For security reasons related to payments and in order to avoid fraudulent operations, the embedded form relies on a merchant server that must be provided by you.
This server responds to several needs:
- Ensure that the transactions to be transmitted to the payment gateway correspond to purchases on your merchant website and that the amounts and currencies match.
- Securely store your communication keys with the payment gateway.
- Receive instant notifications from the payment gateway upon each payment event (accepted, rejected, etc.).
Embedded form (Browser),
Payment gateway server
Three keys are needed for authenticating your exchanges with the payment gateway:
|Server to server key||For calls to Web Services.|
|Signature key||In order to check the authenticity of the data returned to the IPN or during the return of the payment form in the browser.|
Sign in to the
Merchant Back Office
The keys are available in the
Finding the keys
You can retrieve your API keys and connection identifiers from the
In the Settings > Shop menu, select your shop and go to the REST API keys tab.
The tab contains all the information required for authentication:
Keep production password
As soon as the first payment is made with a real card, the production password is hidden for security reasons. We strongly advise you to keep this password in a safe place (encrypted file, database etc.). In case of loss, the merchant will have the option to generate a new one from his
Keys of server to server calls
The REST payment Web Services use Basic HTTP authentication for securing the calls between the merchant server and the payment gateway servers (see Authentication phase for more information). In order to proceed to authentication, you need a login and a password.
They can be retrieved in the REST API Keys tab of the
|User||Username for building the header Authorization string.|
|Test password||Password for building the header Authorization string for test transactions (with test cards).|
|Production password||Password for building the header Authorization string for production transactions (with real cards).|
For more information on the implementation, see Implementation using different programming languages.
The IPN signature is performed with the password. For more information, go here Use of IPN (notification URL).
I do not have an active account
If you do not yet have access to the
|Public test key||73239078:testpublickey_Zr3fXIKKx0mLY9YNBQEan42ano2QsdrLuyb2W54QWmUJQ|
|HMAC SHA256 test key||VgbDd550wI6W1rwODGy56QAUkUQwIEdwXG5ziDUUC72BS|
These keys are 100% functional. However, it is not possible to access the