API tokens
The pawaPay Merchant API can only be used with an authentication token. You can read more about how this token can be used to access our API from our API docs.
This functionality is available to users with the Technical Administration role. Read more about User roles.
Generating an API token
Press the “Generate Token” button to generate an API token. You can have at most 2 active API tokens at a time.
You can use the “Copy to clipboard” button to easily copy the API token.
Store your token safely as pawaPay does not store your token after generating it for security reasons.
You need to configure your Callback URLs to be able to generate API tokens.
Active API tokens
Your active API tokens are listed together with the information about who generated them, when they were generated, and the Token ID. Note that the Token ID is not usable as the token itself but is only used for identifying a specific token when contacting our support team.
Revoking tokens
If you need to revoke an API token, you can press the “Revoke” button which is found under the “Actions” column.
Revoking an API token will immediately stop all payments that use the given token to authenticate API calls!
Signed requests
You can enable pawaPay to only accept signed requests for financial calls. You will need to provide us with the public key of the key pair you are signing your requests with.
Accepted algorithms
We accept 4 kinds of encryption algorithms:
- RSASSA-PSS Using SHA-512
- RSASSA-PKCS1-v1_5 Using SHA-256
- ECDSA Using Curve P-256 DSS and SHA-256
- ECDSA Using Curve P-384 DSS and SHA-384
Adding a public key
Add your public key
You can add your public key by navigating to the Security tab and pressing on “Add public key”.
Enter public key details
You will then be presented a window where you can:
- Name your public key
- Enter the public key itself
- Choose whether you want to immediately start accepting only signed requests
And done!
After successfully adding a key you will be able to view and remove it.
You can also switch this feature on and off by using the toggle. Switching the feature off will not remove any existing keys.
Signed callbacks
Enable this feature to make pawaPay sign all callbacks. You can then verify those signatures when receiving the callback to ensure they have not been tampered with and are coming from pawaPay.
Read more about signed callbacks in our API docs.