as it is publicly visible in the source code of the page displayed by the buyer's browser.
The information is sent to the merchant in two cases:
|Server notification (IPN)||For each newly created transaction, we call your merchant servers to notify them.|
|Browser return||Once the payment has been made, the same information is posted to the embedded form and the merchant website.|
These two information flows can be intercepted or modified during their transmission. Therefore, a hashing process is used for allowing the merchant to check the authenticity and integrity of the received data.
There are two keys for this purpose:
|HMAC SHA256 test key||Allows to confirm data authenticity for test transactions.|
|HMAC SHA256 production key||Allows to confirm data authenticity for production transactions.|
If you do not yet have access to the
|Public test key||69876357:testpublickey_DEMOPUBLICKEY95me92597fd28tGD4r5|
|HMAC SHA256 test key||38453613e7f44dc58732bad3dca2bca3|
These keys are 100% functional. However, it is not possible to access the