Go to production
Once the configuration and testing process is complete, your integration will be ready to go live.
See below the necessary recommendations to make this change effectively and safely, ensuring that the integration is prepared to process real transactions.
To ensure the security of your Payouts transactions, you must implement end-to-end encryption. This involves creating a public-private key mechanism, where a request is encrypted by means of a security key, and another key is used to validate it.
Therefore, you must send your public key to Mercado Pago for transaction validation, and keep your private key securely stored to encrypt your requests.
X-signature header with the encrypted request body as the value. For development or testing environments, it is not mandatory to send it. For more information, refer to our API Reference.To create public and private keys in Linux or MacOS, run the following command in your terminal:
terminal
openssl genpkey -algorithm ed25519 -out mpprivate.pem && openssl pkey -in mpprivate.pem -pubout -out mppublic.pem
In response, two files will be generated, one with your public key, which you must send to Mercado Pago, and another with the private key, which must be securely stored in your system.
To send your public key, you will need to connect with the Integrations team. Below, we provide the following example request, where the private.key file is read, the request is encrypted, and the signature is added to the header.
package main
import (
"bytes"
"crypto/ed25519"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"fmt"
"io/ioutil"
"net/http"
)
func main() {
// Path to the file storing the private key
privateKeyFile := "private.key"
// Read the private key from the file
privateKeyBytes, err := ioutil.ReadFile(privateKeyFile)
if err != nil {
fmt.Println("Error reading private key:", err)
return
}
// Convert the private key bytes to a PrivateKey
privateKey := ed25519.PrivateKey(privateKeyBytes)
// Define your request body
requestBody := []byte(`{"key": "value"}`)
// Sign the request body with the private key
signature := ed25519.Sign(privateKey, requestBody)
// Encode the signature to base64
signatureBase64 := base64.StdEncoding.EncodeToString(signature)
// Create a new HTTP request
req, err := http.NewRequest("POST", "https://example.com/api/endpoint", bytes.NewBuffer(requestBody))
if err != nil {
fmt.Println("Error creating request:", err)
return
}
// Add the X-signature header with the base64 encoded signature
req.Header.Set("X-signature", signatureBase64)
// Send the request
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
fmt.Println("Error sending request:", err)
return
}
defer resp.Body.Close()
// Read the response body
responseBody, err := ioutil.ReadAll(resp.Body)
if err != nil {
fmt.Println("Error reading response body:", err)
return
}
// Print the response body
fmt.Println("Response:", string(responseBody))
}from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519
import base64
import json
def main():
# PEM formatted private key
private_key_pem = b'''************************************************'''
try:
# Load the private key from PEM format
private_key = serialization.load_pem_private_key(
private_key_pem,
password=None # No password protection in this example
)
# Ensure we have an Ed25519 private key
if not isinstance(private_key, ed25519.Ed25519PrivateKey):
print("Error: The provided key is not a valid Ed25519 private key")
return
# Define request body as a Python dict
request_data = b'''{REQUEST_BODY}'''
# Use request_data directly as it's already in bytes
request_body = request_data
print("Request body that will be signed:")
print(request_data.decode('utf-8')) # Print the request body
print("\n---\n")
# Sign the request body
signature = private_key.sign(request_body)
# Get the public key
public_key = private_key.public_key()
# Encode signature to base64
signature_base64 = base64.b64encode(signature).decode('utf-8')
# Print results
print(f"Generated signature: {signature_base64}")
print(f"Signature size: {len(signature)} bytes")
# Get key sizes
private_bytes = private_key.private_bytes(
encoding=serialization.Encoding.Raw,
format=serialization.PrivateFormat.Raw,
encryption_algorithm=serialization.NoEncryption()
)
public_bytes = public_key.public_bytes(
encoding=serialization.Encoding.Raw,
format=serialization.PublicFormat.Raw
)
print(f"Private key size: {len(private_bytes)} bytes")
print(f"Public key size: {len(public_bytes)} bytes")
# Verify the signature
try:
public_key.verify(signature, request_body)
print("✓ Signature verified successfully!")
except Exception:
print("✗ Signature verification failed!")
except Exception as e:
print(f"Error: {str(e)}")
if __name__ == "__main__":
main()After completing the necessary tests of your integration, remember to replace the credentialsUnique access keys that we use to identify an integration in your account, linked to your application. For more information, see the link below.Credentials used during the development stage with the production credentials to start operating in the store's production environment and begin receiving real payments. To do this, you need to activate them. Follow the steps below to do it.
- Go to Your integrations and select an application.
- In Integration data, go to the Credentials section, located on the right side of the screen, and click Production. Then, click Activate credentials. Alternatively, you can access them from the Production credentials section in the left side menu.
- In the Industry field, select the industry or business sector to which the business you are integrating belongs from the drop-down menu.
- In the Website (required) field, complete with the URL of your business website.
- Accept the Privacy Statement and the Terms and Conditions. Fill in the reCAPTCHA and click Activate production credentials.
To go live, you must place the production credentials of your Mercado Pago application in your integration.
To do this, go to Your integrations, go to the Credentials section, located on the right side of the screen, and click Production. Alternatively, you can also access them from Production > Production credentials.
There you will find your productive Public Key and Access Token, which you should use instead of the test account credentials.
For more information, refer to our Credentials documentation.