Skip to main content

Overview

PayGlocal Payment APIs (/gl/v1/payments/*) use asymmetric key cryptography for authentication. Every request payload is wrapped in an RSA-signed JWS (JSON Web Signature) token sent in the x-gl-token-external header, and every response includes a signed token you can verify. This ensures request authenticity and response integrity.
The default scheme is JWS signing (authenticity). Some flows (e.g., billpay) additionally require the request body to be encrypted as a JWE using PayGlocal’s public certificate — your PayGlocal integration lead will confirm whether your MID needs encryption.

The Two Keys

Your Private Key (PVT-KEY) is never stored by PayGlocal. You can only download it once — at the moment of creation. If you lose it, you must create a new key pair.

How the Keys Work Together

Environments

PayGlocal has two separate environments, each requiring their own set of keys:
Download your keys from the correct environment. UAT keys will not work in Production and vice versa. Access to the Production environment is only enabled after you have executed the service contract with PayGlocal.

Security Standards

PayGlocal uses industry-leading encryption to protect your data:
  • TLS 1.3 for point-to-point transport security
  • End-to-End Encryption (E2EE) — the payload is encrypted throughout its entire journey, even through intermediaries
  • RSA 2,048-bit keys for resistance against cryptanalytic advances
  • Zero-trust architecture for data at rest, in transit, and in use

Next Steps

Download Your Private Key

Step-by-step guide to creating and downloading your PVT-KEY from the PayGlocal Control Center.

Download the Public Certificate

How to obtain PayGlocal’s PUBCERT for encrypting requests and validating responses.

Construct API Requests

Configure the sample client code and start making authenticated API calls.