Quickstart — your first signed request

This guide walks you from zero to a successful signed request on the MidasPay sandbox. You need a terminal, curl, and sandbox credentials issued by MidasPay.

By the end you will have:

  1. ✅ Sandbox credentials (merchant_id and portal access)
  2. ✅ An RSA-2048 key-pair registered with MidasPay
  3. ✅ A signed request that creates a checkout session
  4. ✅ A paid test order (using your channel's sandbox test credentials)
  5. ✅ A signed webhook delivered to your endpoint

Step 1 · Get sandbox credentials

Contact your MidasPay merchant manager (or email developer-support@midaspayment.com) to request sandbox access. You will receive:

  • A merchant_id (alphanumeric string, e.g. merchant123456).
  • An invite to the sandbox Merchant Portal where you upload your public key and view orders, webhooks and bills.

Sub-merchants

If your integration uses sub-merchants (marketplaces, platforms), you will also receive a sub_merchant_id which you include in request bodies.


Step 2 · Generate an RSA key-pair

MidasPay authenticates every request with an RSA-SHA256 signature. You hold the private key; MidasPay only ever sees your public key (uploaded as a certificate to the Merchant Portal).

# Generate a 2048-bit private key in PKCS#8 PEM format
openssl genpkey -algorithm RSA -out merchant_private.pem -pkeyopt rsa_keygen_bits:2048

# Extract the matching public key
openssl rsa -in merchant_private.pem -pubout -out merchant_public.pem

Upload your public key / certificate in the Merchant Portal (Developer → API Keys). After upload, MidasPay provides a certificate serial number that you include in every Authorization header (the serial_no field).

Never share the private key

Treat merchant_private.pem like a database password: store it in your secret manager (Vault, AWS Secrets Manager, KMS-wrapped storage, etc.), never commit it to Git and never paste it into chat or logs. See Signature generation for the full policy.


Step 3 · Sign your first request

Every MidasPay request carries an Authorization header with signature metadata, and the signature is computed over a five-line canonical string:

<HTTP method>\n
<path + query>\n
<timestamp seconds>\n
<nonce>\n
<request body>\n

The Authorization header format is:

Authorization: TXGW-SHA256-RSA2048 auth_id="<merchant_id>",auth_id_type=MERCHANT_ID,
nonce_str="<random>",signature="<base64>",
timestamp="<unix seconds>",serial_no="<cert serial>"

Sign with the private key corresponding to the certificate whose serial_no you advertise. See Signature generation & verification for the full algorithm and Signature examples for ready-to-use code in Java, Go, Python, Node.js, PHP, C# and Ruby.

Interactive signature tool

The Request Signature Form lets you paste a JSON body, timestamp, nonce and your private key into the browser and produces the exact Authorization header value — handy for one-off testing. The private key never leaves your browser.
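
A local check of the canonical string and signature described in this step, added here as an example (it is not MidasPay's own code): it signs a request with a throwaway key, verifies it with the matching public key, and shows that re-spacing the JSON body invalidates the signature. The function names (canonical, sign_request, verify_request, selfcheck), the key and all request values are constructed for the illustration; the signing command is the same `openssl dgst -sha256 -sign` call used in Step 4.

```shell
#!/usr/bin/env bash
# Added example: sign the five-line canonical string, then verify it locally.
# The throwaway key and every request value below are constructed for the demo.

# canonical METHOD PATH_AND_QUERY TIMESTAMP NONCE BODY: five lines, each ending in \n
canonical() {
  printf '%s\n%s\n%s\n%s\n%s\n' "$1" "$2" "$3" "$4" "$5"
}

# sign_request PRIVATE_KEY <canonical args>: prints the base64 signature on one line
sign_request() {
  sr_key=$1; shift
  canonical "$@" | openssl dgst -sha256 -sign "$sr_key" | openssl base64 -A
}

# verify_request PUBLIC_KEY SIG_B64 <canonical args>: returns 0 only if the signature matches
verify_request() {
  vr_pub=$1; vr_sig=$2; shift 2
  vr_file=$(mktemp)
  printf '%s\n' "$vr_sig" | openssl base64 -d -A > "$vr_file"
  if canonical "$@" | openssl dgst -sha256 -verify "$vr_pub" -signature "$vr_file" >/dev/null 2>&1
  then vr_rc=0; else vr_rc=1; fi
  rm -f "$vr_file"
  return "$vr_rc"
}

# selfcheck: sign a constructed request, verify it, then verify a re-spaced body
selfcheck() {
  sc_dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$sc_dir/priv.pem" 2>/dev/null
  openssl rsa -in "$sc_dir/priv.pem" -pubout -out "$sc_dir/pub.pem" 2>/dev/null
  sc_body='{"reference_id":"quickstart-001"}'
  sc_sig=$(sign_request "$sc_dir/priv.pem" POST /v1/mor/token/create 1700000000 0a1b2c3d "$sc_body")
  if verify_request "$sc_dir/pub.pem" "$sc_sig" POST /v1/mor/token/create 1700000000 0a1b2c3d "$sc_body"
  then sc_same=accepted; else sc_same=rejected; fi
  # Same JSON with one added space: different bytes, so the signature no longer matches.
  if verify_request "$sc_dir/pub.pem" "$sc_sig" POST /v1/mor/token/create 1700000000 0a1b2c3d \
       '{"reference_id": "quickstart-001"}'
  then sc_spaced=accepted; else sc_spaced=rejected; fi
  rm -rf "$sc_dir"
  echo "byte-identical=$sc_same re-spaced=$sc_spaced"
}

selfcheck
```

The body you send must be byte-for-byte the string you signed; serialize the JSON once and reuse that exact string for both signing and the request.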


Step 4 · Create a checkout session

Call POST /v1/mor/token/create with a signed request. The response returns a hosted redirect_url where the buyer completes payment.

# 1. Prepare body (example minimal payload — fields depend on your MOR contract)
BODY='{ "reference_id": "quickstart-001", ... }'

# 2. Compute signature inputs
# (named REQ_PATH, not PATH: assigning to PATH would replace the shell's command
# search path, and date, openssl and curl would no longer be found)
METHOD='POST'
REQ_PATH='/v1/mor/token/create'
TS=$(date +%s)
NONCE=$(openssl rand -hex 16)

# 3. Build canonical string and sign
printf '%s\n%s\n%s\n%s\n%s\n' "$METHOD" "$REQ_PATH" "$TS" "$NONCE" "$BODY" \
  | openssl dgst -sha256 -sign merchant_private.pem \
  | base64 | tr -d '\n' > sig.b64
SIG=$(cat sig.b64)

# 4. Fire the request
curl -X POST "https://sandbox-pay.centauriglobal.com${REQ_PATH}" \
  -H 'Content-Type: application/json' \
  -H "Authorization: TXGW-SHA256-RSA2048 auth_id=\"<YOUR_MERCHANT_ID>\",auth_id_type=MERCHANT_ID,nonce_str=\"${NONCE}\",signature=\"${SIG}\",timestamp=\"${TS}\",serial_no=\"<YOUR_CERT_SERIAL>\"" \
  -d "$BODY"

Expected successful response (shape simplified — consult the endpoint's reference page for the authoritative schema):

{
  "token": "eyJhbGciOiJI...",
  "redirect_url": "https://sandbox-checkout.midaspayment.com/?token=eyJhbGciOiJI..."
}

Open redirect_url in your browser — you'll see the MidasPay sandbox checkout page.


Step 5 · Pay with a sandbox test credential

Each underlying payment channel (credit card, e-wallet, bank transfer) provides its own set of sandbox test credentials that you use on the checkout page. Ask your MidasPay merchant manager for the test-credential pack appropriate to the channels you want to exercise.

On submit:

  • The checkout page redirects the buyer to the return_url you configured in application_context.
  • MidasPay delivers a signed notification (webhook) to the webhook_url you configured. See Webhooks → Verify signatures.

Inspecting webhooks easily

Point webhook_url at a throw-away inbox such as https://webhook.site or https://smee.io to see the exact payload and headers MidasPay sends. Do not use these services for production traffic.


What's next

Stuck? Email developer-support@midaspayment.com with your debug_id (it's in every error response) for support.