Merchant Account Credentials
For every approved merchant account, a set of credentials is automatically generated and stored on the record. This section describes how the merchant can manage the credentials after the account has been created.
As described here, the API requires that certain headers are sent with the various requests. Specifically, the public-key header is mandatory for all API requests, and the secret-key is required only in a few situations, as the documentation will advise along the way. The other critical variable is the signing key, a randomly generated string stored on the merchant account record, whose sole purpose is to support the generation of the HMAC hash signature sent alongside the merchant callbacks.
When the merchant account is created and approved by the admins, all three values mentioned above are generated and securely stored. The public-key (as its name suggests) is displayed among the merchant account details in plain text. The signing key is also displayed in plain text for the merchant to view. The secret key, on the other hand, is stored as a strongly hashed value, and the gateway team never gets to see the plain text version of this secret key. The merchant should therefore generate a new secret key from their dashboard in order to temporarily see the secret key in plain text and get a chance to store it somewhere safe.
The merchant is at liberty to re-generate just the secret key OR all the keys mentioned above. That way, in case of compromise, the merchant has full control over changing the keys without needing the gateway support team. The table below advises further.
If you wish to generate only the secret key and the other keys remain the same
If you wish to generate a fresh set of credentials and replace all the existing ones
We strongly recommend routinely changing the credentials as a security measure, especially in situations where integration work is outsourced to parties external to the merchant/organization.
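An added example, not the gateway's own code: a merchant-side check of the callback signature that keeps working across a signing-key change. The page does not state the hash function, the encoding or which bytes are signed, so hex-encoded HMAC-SHA256 over the raw request body is assumed; accepting the previous key for a short overlap is also an assumption, and all names and sample values are constructed.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed sample values (not real credentials or a real gateway payload).
OLD_KEY = "example-old-signing-key"
NEW_KEY = "example-new-signing-key"
BODY = b'{"reference":"TEST-0001","status":"SUCCESSFUL","amount":1000}'


def sign_callback(signing_key: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw callback body (assumed scheme)."""
    return hmac.new(signing_key.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_callback(raw_body: bytes, received_sig: Optional[str],
                    signing_keys: List[str]) -> bool:
    """True only if received_sig matches raw_body under an accepted key.

    signing_keys: current key first, optionally followed by the previous key
    during a routine rotation. After a suspected compromise, pass only the
    new key so signatures made with the old one are rejected immediately.
    """
    if not received_sig or not signing_keys:
        return False
    candidate = received_sig.strip().lower().encode("utf-8")
    matched = False
    for key in signing_keys:
        expected = sign_callback(key, raw_body).encode("ascii")
        # Constant-time comparison; every key is checked, with no early exit.
        matched |= hmac.compare_digest(expected, candidate)
    return matched


def demo() -> dict:
    """Run the verifier over the constructed cases and return the verdicts."""
    sig_new = sign_callback(NEW_KEY, BODY)
    sig_old = sign_callback(OLD_KEY, BODY)
    tampered = BODY.replace(b"1000", b"9000")
    return {
        "current_key": verify_callback(BODY, sig_new, [NEW_KEY]),
        "old_key_during_overlap": verify_callback(BODY, sig_old, [NEW_KEY, OLD_KEY]),
        "old_key_after_cutover": verify_callback(BODY, sig_old, [NEW_KEY]),
        "tampered_body": verify_callback(tampered, sig_new, [NEW_KEY]),
        "missing_signature": verify_callback(BODY, None, [NEW_KEY]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Verify against the exact bytes received, before any JSON parsing or re-serialization, since a re-encoded body will not produce the same HMAC.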