Integration Security

ConnectPay secures server-to-server communications using mutual TLS (mTLS) or RSA public key. Here’s how to set it up:

Certificate Requirements:
- Provide a CA-issued full certificate chain in X509 ASCII Base64 format (PEM) with leaf, intermediate, and root certificates.
- Self-signed certificates are not accepted.
- Ensure the certificate chain is complete and in the correct order.
- More information about certificates can be found here.
Submission:
- Send the certificate chain to [email protected] in a .zip file.
- The ConnectPay technical team will add the certificate chain provided to the trust stores.
Validation:
- Certificates will be validated at both the web server and application levels.
- Certificates must not be expired or revoked.
Access:
- Use the following hostnames for mTLS-protected APIs:
  - STAGE: api-stage.connectpay.com
  - PROD: api.connectpay.com
General rules and tips:
- One-way and two-way APIs are mutually exclusive – you can’t access cert-protected APIs via the one-way TLS subdomain and vice versa.
- You will always find the proper hostname in our API Reference under each API.

For public domain access, such as auth redirects and notification webhooks, use separate one-way TLS API hostnames:

mTLS for Server-to-Server:
- All server-to-server API communications (except for merchant APIs) must use mTLS.
- Merchant APIs use RSA public key.
Basic Auth for Non-Person Data APIs:
- APIs that do not require access to ConnectPay Person’s data are protected by HTTP Basic Auth.
- Retrieve ClientKey and ClientSecret from your DevApp configuration.
- Encode them to Base64 and add them to the Authorization header:Authorization: Basic Base64(ClientKey:ClientSecret)

For more detailed instructions, refer to the product-related documentation or contact your ConnectPay Account Manager or Developer Support Team.

Feel free to let me know if you need any further adjustments!

Guides