Secure Payments Credentials Management
Secure Payments is a LoanPro product that integrates with both the Loan Management System (LMS) and third-party payment processors to facilitate payments. We developed it as separate software so that it can more easily comply with the Payment Card Industry Data Security Standard (PCI DSS). This means that Secure Payments' code, procedures, and practices all meet a high standard for security, and that's where all of your customers' payment profile information is saved.
Since Secure Payments holds sensitive customer payment information, it's important to know how to manage your credentials securely. In this article, we'll discuss how to use and revoke your credentials.
Secure Payments Tokens
To communicate with Secure Payments on the back end, requests from the LMS and custom applications need to be authenticated. Secure Payments uses a token and secret to authenticate requests. These two values represent and give access to the Secure Payments account, so it's important to keep them safe. Here are the important points regarding Secure Payments credentials:
- The LMS and custom applications must authenticate with the account's token and secret to access Secure Payments.
- The token and secret do not expire. However, the password used to log in to the user interface will expire every 90 days.
- Unused authentication should be revoked.
Most Secure Payments endpoints expect both the secret and token to be submitted as part of the request headers. The headers for your requests will need to be formatted like the following:
Tokens and secrets are a pair, and they don't work without each other; each secret is unique to each token and vice versa. While the token and secret do not expire, requests won't be allowed if the account's password has expired. If this is the case, you'll receive a 401 response with an authentication error message.
As mentioned above, your Secure Payments password will expire every 90 days, and an expired password will lead to an authentication error. As such, we recommend the following process when updating credentials.
Reset Your Password in LoanPro
The primary email associated with your Secure Payments account will receive notifications when the password is going to expire. If you update your password in Secure Payments, either through the UI or the API, your LoanPro account will no longer be connected to Secure Payments. Due to this, we strongly recommend that you complete all your password updates in LoanPro to avoid any issues.
To update your password, navigate to Settings > Company > Merchant > Secure Payments inside of your LoanPro account. Then, select 'Change password'.
When you click 'Change password', you will be asked for your old password and to enter a new one.
Once you have entered your password information, click 'Save'. You'll want to make sure that your old password is correct, since you will only have a few unsuccessful attempts to change the password before the account will be locked. If you don't know your old password, you can contact support for help. If you'd like to learn more about managing your password, the following article links provide more information on the topic:
- Monitor Password Expiration Status Through the API
- Password Guidance
- Secure Payments Username and Password in the User Interface
Generating New Authentication Credentials
It is possible to generate a new set of authentication credentials outside of LoanPro. This is achieved by sending a POST request formatted like the following:
If your request is successful, you will receive a response payload that looks like this:
Revoking Authentication Credentials
You may want to revoke an old set of authentication credentials. It's a fairly common practice to refresh credentials and add them to both your custom application and LoanPro and revoke the ones they replaced. To revoke a set of credentials, send a POST request to the following endpoint:
Make sure you use the token and secret you want to revoke in the request headers to authenticate the request. The response from a successful revoke request should look like the following:
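The rotation order this section describes (issue a new pair, add it to both LoanPro and the custom application, then revoke the replaced pair using that pair's own token and secret) can be sketched as follows. This is an added example, not LoanPro code: `FakeSecurePayments`, `rotate`, and `RotationIncomplete` are hypothetical names, and the class is a constructed in-memory stand-in for the service, not its real endpoints or headers.

```python
import secrets


class RotationIncomplete(Exception):
    """Raised when a consumer could not be updated; carries the new pair for a retry."""
    def __init__(self, new_pair, failed):
        super().__init__(f"{failed} was not updated; old pair left active")
        self.new_pair, self.failed = new_pair, failed


class FakeSecurePayments:
    """Constructed in-memory stand-in (assumption), NOT the real Secure Payments API."""
    def __init__(self):
        self.pairs = {}  # token -> secret

    def generate(self):
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.pairs[token] = secret
        return token, secret

    def authenticate(self, token, secret):
        # A token and secret only work as a pair.
        stored = self.pairs.get(token)
        return stored is not None and secrets.compare_digest(stored, secret)

    def revoke(self, token, secret):
        # The revoke request is authenticated with the pair being revoked.
        if not self.authenticate(token, secret):
            raise PermissionError("401: authentication error")
        del self.pairs[token]


def rotate(service, old_pair, consumers):
    """Issue a new pair, hand it to every consumer, then revoke the old pair.

    `consumers` maps a name ("LoanPro", "custom app") to a callable that stores
    the new pair and returns True on success. The old pair is revoked only after
    the new pair authenticates and every consumer has accepted it.
    """
    new_pair = service.generate()
    if not service.authenticate(*new_pair):
        raise RuntimeError("new pair does not authenticate; old pair left active")
    for name, store in consumers.items():
        if not store(new_pair):
            # Leave both pairs valid: consumers already updated keep working on the
            # new pair, the rest keep working on the old one until a retry succeeds.
            raise RotationIncomplete(new_pair, name)
    service.revoke(*old_pair)
    return new_pair
```

If `rotate` raises `RotationIncomplete`, both pairs stay valid until the failed consumer is fixed; revoke whichever pair ends up unused once the retry is done.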