Secure Payments Credentials Management


In order for LoanPro, a middleware application, or even the Secure Payments (formerly PCI Wallet) user interface to communicate with Secure Payments back end, requests need to be authenticated. Secure Payments uses JSON Web Tokens for authentication. In our implementation two tokens are generated: 

  • Token
  • Secret

These two tokens represent the Secure Payments account, so they should be kept private.

A new token and secret a generated each time you log in to Secure Payments. This allows the Secure Payments user interface to communicate with the back end. When you see the token and secret listed in your Secure Payments account, those are the credentials created upon log in. If you log out of Secure Payments, those credentials are revoked and can't be used to access Secure Payments. Each set of credentials is independent of the others, so revoking these credentials doesn't affect the expiration or revocation of any other set of credentials.

This is why we recommend you use credentials that are generated when you update your Secure Payments password in LoanPro. The expiration of this specific set of credentials can then be tracked by LoanPro.

All authenticated Secure Payments endpoints expect both the secret and token to be submitted as part of the request headers:

  • authorization: {token}
  • secret: {secret}

Tokens and secrets are a pair, and don't work without each other. Each secret is unique to each token and vice versa. Token and secret pairs have a life of 90 days, after which they expire.

Keep in mind that even if a token and secret are valid, but the user password has expired, requests won’t be allowed.

  • 401 - This will be the return code if the password or secret are wrong/expired.
  • 402 - This will be the return code if the user password has expired.

Your password and credentials will expire every 90 days. We recommend the following process when updating credentials:

Reset Your Password in LoanPro

Keeping your Secure Payments password up to date is important. The primary email for Secure Payments will receive notifications when the password is going to expire. Because your credentials should always be the same in both LoanPro and Secure Payments, we strongly recommend that you do all your password updates in LoanPro. If you update your password in Secure Payments, either through the UI or the API, your LoanPro account will no longer be connected to Secure Payments. When you update your password, always do so in LoanPro to avoid any issues.

These article links will give you more guidance on managing your password:

To update your password, navigate to Settings > Company Merchant > Secure Payments inside of LoanPro

The Secure Payments account page within LoanPro's Company settings. A box highlights the Change Password option.

When you click 'Change Password', you will be asked for your old password and a new password.

The pop-up window to change a Secure Payment account's password. Fields include Username, Old Password, New Password, and Confirm New Password.

Once you have entered the information, click SAVE. Make sure that your old password is correct. If it's not correct, you will only have a few attempts to change the password before the account will be locked. If you don't know your old password, contact support so they can help you with this process. It will be far better to talk to support than to lock your account with failed attempts.

Syncing Authentication Credentials

Once your password has changed, you should have an updated set of credentials shown in the same area of LoanPro. You should use these new credentials in your middleware application. We strongly recommend that you use the same credentials in your middleware as are in LoanPro, so that they are on the same expiration cycle. This will ensure that they are on the same expiration cycle. This will help you ensure that when your middleware can communicate with Secure Payments, LoanPro can as well, and vice versa.

Generating New Authentication Credentials

It is possible to generate a new set of authentication credentials outside of LoanPro. We don't recommend this; we recommend that you have your middleware and LoanPro using the same set of credentials, so you have a view in Secure Payments of when your tokens will expire.

A new token and secret are generated every time you log in to Secure Payments. The token can be view by navigating to the Profile section inside the Secure Payments interface.

You can also choose to generate new credentials for your Secure Payments account. This is done using the following call:


With a payload of:


The response should look something like this:

"token":"new token",
"secret":"new secret"

Revoking Authentication Credentials

You may want to revoke an old set of authentication credentials instead of waiting for them to expire. It is a fairly common practice to refresh credentials and add them to both middleware and LoanPro, then revoke the ones they replaced. In order to revoke a set of credentials, use the following call:


Make sure you use the token and secret you want to revoke in the request headers to authenticate the request.

The response from a successful revoke request should look like this:

"message":"Token revoked."

How did we do?

Powered by HelpDocs (opens in a new tab)