> ## Documentation Index
> Fetch the complete documentation index at: https://docs.payglocal.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Key & Credential Management

> Understand what credentials PayGlocal needs, why each one matters, and how to get them from your GCC dashboard.

<Note>
  Not logged into GCC yet? Start at [PayGlocal Dashboards](/getting-started/payglocal-dashboards) first.
</Note>

## Why Do You Need Credentials?

PayGlocal uses a **JWT token-based integration model** for every API call. Before your payment request reaches PayGlocal's servers, it goes through two steps:

<Steps>
  <Step title="Encrypt your payload (JWE)">
    Your payment data is encrypted using **PayGlocal's public key** so only PayGlocal can read it.

    This produces a **JWE token** — a 5-part encrypted blob in the format `header.encryptedKey.iv.ciphertext.tag`.
  </Step>

  <Step title="Sign the encrypted payload (JWS)">
    The JWE is then signed using **your private key** to prove the request came from you.

    This produces a **JWS token** — a 3-part signed token in the format `header.payload.signature`.
  </Step>

  <Step title="Send the request">
    The JWS goes into the `x-gl-token-external` header. The JWE goes in the request body.

    PayGlocal verifies your signature, decrypts the payload, and processes the payment.
  </Step>
</Steps>

**This is why credentials exist.** Each of the five values plays a specific role in this flow:

| Credential                 | Role in the flow                                               |
| -------------------------- | -------------------------------------------------------------- |
| **PayGlocal's Public Key** | Encrypts your payload → only PayGlocal can decrypt             |
| **Your Private Key**       | Signs the request → proves it came from you                    |
| **Public Key ID (KID)**    | Tells PayGlocal which key was used to encrypt                  |
| **Private Key ID (KID)**   | Tells PayGlocal which key pair to verify the signature against |
| **Merchant ID (MID)**      | Identifies your merchant account on every API call             |

<Warning>
  Your **private key is downloaded once** and is not stored by PayGlocal. Keep it in a secrets manager — never commit it to source control or send it over email. If lost, you must regenerate a new key pair and update all integrations.
</Warning>

<Warning>
  Credentials are **environment-specific**. Generate and copy a separate set in **UAT** and in **Production** — keys, Key IDs, and Merchant ID from one environment do not work in the other.
</Warning>

***

## How to Get Each Credential

### Merchant ID (MID)

<Steps>
  <Step title="Log in to your GCC dashboard">
    Open [GCC UAT](https://gcc.uat.payglocal.in) or [GCC Production](https://gcc.prod.payglocal.in).
  </Step>

  <Step title="Open My Account and go to TID Details">
    Click your profile icon in the top-right corner of the dashboard, then click **My Account**.

    <Frame caption="Open the profile menu and select My Account">
      <img src="https://mintcdn.com/payglocal/gXgve7lEqiVYdq6T/images/dashboard/mid-step1-profile-click.png?fit=max&auto=format&n=gXgve7lEqiVYdq6T&q=85&s=5d118d48b6acb2a312f3345b9d857ea2" alt="Open profile menu and select My Account" width="1024" height="576" data-path="images/dashboard/mid-step1-profile-click.png" />
    </Frame>

    From the headings, click **TID Details**.

    <Frame caption="Open TID Details">
      <img src="https://mintcdn.com/payglocal/gXgve7lEqiVYdq6T/images/dashboard/mid-step2-tid-details.png?fit=max&auto=format&n=gXgve7lEqiVYdq6T&q=85&s=a47684de49778504f47f7fc7d195d7b0" alt="Open TID Details" width="1024" height="576" data-path="images/dashboard/mid-step2-tid-details.png" />
    </Frame>
  </Step>

  <Step title="Copy your Merchant ID">
    Under the **Payment Gateway** section, your **Merchant ID (MID)** is displayed. Copy it.
  </Step>
</Steps>

***

### Public Key & Private Key

Both keys are managed from the Key Management System in GCC. You'll download PayGlocal's public key first, then generate and download your own private key.

#### Downloading Public Key

<Steps>
  <Step title="Navigate to Key Management System">
    In the **left sidebar**, click **Configure**.

    <Frame caption="Open Configure in the left sidebar">
      <img src="https://mintcdn.com/payglocal/gXgve7lEqiVYdq6T/images/dashboard/key-mgmt-step1-configure.png?fit=max&auto=format&n=gXgve7lEqiVYdq6T&q=85&s=6e892ff08a39c1cd10326621967ea95e" alt="Open Configure in the left sidebar" width="1024" height="575" data-path="images/dashboard/key-mgmt-step1-configure.png" />
    </Frame>

    Then click **Key Management System**.
  </Step>

  <Step title="Download PayGlocal's Public Key">
    Find **PayGlocal Common Certificate** in the list and click **Download**.

    <Frame caption="Download the PayGlocal Common Certificate">
      <img src="https://mintcdn.com/payglocal/gXgve7lEqiVYdq6T/images/dashboard/key-mgmt-step2-download-public.png?fit=max&auto=format&n=gXgve7lEqiVYdq6T&q=85&s=706b88c578d99cab09537ac18975ebce" alt="Download the PayGlocal Common Certificate" width="1024" height="575" data-path="images/dashboard/key-mgmt-step2-download-public.png" />
    </Frame>

    <Note>
      This is **PayGlocal's public key** — you'll use it to encrypt your JWE payload so only PayGlocal can decrypt it.
    </Note>
  </Step>
</Steps>

#### Downloading Private Key

<Steps>
  <Step title="Filter by Key Type">
    In the same Key Management screen, click the **Key Type** dropdown filter.

    <Frame caption="Open the Key Type filter">
      <img src="https://mintcdn.com/payglocal/gXgve7lEqiVYdq6T/images/dashboard/private-key-step1-filter.png?fit=max&auto=format&n=gXgve7lEqiVYdq6T&q=85&s=2c1b29c421592a6807476bf1d6a7bdf8" alt="Open the Key Type filter" width="1024" height="575" data-path="images/dashboard/private-key-step1-filter.png" />
    </Frame>
  </Step>

  <Step title="Select RSA">
    From the dropdown menu, select **RSA**.

    <Frame caption="Select RSA, then Apply">
      <img src="https://mintcdn.com/payglocal/gXgve7lEqiVYdq6T/images/dashboard/private-key-step2-select-rsa.png?fit=max&auto=format&n=gXgve7lEqiVYdq6T&q=85&s=235200d3c88b659def70df581d267c48" alt="Select RSA from the dropdown" width="1024" height="575" data-path="images/dashboard/private-key-step2-select-rsa.png" />
    </Frame>

    Then click **Apply**.
  </Step>

  <Step title="Generate RSA Key">
    Click the **Generate RSA Key** button in the top-right corner. This creates a new RSA key pair.

    <Frame caption="Generate a new RSA key pair">
      <img src="https://mintcdn.com/payglocal/gXgve7lEqiVYdq6T/images/dashboard/private-key-step3-generate.png?fit=max&auto=format&n=gXgve7lEqiVYdq6T&q=85&s=8945628b89633b98ef40070e4c6ca4cc" alt="Generate a new RSA key pair" width="1024" height="576" data-path="images/dashboard/private-key-step3-generate.png" />
    </Frame>
  </Step>

  <Step title="Download Your Private Key">
    Once the key is generated, you'll see it in the table. Click the **Download** icon to save your private key.

    <Frame caption="Download your private key — available only once">
      <img src="https://mintcdn.com/payglocal/gXgve7lEqiVYdq6T/images/dashboard/private-key-step4-download.png?fit=max&auto=format&n=gXgve7lEqiVYdq6T&q=85&s=634c3d20bc727782d3050777d0552f55" alt="Download your private key" width="1024" height="572" data-path="images/dashboard/private-key-step4-download.png" />
    </Frame>

    <Warning>
      **This is your only chance to download the private key.** PayGlocal does not store it. If you lose it, regenerate a new key pair and update all your integrations.
    </Warning>
  </Step>
</Steps>

***

### Key IDs (Public KID & Private KID)

You don't have to hunt for Key IDs separately — each is embedded in the filename of the file you downloaded. The Private Key ID is also shown directly in GCC.

#### Fetching Public Key ID

The Public Key ID is embedded in the filename of **PayGlocal's certificate** you downloaded from GCC.

<Steps>
  <Step title="Go to your Downloads folder">
    Navigate to the folder where the **PayGlocal public key** was downloaded (usually your Downloads folder).
  </Step>

  <Step title="View the filename">
    Look at the filename of the downloaded `.pem` file. It follows this pattern:

    ```
    [PUBLIC_KEY_ID]_[rest-of-filename].pem
    ```

    <Frame caption="Public Key ID in the certificate filename">
      <img src="https://mintcdn.com/payglocal/gXgve7lEqiVYdq6T/images/dashboard/public-key-id-filename.png?fit=max&auto=format&n=gXgve7lEqiVYdq6T&q=85&s=ad671cf80abc8790037a22ddc920b02b" alt="Public Key ID in the certificate filename" width="1024" height="341" data-path="images/dashboard/public-key-id-filename.png" />
    </Frame>
  </Step>

  <Step title="Copy everything before the first underscore">
    The **Public Key ID** is everything before the first underscore (`_`).

    **Example:**

    * Full filename: `834hinrh-8r0n-4657-34nn-fnjhjre33uur_glocal.pem`
    * Public Key ID (KID): `834hinrh-8r0n-4657-34nn-fnjhjre33uur`

    <Note>
      **Pro tip:** Right-click the file → Rename → copy just the Key ID part (everything before the first `_`), then press Escape so you don't actually rename the file.
    </Note>
  </Step>
</Steps>

#### Fetching Private Key ID

Unlike the Public Key ID, your **Private Key ID can be fetched directly from the GCC dashboard** where you generated the RSA key.

<Steps>
  <Step title="Go to Key Management (RSA section)">
    Navigate back to **Configure → Key Management System** and filter by **RSA** (where you generated your private key).
  </Step>

  <Step title="Copy the Key ID from the table">
    In the Key Management table, you'll see your generated RSA key listed with its **Key ID** in the first column.

    <Frame caption="Private Key ID shown in the Key Management table">
      <img src="https://mintcdn.com/payglocal/gXgve7lEqiVYdq6T/images/dashboard/private-key-id-dashboard.png?fit=max&auto=format&n=gXgve7lEqiVYdq6T&q=85&s=a81da7d2ef1e3e4f4756637d58595b72" alt="Private Key ID in the Key Management table" width="1024" height="563" data-path="images/dashboard/private-key-id-dashboard.png" />
    </Frame>

    Copy the **Key ID** displayed in the table — this is your **Private Key ID**.

    <Note>
      You can also extract it from the downloaded filename, which follows the pattern `<kid>_<mid>.pem`: the part **before** the first `_` is your Private Key ID, and the part **after** it is your Merchant ID (MID). The dashboard method is easier since the Key ID is already displayed.
    </Note>
  </Step>
</Steps>

<CardGroup cols={2}>
  <Card title="Public Key ID Example" icon="key" color="#10B981">
    **Filename:**

    ```
    834hinrh-8r0n-4657-34nn-fnjhjre33uur_glocal.pem
    ```

    **Public Key ID:**

    ```
    834hinrh-8r0n-4657-34nn-fnjhjre33uur
    ```

    ✅ Everything before the first `_`
  </Card>

  <Card title="Private Key ID Example" icon="key" color="#F59E0B">
    **Filename:**

    ```
    884hiurh-8e0b-4907-38nn-fuerikejr89_paygmerchant.pem
    ```

    **Private Key ID:**

    ```
    884hiurh-8e0b-4907-38nn-fuerikejr89
    ```

    ✅ Everything before the first `_`
  </Card>
</CardGroup>

***

## Quick Reference

| # | Credential     | Where to get it                                                                      |
| - | -------------- | ------------------------------------------------------------------------------------ |
| 1 | Merchant ID    | GCC → Profile icon → My Account → TID Details → Payment Gateway                      |
| 2 | Public Key     | GCC → Configure → Key Management → PayGlocal Common Certificate                      |
| 3 | Private Key    | GCC → Configure → Key Management → Generate RSA Key                                  |
| 4 | Public Key ID  | Public key `.pem` filename — text before the first `_`                               |
| 5 | Private Key ID | GCC Key Management table, or private key `.pem` filename — text before the first `_` |

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Key Management Deep Dive" icon="key" href="/key-management/overview">
    JWS signing mechanics, key rotation, and environments.
  </Card>

  <Card title="Choose for Integration" icon="map" href="/integration/overview">
    Choose between No-Code and API integration based on how your business collects payments.
  </Card>
</CardGroup>

Questions? Reach out at [merchant.support@payglocal.in](mailto:merchant.support@payglocal.in).
