Keep your credentials safe
By integrating Mercado Pago solutions, you will handle sensitive data that you must protect from possible losses or vulnerabilities. This data can be your credentials, those of your integrations and those of your clients.
Credentials are unique passwords with which we identify an integration in your account. They are used to capture payments in online stores and other applications securely. To find out detailed information about credentials, go to Credentials.
We will show you how you can optimize the security of your integrations simply and quickly.
Send the access token by header
Every time you make API calls, send the Access Token via header instead of via query param. This will allow you to protect your Access Token from being exposed to anyone outside of your integration.
For example, if you perform a GET to the /users/me resource, it would look like this:
curl -H 'Authorization: Bearer APP_USR-12345678-031820-X-12345678' \
Use the Public Key on the front-end
Public Key is a key of the application that is normally used in the frontend and allows, for example, to know the payment methods and to encrypt the card data. Remember to only use this type of key in the public side of your integration. To learn more, go to Credentials.
Renew your credentials periodically
We recommend you renew your credentials frequently to avoid possible vulnerabilities.
Renew your credentials in a simple way by following these steps:
- Go to Dashboard.
- Access the application whose credentials you want to renew.
- Select Production credentials > Share my credentials..
- Once there, you can renew both the Access Token and the Client Secret. To do so, click More Options > Renew.
Share your credentials by Dashboard
If you need to share your application credentials with other Mercado Pago accounts, do so securely through Your Applications. When you share your credentials, you allow another Mercado Pago account to see and use them. To do so, follow these steps:
- Go to Dashboard.
- Access the application whose credentials you want to share.
- Click on Share my credentials.
- Enter the e-mails of the Mercado Pago accounts that you want to share your credentials with. Both test and production credentials will be shared.
- Finally, click on Share Credentials.
You can remove these permissions at any time from the Credentials panel.
Use OAuth to manage third-party credentials
OAuth is an authorization protocol that allows applications to have limited access to the private information of Mercado Pago accounts, through the HTTP protocol that introduces an authentication and authorization layer in which you request access to the protected resources of sellers, through an access token limited to a particular application, without the need for the credentials of the sellers through the access flows.
To learn more about OAuth, go to this documentation.