Authentication
How partners authenticate with CardPay, and how CardPay authenticates with Visa and Mastercard networks
Partner → CardPay Gateway
All API requests from partners to the CardPay platform are authenticated via HTTP Basic Authentication at the gateway layer.
Authorization: Basic base64(<username>:<password>)| Header | Description |
|---|---|
Authorization | Basic <base64(username:password)> |
Content-Type | application/json |
TENANT | Tenant/Sponsor Bank identifier (set by gateway routing) |
The gateway (API Gateway) validates credentials and proxies the request to the appropriate downstream service (CardPay Core or Network Gateway).
Credentials provisioned at onboarding
Partner credentials (username/password) are provisioned when the partner entity is configured. Contact M2P to obtain your credentials for sandbox and production environments.
CardPay → Visa Network
Client certificate stored in a JKS keystore (VISADIRECT_KEYSTORE_PATH). Visa validates the client certificate on every connection.
VISADIRECT_KEYSTORE_PATH=/path/to/keystore.jks
VISADIRECT_KEYSTORE_PWD=<keystore_password>
VISADIRECT_KEYSTORE_PRIVATE_PWD=<private_key_password>Standard HTTP Basic Auth over the mTLS connection:
VISA_DIRECT_API_USER=<visa_api_user>
VISA_DIRECT_API_PWD=<visa_api_password>For V2 APIs — request payload encrypted with Visa's public key using JWE (RSA-OAEP-256 / A128GCM). Response is decrypted with the client's private key.
Enabled per-partner via mle_enabled = true in the default_values table.
VISA_MLE_KEY_ID=<key_id>
VISA_MLE_PUBLIC_CERT_PATH=/path/to/visa_public_cert.pem
VISA_MLE_PRIVATE_KEY_PATH=/path/to/client_private_key.pem
# V2 credentials
VISA_V2_USERID=<v2_user>
VISA_V2_PWD=<v2_password>
VISA_V2_KEYSTORE_PATH=/path/to/v2_keystore.jks
VISA_V2_KEYSTORE_PWD=<v2_keystore_password>CardPay → Mastercard Network
OAuth signature generated using the partner's P12 private key and consumer key from the custom_fields table.
| Config Field | Description |
|---|---|
consumer_key | OAuth 1.0a consumer key |
p12_file_path | Path to PKCS12 file containing the private key |
alias_name | P12 key alias |
alias_password | P12 key password |
Request payload encrypted using the partner's encryption public key. Response decrypted using the partner's encryption P12 private key.
The request header x-Encrypted: true is set when the payload is JWE-encrypted.
| Config Field | Description |
|---|---|
client_enc_key_path | Public key for JWE encryption of request payloads |
client_enc_id | Encryption Key ID |
encp12_file_path | P12 file for JWE decryption of response payloads |
enc_key_alias | Encryption Key Alias |
enc_key_pwd | Encryption Key Password |
Authentication Summary
Partner → CardPay
HTTP Basic Auth over HTTPS. Credentials validated by the gateway (API Gateway) on every request.
CardPay → Visa
Mutual TLS + HTTP Basic Auth. Optional JWE Message Level Encryption for V2 APIs when mle_enabled = true.
CardPay → Mastercard
OAuth 1.0a signatures using P12 private key. JWE encryption for both request and response payloads.