Why Can’t I Send a Raw Payload?
PayGlocal never accepts a plain JSON request. Every request must be:- Encrypted — so no one in transit can read your payment data
- Signed — so PayGlocal can verify the request genuinely came from you
Flow: From Payload to Request
What Each Function Does
generateJWE — Encrypt the Payload
Takes in: Your payment payload + PayGlocal’s public key + your Merchant ID + Public Key ID
What it does: Converts your JSON payload into an encrypted token. Once encrypted, the data is completely unreadable — only PayGlocal can decrypt it using their private key.
Returns: A JWE token — a compact encrypted string that becomes the body of your API request.
generateJWS — Sign the JWE
Takes in: The JWE token + your private key + your Merchant ID + Private Key ID
What it does: Takes the JWE token, hashes it with SHA-256, and signs that hash using your private key. This signature is proof that the request was sent by you and has not been modified in transit.
Returns: A JWS token — a compact signed string that goes into the x-gl-token-external header of your API request.
generateJWEAndJWS — The Single Entry Point
Takes in: Your payload + all five credentials (public key, private key, Merchant ID, Public Key ID, Private Key ID)
What it does: Calls generateJWE first, then passes its output to generateJWS. Validates all your credentials before running.
Returns: Both tokens together — { jweToken, jwsToken }.
This is the only function you need to call. Everything else happens internally.
Assembling the Request
Once you have both tokens, your request is:Why Two Tokens?
One without the other is incomplete. JWE alone means PayGlocal can read the data, but cannot trust it came from you. JWS alone means PayGlocal can verify the sender, but cannot read the payload.
Credentials You Need
See Key Management for step-by-step instructions on fetching all five credentials.

