On This Page
FILTER BY TAG

Integrations Overview

The Integrations section is where you generate and manage REST API security keys for connecting external systems to your account.
API keys enable secure communication when sending and receiving REST API messages for automated payment processing, reporting, and other integrations.

Understanding REST API Keys

REST API security keys enable secure authentication when your systems communicate with the Visa Acceptance Solution for SMB API. There are two types of keys available:
Shared Secret
Authentication Method: HTTP Signature Authentication.
Best For: Simple integrations, quick setup.
Complexity: Low - Easy to implement.
Certificate
Authentication Method: JSON Web Token (JWT) Authentication.
Best For: Enterprise integrations, highest security.
Complexity: Medium - Requires certificate management.

REST API Key Security Best Practices

REST API keys are like passwords for your systems:
Never share keys
Never share keys with unauthorized parties.
Store securely
Use secure credential management systems.
Separate environments
Use different keys for test and production.
Key expiration
Keys expire after 3 years. Plan for renewal before expiration.
Rotate regularly
Generate new keys periodically for security.

Integrations Page Overview

The Integrations page displays a table of all your API keys with:
Key ID
Unique identifier for the key.
Key type
REST - Shared Secret or REST - Certificate.
Status
Active or Expired.
Created
Date the key was generated.
Expires
Expiration date (3 years from creation)
Actions
Three-dot menu for managing the key.
If you have not created any keys yet, you will see an empty state with a message: "No keys found" and a button to create your first key.

Certificate Key Information

Certificate keys generate a public-private key pair:
  • The private key is stored in the .p12 file you download.
  • The public key is stored on the Visa servers.
  • Your integration uses the private key to sign requests.
  • The server uses the public key to verify the signature.
  • This provides strong authentication without transmitting secrets.

Using API Keys in Your Integration

For Shared Secret Keys:
Your integration code will need:
Key ID
Include in the API request header.
Shared Secret
Use to generate the HTTP signature.
Merchant ID
Your account identifier.
For Certificate Keys:
Your integration code will need:
Key ID
Include in the API request header.
.p12 file
Load into your application.
Password
To decrypt the .p12 file.
Merchant ID
Your account identifier.
Refer to the Visa Acceptance Solution for SMB API documentation for code samples, authentication implementation guides, API endpoint references, and testing tips.

Key Expiration and Renewal

All REST API keys expire after 3 years. To prepare for expiration:
60 Days Before Expiration:
  1. Generate a new key of the same type.
  2. Test the new key in your development environment.
  3. Update your integration code to use the new key.
  4. Deploy the updated code to production.
  5. Verify the new key is working correctly.
  6. Keep the old key active as a backup.
After Successful Transition:
  1. Monitor for any issues for 1-2 weeks.
  2. Once confident, delete the old expired key.
  3. Update your key inventory documentation.
You can have multiple active keys at the same time. This allows you to transition gradually between old and new keys, have different keys for different integrations, and maintain a backup key in case of issues.

Important: Shared Secret Visibility

You can only view the Shared secret value ONCE during creation. After you close the creation dialog:
  • The secret value cannot be retrieved again.
  • If you lose it, you need to delete the key and create a new one.
  • Always download or copy both the Key ID and Shared secret before closing.
  • Store them securely in your credential management system.

Key Deletion Impact

When you delete a key:
  • Any integrations using that key will immediately stop working.
  • The deletion cannot be undone.
  • You need to generate a new key and update your integrations.
  • Plan deletions carefully to avoid service disruptions.
RELATED TO THIS PAGE