# Merchant Account Credentials As described [here](/getting-started/authentication.md), the API requires that certain headers are sent for the various requests. To be specific, the `public-key`header is mandatory for all the API requests and the `secret-key` is required only in a few situations as the documentation will advise along the way. The other critical variable is the **signing key**, a randomly generated string stored on the merchant accout record, whose sole purpose is to support the generation of the HMAC Hash signature sent alongside the merchant callbacks. When the merchant account is created and approved by the admins, all the above 3 mentioned values are generated and securely stored. The public-key (as its name suggests) is dislayed among the merchant account details in plain text. The signing key too is displayed in plain text for the merchant to view it. The secret key on the other hand is stored as a strongly hashed value and the gateway team never gets to see the plain text version of this secret key. The merchant should therefore generate a new secret key from their dashboard in order to temporarily see the secret key in plain text and get a chance to store is somewhere safe. The merchant is at liberty to re-generate just the secret key OR all the keys mentioned above, that way in case of compromise, the merchant has full control of the keys change without needing the gateway support team. The table below advises further. | | | | ------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------- | | If you wish to generate only the secret key and the other keys remain the same | [Generate Secret Key](/getting-started/merchant-account-credentials/generate-secret-key.md) | | If you wish to generate a fresh set of credentials and replace all the existing ones | [Regenerate Security Keys](/getting-started/merchant-account-credentials/regenerate-security-keys.md) | {% hint style="info" %} We strongly recommend routine change of the credentials as a security measure especially in situations where integration work is outsourced to parties external to the merchant/organization. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://developer.ellypayapp.com/getting-started/merchant-account-credentials.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.