This page covers authentication for the Partner Merchant Onboarding APIs (/gcc/v2/partner/merchant/onboard/* and /gcc/v2/partner/merchant/verification/*). The Payment APIs (/gl/v1/payments/*) use a different scheme — an RSA-signed JWS token sent in the x-gl-token-external header. See Key Management → Overview.

Overview

The Merchant Onboarding APIs use a two-header authentication scheme:
| Header | Description |
| --- | --- |
| x-gl-auth | Your static API Key, generated from the PayGlocal Partner Dashboard |
| x-gl-digest | A per-request HMAC-SHA256 signature, Base64-encoded |

Both headers are required on every Partner Onboarding API request, including Get Verification Redirect. Requests missing either header will be rejected.

Credentials

Partners generate API credentials from the PayGlocal Partner Dashboard:
  • API Key — sent in the x-gl-auth header. A static, non-secret identifier. Safe to store in environment variables.
  • API Secret — used as the HMAC signing key to generate x-gl-digest. Treat this like a password. Never expose it in client-side code, logs, or version control.
See Quickstart for credential download instructions.
If your API Secret is compromised, rotate it immediately from the dashboard. PayGlocal supports multiple simultaneous active keys to allow zero-downtime rotation.

Digest Generation

Algorithm

digest = Base64( HmacSHA256( signingInput, API_SECRET ) )

Signing Input Rules

| HTTP Method | Signing Input |
| --- | --- |
| GET | The request URI path (including query string if present). Do not include the host or scheme. |
| POST | The exact raw request body (JSON string) |
| PUT | The exact raw request body (JSON string) |

For POST and PUT requests, compute the digest over the exact same byte sequence you send as the body. Any difference in whitespace, field ordering, or encoding will produce a mismatched digest and a 401 Unauthorized.

For GET requests, sign only the path. Example for Get Business Categories:
/gcc/v2/partner/merchant/onboard/business-category

Code Examples — POST / PUT Requests

#!/bin/bash
API_KEY="your_api_key"
API_SECRET="your_api_secret"

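BODY='{"externalOnboardingId":"partner-001","panNumber":"ABCDE1234F"}'
# Sign the exact bytes that curl sends; printf '%s' adds no trailing newline.
# Note: -hmac places the secret on the openssl command line, where it is visible in the local process list.
DIGEST=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$API_SECRET" -binary | base64)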

curl -X POST https://api.onboard.uat.payglocal.in/gcc/v2/partner/merchant/onboard \
  -H "Content-Type: application/json" \
  -H "x-gl-auth: $API_KEY" \
  -H "x-gl-digest: $DIGEST" \
  -d "$BODY"

Code Examples — GET Requests

#!/bin/bash
API_KEY="your_api_key"
API_SECRET="your_api_secret"

# Sign the request URI path only, not the full URL
REQUEST_URI="/gcc/v2/partner/merchant/onboard/business-category"
DIGEST=$(printf '%s' "$REQUEST_URI" | openssl dgst -sha256 -hmac "$API_SECRET" -binary | base64)

curl -X GET "https://api.onboard.uat.payglocal.in${REQUEST_URI}" \
  -H "x-gl-auth: $API_KEY" \
  -H "x-gl-digest: $DIGEST"

Common Mistakes

| Mistake | Result |
| --- | --- |
| Using the API Key (not the Secret) as the HMAC key | 401 Unauthorized |
| Computing digest over parsed/re-serialized JSON instead of the raw body | 401 Unauthorized |
| Using the full URL (with host) for GET request digest instead of the request URI path | 401 Unauthorized |
| Using the body for GET request digest instead of the request URI path | 401 Unauthorized |
| Not Base64-encoding the HMAC output | 401 Unauthorized |
| Sending the digest as hex instead of Base64 | 401 Unauthorized |
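
The signing rules and the mistakes listed above, as an added Python example (not PayGlocal's code): it picks the signing input per HTTP method, signs the exact serialized bytes, and shows the digest changing once the JSON is parsed and re-dumped. The helper names and the demo key and secret are assumptions made for illustration; the secret is keyed as its UTF-8 bytes, matching the `openssl -hmac` calls on this page.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit


def signing_input(method, url, raw_body=b""):
    """Bytes to sign under the page's Signing Input Rules."""
    method = method.upper()
    if method == "GET":
        parts = urlsplit(url)  # drop scheme and host, keep path and query string
        return (parts.path + ("?" + parts.query if parts.query else "")).encode("utf-8")
    if method in ("POST", "PUT"):
        return raw_body  # the exact bytes that go on the wire
    raise ValueError(f"the page defines no signing rule for {method}")


def gl_digest(api_secret, method, url, raw_body=b""):
    """Base64( HmacSHA256( signingInput, API_SECRET ) )."""
    # Assumption: the secret is keyed as its UTF-8 bytes, as `openssl -hmac` does.
    mac = hmac.new(api_secret.encode("utf-8"), signing_input(method, url, raw_body), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def signed_request(api_key, api_secret, method, url, payload=None):
    """Serialize once, sign those bytes, return (headers, body) to send unchanged."""
    body = b"" if payload is None else json.dumps(payload, separators=(",", ":")).encode("utf-8")
    headers = {"x-gl-auth": api_key, "x-gl-digest": gl_digest(api_secret, method, url, body)}
    if body:
        headers["Content-Type"] = "application/json"
    return headers, body


# Constructed sample values, not real credentials.
KEY, SECRET = "demo_api_key", "demo_api_secret"
BASE = "https://api.onboard.uat.payglocal.in"
POST_URL = BASE + "/gcc/v2/partner/merchant/onboard"
GET_URL = BASE + "/gcc/v2/partner/merchant/onboard/business-category"

if __name__ == "__main__":
    headers, body = signed_request(KEY, SECRET, "POST", POST_URL,
                                   {"externalOnboardingId": "partner-001", "panNumber": "ABCDE1234F"})
    print(body.decode(), headers["x-gl-digest"])
    # Parsing and re-dumping the same JSON adds spaces, so the digest no longer matches.
    reserialized = json.dumps(json.loads(body)).encode("utf-8")
    print(gl_digest(SECRET, "POST", POST_URL, reserialized) != headers["x-gl-digest"])
    print(gl_digest(SECRET, "GET", GET_URL))
```

Pass the returned `body` bytes to the HTTP client as-is; letting the client re-encode a dict would bypass the bytes that were signed.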

Key Management

  • Keys can be generated and rotated from the PayGlocal Partner Dashboard.
  • PayGlocal supports multiple simultaneous active keys — activate the new key before deactivating the old one for zero-downtime rotation.
  • Key expiration policies are configured in accordance with RBI regulations.
