JSON API basic/Client Certificate authentication

These two areas cover the most basic configuration a merchant must do and that is the creation of his authentication credentials.

When using the Saferpay Payment API, the shop has to authenticate itself towards the Saferpay gateway, so Saferpay knows this request is legit. in order to do so, Saferpay offers two ways of authentication.

Either one, or the other has to be used, but not both!

Basic authentication

This is the default authentication method, available to all merchants who have an eCommerce contract. To create a new user, simply click on Create new JSON API login.

The username will be created by Saferpay, however the password and a description can be defined by you, as long as the password follows the following rules:

The password is only saved encrypted! It cannot be looked up, after you have saved it, so please keep it somewhere safe!

  • A length of 16 characters.

    • Allowed Characters are:


      • abcdefghijklmnopqrstuvwxyz

      • 1234567890

      • :+-,_*/$%&()[]=!

  • 1 upper- and lower-case letter.

  • 1 special character, or number

You can also delete a login at any time, by simply checking the box of the login and clicking on Remove.

Client Certificate

This a more advanced method of authentication, involving a certificate. In order to create a certificate, you first have to create a Certificate Signing Request, which must follow the following rules:

This certificate expires after two years and must be renewed!

This method auf authentication is only available for merchants with a Saferpay Business contract.

2048 bit Key length SHA-256 Hash algorithm Content of the CSR: Country name = country code (e.g. CH) Locality name = place name Organization name = company name Organizational unit name = Saferpay API (mandatory) Common name = Saferpay CustomerId (not the user ID!) Email address = email address of the technical contact A challenge password = password (if assigned when creating the private key) ATTENTION: Keep the private key in a safe place. It will be required again later (once SIX has issued the certificate)!

Once created, you can then upload the CSR and, as a response, you'll get the fully signed certificate, including the root-certificates.

Last updated