This page covers authentication for the Partner Merchant Onboarding APIs (
/gcc/v2/partner/merchant/onboard/* and /gcc/v2/partner/merchant/verification/*).
The Payment APIs (/gl/v1/payments/*) use a different scheme — an RSA-signed JWS token sent in
the x-gl-token-external header. See Key Management → Overview.Overview
The Merchant Onboarding APIs use a two-header authentication scheme:
Both headers are required on every Partner Onboarding API request, including Get Verification Redirect. Requests missing either header will be rejected.
Credentials
Partners generate API credentials from the PayGlocal Partner Dashboard:- API Key — sent in the
x-gl-authheader. A static, non-secret identifier. Safe to store in environment variables. - API Secret — used as the HMAC signing key to generate
x-gl-digest. Treat this like a password. Never expose it in client-side code, logs, or version control.
Digest Generation
Algorithm
Signing Input Rules
For GET requests, sign only the path. Example for Get Business Categories:
Code Examples — POST / PUT Requests
Code Examples — GET Requests
Common Mistakes
Key Management
- Keys can be generated and rotated from the PayGlocal Partner Dashboard.
- PayGlocal supports multiple simultaneous active keys — activate the new key before deactivating the old one for zero-downtime rotation.
- Key expiration policies are configured in accordance with RBI regulations.
Create Onboarding
Your first authenticated API call.
Sandbox Testing
Test your auth setup with Sandbox credentials.
FAQ — 401 Errors
Diagnose and fix authentication failures.

