This is the recommended starting point for every new ConnectPSP integration.
It consolidates the minimum setup required before you move to your first Cash-In or Cash-Out flow.
✅ Use this page first if you are still collecting credentials, choosing environments, or defining your webhook strategy.

| Item | Purpose | Required for |
|---|---|---|
| `clientId` + `clientSecret` | Generate the JWT used in `Authorization` | All authenticated flows |
| `ApplicationToken` | Identifies your integration | All authenticated flows |
| `CryptoToken` | Generates `DigitalSignature` | Cash-Out and Rebalance |
| Webhook URL | Receives asynchronous events | Cash-In and Cash-Out confirmations |

| Environment | Base URL | Use it for |
|---|---|---|
| Staging | https://api.homologacao.connectpsp.com | Development, QA, and first end-to-end tests |
| Production | https://api.connectpsp.com | Real operations after validation and rollout approval |
Start in staging and keep production credentials isolated until your flows are fully validated.
Keep all secrets server-side only.
- Never expose `clientSecret` or `CryptoToken` in browser or mobile code
- Use environment variables or a secret manager
- Rotate credentials according to your internal security policy
- Log request IDs and `externalReference`, but never raw secrets
Call `POST /auth/token` with the credentials provided during onboarding:

```bash
curl -X POST https://api.homologacao.connectpsp.com/auth/token \
  -H "Content-Type: application/json" \
  -d '{
    "clientId": "YOUR_CLIENT_ID",
    "clientSecret": "YOUR_CLIENT_SECRET"
  }'
```

Save the returned `accessToken` and send it in the `Authorization` header of subsequent requests.
For most authenticated requests, the minimum header set is:

```
Authorization: Bearer <accessToken>
ApplicationToken: <your-app-token>
```

For sensitive operations like Cash-Out and Rebalance, you also need:

```
DigitalSignature: <hmac-sha256>
```

See the Authentication Guide for complete signature examples in Node.js, Python, and cURL.
Both inbound and outbound flows are asynchronous. Your integration should be ready to receive events before you move to business validation.
Recommended webhook behaviors:
- Respond with `200 OK` quickly
- Process asynchronously in your application layer
- Use `externalReference` or internal transaction codes for reconciliation
- Record event timestamps and idempotently ignore duplicates
If you have not prepared webhook handling yet, review the Webhooks Guide before production rollout.
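
The recommended webhook behaviors above, sketched as an added example (not ConnectPSP's own code): the receiver acknowledges immediately, queues the event for a worker, and ignores redeliveries. Only `externalReference` comes from this page; the `event` and `timestamp` field names, the sample payloads, and the in-memory dedup store are assumptions.

```python
import json
import queue
import threading

# externalReference is from the page; "event" and "timestamp" are assumed names.
KEY_FIELDS = ("externalReference", "event")

class WebhookReceiver:
    """Acknowledge fast, queue the work, and ignore redelivered events."""

    def __init__(self):
        self._seen = {}              # dedup key -> timestamp of first delivery
        self._lock = threading.Lock()
        self.jobs = queue.Queue()    # drained by a background worker

    def receive(self, raw_body: bytes) -> int:
        """Return the HTTP status to send; no business logic runs here."""
        try:
            event = json.loads(raw_body)
            key = tuple(str(event[f]) for f in KEY_FIELDS)
        except (ValueError, KeyError, TypeError):
            return 400               # malformed: nothing to reconcile against
        with self._lock:
            if key in self._seen:
                return 200           # duplicate: acknowledge, do not re-process
            self._seen[key] = event.get("timestamp")
        self.jobs.put(event)
        return 200

    def drain(self, handler):
        """Worker side: hand each queued event to handler."""
        while not self.jobs.empty():
            handler(self.jobs.get())

# Constructed sample deliveries, not real ConnectPSP payloads.
SAMPLES = [
    b'{"externalReference": "order-1001", "event": "confirmed", "timestamp": "2024-01-01T12:00:00Z"}',
    b'{"externalReference": "order-1001", "event": "confirmed", "timestamp": "2024-01-01T12:00:05Z"}',
    b'{"externalReference": "order-1002", "event": "confirmed", "timestamp": "2024-01-01T12:01:00Z"}',
    b'not json',
]

def run_demo():
    receiver, settled = WebhookReceiver(), []
    statuses = [receiver.receive(body) for body in SAMPLES]
    receiver.drain(lambda e: settled.append(e["externalReference"]))
    return statuses, settled

if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the dedup map should live in durable storage (for example a table with a unique constraint on the key) so that a restart does not cause a redelivered event to be settled twice.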
Choose one of these next steps:
- Your First Cash-In — best for validating QR Code generation and webhook confirmation
- Your First Cash-Out — best for validating DigitalSignature and async settlement
- Credentials stored securely on the server side
- Staging flow validated end-to-end
- Webhook endpoint reachable from the public internet
- `X-Idempotency-Key` used on mutation endpoints
- Internal reconciliation key defined using `externalReference`
- Production environment separated from staging configuration