Skip to main content
This page covers authentication for the Partner Merchant Onboarding APIs (/gcc/v2/partner/merchant/onboard/* and /gcc/v2/partner/merchant/verification/*). The Payment APIs (/gl/v1/payments/*) use a different scheme — an RSA-signed JWS token sent in the x-gl-token-external header. See Key Management → Overview.

Overview

The Merchant Onboarding APIs use a two-header authentication scheme: Both headers are required on every Partner Onboarding API request, including Get Verification Redirect. Requests missing either header will be rejected.

Credentials

Partners generate API credentials from the PayGlocal Partner Dashboard:
  • API Key — sent in the x-gl-auth header. A static, non-secret identifier. Safe to store in environment variables.
  • API Secret — used as the HMAC signing key to generate x-gl-digest. Treat this like a password. Never expose it in client-side code, logs, or version control.
See Quickstart for credential download instructions.
If your API Secret is compromised, rotate it immediately from the dashboard. PayGlocal supports multiple simultaneous active keys to allow zero-downtime rotation.

Digest Generation

Algorithm

Signing Input Rules

For POST and PUT requests, compute the digest over the exact same byte sequence you send as the body. Any difference in whitespace, field ordering, or encoding will produce a mismatched digest and a 401 Unauthorized.
For GET requests, sign only the path. Example for Get Business Categories:

Code Examples — POST / PUT Requests


Code Examples — GET Requests


Common Mistakes


Key Management

  • Keys can be generated and rotated from the PayGlocal Partner Dashboard.
  • PayGlocal supports multiple simultaneous active keys — activate the new key before deactivating the old one for zero-downtime rotation.
  • Key expiration policies are configured in accordance with RBI regulations.

Create Onboarding

Your first authenticated API call.

Sandbox Testing

Test your auth setup with Sandbox credentials.

FAQ — 401 Errors

Diagnose and fix authentication failures.