Prerequisites
Before the Quickstart will work, make sure the items below are in place. Treat this as a one-time checklist per environment (sandbox / prod).
1. Merchant account & identifiers
| Item | How to obtain | Used in |
|---|---|---|
| `merchant_id` | Provisioned by MidasPay operations after onboarding | `auth_id` in the `Authorization` header; many request bodies |
| `sub_merchant_id` (if marketplace / platform) | Created alongside your main merchant by MidasPay operations | Request bodies that require per-sub-merchant scoping |
| Merchant Portal login | Invited by email after onboarding | Upload certificates, view orders / webhooks / bills |
Onboarding contact
Contact your MidasPay partnerships representative or email developer-support@midaspayment.com to start the onboarding process.
2. RSA key-pair
- Algorithm: RSA-2048
- Hash: SHA-256
- Private key format: PEM (PKCS#8 unencrypted) — no DER, no passphrase.
- Generated locally — never let a third party (including MidasPay) see your private key.
- Registered: upload your public key / certificate in the Merchant Portal. MidasPay issues a certificate serial number (`serial_no`) that you must include in every `Authorization` header.
See Quickstart → Step 2 for the openssl commands, and Signature generation for the signing protocol.
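
A pre-flight check for the key requirements listed above, as an added example that is not MidasPay's own code. The function name `check_private_key_pem` is an assumption; it uses only the Python standard library and inspects the PEM container, algorithm and modulus size, not the mathematical validity of the key.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def check_private_key_pem(pem):
    """Return a list of problems; an empty list means the key fits the checklist."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        return ["not PEM (DER or unknown encoding)"]
    label, body = m.group(1), m.group(2)
    # Passphrase protection shows up as a PKCS#8 label or a legacy Proc-Type header.
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type:" in body:
        return ["key is passphrase-protected"]
    if label == "RSA PRIVATE KEY":
        return ["PKCS#1 container; convert to PKCS#8"]
    if label != "PRIVATE KEY":
        return ["unexpected PEM label %r" % label]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        _, info, _ = _tlv(der, 0)          # PrivateKeyInfo SEQUENCE
        _, _, p = _tlv(info, 0)            # version
        _, alg, p = _tlv(info, p)          # AlgorithmIdentifier
        _, oid, _ = _tlv(alg, 0)           # algorithm OID
        _, octets, _ = _tlv(info, p)       # privateKey OCTET STRING
        _, rsa, _ = _tlv(octets, 0)        # RSAPrivateKey SEQUENCE
        _, _, q = _tlv(rsa, 0)             # version
        _, modulus, _ = _tlv(rsa, q)       # modulus n
    except (ValueError, IndexError):
        return ["malformed PKCS#8 structure"]
    problems = []
    if oid != RSA_OID:
        problems.append("not an RSA key")
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits != 2048:
        problems.append("modulus is %d bits, expected 2048" % bits)
    return problems
```

Run it against the key file before uploading the matching public key, for example in CI, so a PKCS#1 or passphrase-protected key is caught before the first signed request fails.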
3. Network access
- Outbound to MidasPay: your server must reach `pay.midaspayment.com` (production) or `sandbox-pay.centauriglobal.com` (sandbox) over TCP 443 with TLS 1.2+.
- Inbound from MidasPay (for webhooks): expose a public HTTPS endpoint and register it with MidasPay. If you whitelist by source IP, ask your MidasPay contact for the current allow-list — the specific IPs may change between regions and environments.
HTTP is rejected
All MidasPay endpoints reject plain HTTP. TLS versions below 1.2 are also rejected.
4. Local tooling (recommended)
| Tool | Purpose |
|---|---|
| `openssl` >= 1.1.1 | Generate key-pair, sign payloads in shell |
| `curl` >= 7.76 | Send signed requests from the terminal |
| `jq` | Pretty-print JSON responses |
| webhook.site or smee.io | Capture sandbox webhooks during development |
| Postman / Bruno / Insomnia | Step through requests interactively |
5. Knowledge of one supported language
This documentation includes signature samples in curl, Go, Java, PHP, Node.js, Python, Ruby and C#. Pick whichever matches your stack; the concepts translate one-to-one.
6. Compliance self-check
- You understand your own PCI DSS scope — hosted redirect, JS SDK iframe and direct card API have very different scopes. See Security → PCI DSS.
- Your systems can retain webhook logs for at least as long as your channel agreements require (commonly 90 days or more).
- You have a documented key-rotation procedure.
- Your legal / DPO has reviewed MidasPay's Data Processing Addendum for the regions you operate in.
Once all boxes are ticked, jump to Quickstart.