Search Documentation
Search across all documentation pages, APIs and guides.
Authentication
OnePay uses a dual-credential authentication model. Every API request carries your App ID in the request body, and every sensitive request is signed with a SHA-256 HMAC hash generated server-side using your Hash Salt.
Your Hash Salt is a secret key. Never expose it in client-side JavaScript, mobile app binaries, or public repositories. All hash generation must happen on your backend server.
Your credentials
Log in to your OnePay merchant dashboard to find your App ID and Hash Salt. Each business account has a separate set of live and sandbox credentials.
| CREDENTIAL | WHERE TO FIND | USAGE |
|---|---|---|
app_id | Merchant dashboard API Keys | Included in every request body. Identifies your merchant account. |
hash_salt | Merchant dashboard API Keys | Used to generate the HMAC hash server-side. Never sent directly in requests. |
Hash generation
For payment creation requests, you must include a SHA-256 hash that signs the key transaction parameters. This prevents tampering and validates that the request originated from your server.
SHA256( app_id + currency + amount + HASH_SALT )
Concatenate values as plain strings with no separators. The
amount must match exactly what you send in the request body (e.g. "100.00").On This Page