Authentication
Overview
About security credentials
When using APIs through the Payments Developer Portal, you must use certificates for:
- Authentication - to confirm your identity.
- Authorization - to confirm your permissions.
In addition, you may be asked to provide certificates for:
- Signing requests, especially POST requests.
- Encrypting personal data.
- Receiving callbacks.
Depending on your chosen product, you may be asked to provide one or more of the following types of certificates:
Transport Certificate (also called mTLS Certificate) - Provided by an approved Certification Authority (CA). This is an SSL authentication certificate that confirms the identity of a host running your application but does not carry any access permissions.
Open Authorization (OAuth) Access Token - OAuth is an authorization standard that allows applications to access another application's resources. OAuth access tokens confirm both access permissions and identity. There are two ways of obtaining an OAuth access token:
- OAuth with Basic Authentication uses client id and client secret in Mock environments.
- OAuth with Signed JWT Assertion uses asymmetric cryptography* in Testing and Production environments.
*Asymmetric cryptography is used to sign "JWT Assertions" that are sent to confirm the identity of a host that has access to a private key. The public key for this authentication mechanism can be shared in the form of a certificate and can be used to verify the signatures of the "JWT Assertions" produced by the host.
Digital Signature Certificate - For certain API requests, such as POST requests, you may be required to include a Digital Signature Certificate which you use to “sign” your requests. This is an additional layer of security that relies on asymmetric cryptography, just like OAuth with Signed JWT Assertions.
Callback Certificate - The Callback Certificate is a way to give permission to J.P. Morgan services to send updates as they occur, not only when you have sent an API request. It permits asynchronous connection to your system.
Encryption Certificate - The Encryption Certificate allows for an additional layer of security in which you encrypt the request payload. J.P. Morgan supports encryption at multiple levels, such as the Request level and/or PII Data only, which encrypts data in your payload.
For additional information on creating certificates and configuring credentials for API access, refer to the "Getting Started" page of the documentation for the API you are interested in using.
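The signed-assertion mechanism described under "OAuth with Signed JWT Assertion", as an added example that is not J.P. Morgan code: a client signs a JWT with its private key, and a verifier checks it with the matching public key. RS256, the RFC 7523 claim names, the CLIENT_ID value and the token URL are assumptions; this page does not specify them.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const TOKEN_URL = 'https://auth.example.test/oauth2/token'; // placeholder audience

// Client: sign header.payload with the private key, which never leaves the host.
function signAssertion(claims, privateKey) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(crypto.sign('sha256', Buffer.from(input), privateKey))}`;
}

// Verifier: check the signature with the registered public key, then the claims.
function verifyAssertion(jwt, publicKey, nowSeconds) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return 'malformed';
  const [h, p, s] = parts;
  let header, claims;
  try { header = decode(h); claims = decode(p); } catch { return 'malformed'; }
  // Pin the algorithm instead of trusting the token's own header.
  if (header?.alg !== 'RS256') return 'unexpected alg';
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKey, sig)) {
    return 'bad signature';
  }
  if (claims?.aud !== TOKEN_URL) return 'wrong audience';
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return 'expired';
  return 'ok';
}

// Constructed sample run: throwaway keys, placeholder client id, fixed clock.
function demo() {
  const now = 1700000000;
  const client = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const stranger = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const claims = { iss: 'CLIENT_ID', sub: 'CLIENT_ID', aud: TOKEN_URL,
    iat: now, exp: now + 300, jti: crypto.randomUUID() };
  const jwt = signAssertion(claims, client.privateKey);
  const [h, , s] = jwt.split('.');
  // Payload altered after signing, original signature reused.
  const forged = `${h}.${b64url(JSON.stringify({ ...claims, sub: 'OTHER' }))}.${s}`;
  const foreign = signAssertion(claims, stranger.privateKey);
  return {
    genuine: verifyAssertion(jwt, client.publicKey, now),
    forged: verifyAssertion(forged, client.publicKey, now),
    wrongKey: verifyAssertion(foreign, client.publicKey, now),
    expired: verifyAssertion(jwt, client.publicKey, now + 301),
  };
}
console.log(demo());
```

In a real integration the verifier takes the public key from the certificate shared with it, not from a key pair generated in the same process.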
About callbacks
A callback occurs when J.P. Morgan sends event updates asynchronously to your system for the product you are using. To enable callbacks, you must submit your callback URL and authentication certificate via the Payments Developer Portal.
The following diagram illustrates the request, response, and callback communication between your application and callback handle and the J.P. Morgan service.
Certificates needed for callbacks
You are required to upload a Callback Certificate and optionally, an Encryption Certificate, to the Payments Developer Portal.
For a callback, J.P. Morgan issues a Callback Certificate and a Digital Signature Certificate.
Set up authentication
Add security certificates
When you have products available for the Testing and Production environments, you can add the security certificates required to send requests to J.P. Morgan APIs.
To view the required credentials, and upload them to your project:
- Navigate to the Global Payments screen, Security tab.
  The accepted credentials and certificate types are shown for each environment.
- For each environment you plan to use, select the environment and then click Upload certificate. You cannot use the same certificate for more than one environment.
  The Upload certificate dialog appears.
- In the Upload certificate dialog, add your certificate.
- Click Upload certificate.
  The Upload certificate dialog closes.
You have completed the API security requirements. You can start sending API requests in your chosen environments.
Add callback URL and certificates
J.P. Morgan requires authentication for callbacks to protect communication with clients.
To add an authentication certificate:
- Navigate to the Global Payments screen, Security tab, and select your environment.
- Under Response, in the Callbacks section, click Configure callbacks.
  The Configure Callbacks dialog appears.
- In the Configure Callbacks dialog, enter your callback URL.
- Select the existing certificate if it is the one you want, or use the Drag and drop or Browse box to upload the certificate you want.
- Click Configure callbacks.
  The Configure Callbacks dialog closes.
You have added your callback URL and certificate.
Reference of approved list of certificate authorities
J.P. Morgan supports the X.509 International Telecommunication Union standard for the format of public key certificates. In order to use SSL certificates, you must provide J.P. Morgan with UAT and Production certificates issued by one of the listed approved certificate authorities. These certificates should be installed on your server - J.P. Morgan installs them on theirs.
You must use a listed approved Root Certificate, and it is recommended to use a listed Intermediate Certificate. Standard API SSL certificate installation lead time is three business days if the Root/Intermediate Certificate combination is available in the J.P. Morgan system. You can submit a new Intermediate Certificate from one of the listed certificate authorities; however, it takes up to ten business days for J.P. Morgan to review, approve, and install it.
The validity date for a certificate cannot be greater than one year from the issue date.
Approved root certificates
The approved list of Root Certificates with the authority, name, and thumbprint:
Authority & Certificate | SHA-1 Thumbprint |
---|---|
DigiCert Global Root CA | a8 98 5d 3a 65 e5 e5 c4 b2 d7 d6 6d 40 c6 dd 2f b1 9c 54 36 |
DigiCert High Assurance EV Root CA | 5f b7 ee 06 33 e2 59 db ad 0c 4c 9a e6 d3 8f 1a 61 c7 dc 25 |
DigiCert Global Root G2 | df 3c 24 f9 bf d6 66 76 1b 26 80 73 fe 06 d1 cc 8d 4f 82 a4 |
DigiCert AssuredID Root CA | 05 63 b8 63 0d 62 d7 5a bb c8 ab 1e 4b df b5 a8 99 b2 4d 43 |
DigiCert Baltimore CyberTrust Root | d4 de 20 d0 5e 66 fc 53 fe 1a 50 88 2c 78 db 28 52 ca e4 74 |
DigiCert FederatedID Root CA | 8e 93 4f 88 a5 a4 55 33 36 e2 9b 5f b8 66 60 48 ef aa 82 40 |
DigiCert VeriSign Class 3 Public Primary CA G5 | 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5 |
Entrust Root Certificate Authority | b3 1e b1 b7 40 e3 6c 84 02 da dc 37 d4 4d f5 d4 67 49 52 f9 |
Entrust Root Certificate Authority—G2 | 9e 1a 0c 35 e7 14 b6 97 92 d0 90 b2 cc 4b ba 45 83 3c 30 15 |
Entrust Root Certification Authority - G2 Global Root | 8c f4 27 fd 79 0c 3a d1 66 06 8d e8 1e 57 ef bb 93 22 72 d4 |
GlobalSign R3 | d6 9b 56 11 48 f0 1c 77 c5 45 78 c1 09 26 df 5b 85 69 76 ad |
GlobalSign Root CA | b1 bc 96 8b d4 f4 9d 62 2a a8 9a 81 f2 15 01 52 a4 1d 82 9c |
GoDaddy Root Certificate Authority-G2 | 47 be ab c9 22 ea e8 0e 78 78 34 62 a7 9f 45 c2 54 fd e6 8b |
GoDaddy Class 2 Certificate Authority | 27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4 |
J.P. Morgan Chase JPMC Root CA | 1a 58 c1 67 02 09 45 31 0f 25 e9 90 b9 94 cd 59 c8 f2 6b a5 |
Let's Encrypt ISRG Root X1 | ca bd 2a 79 a1 07 6a 31 f2 1d 25 36 35 cb 03 9d 43 29 a5 e8 |
Sectigo Comodo RSA Certificate Authority | af e5 d2 44 a8 d1 19 42 30 ff 47 9f e2 f8 97 bb cd 7a 8c b4 |
Sectigo AAA Certificate Services | d1 eb 23 a4 6d 17 d6 8f d9 25 64 c2 f1 f1 60 17 64 d8 e3 49 |
Approved intermediate certificates
The approved list of Intermediate Certificates with the authority, name, and thumbprint:
Authority & Certificate | SHA-1 Thumbprint |
---|---|
DigiCert CN RSA EV CA G1 DigiCert CN RSA EV CA G1 | 03 09 bf 53 d2 b7 5b c6 b3 ef 5f 33 7f 51 ee ba 1f 99 68 85 |
DigiCert ECC Secure Server CA | 56 ee 7c 27 06 83 16 2d 83 ba ea cc 79 0e 22 47 1a da ab e8 |
DigiCert Encryption Everywhere DV TLS CA G2 | ed 63 02 68 4a 32 59 aa 04 f1 0f e9 a9 7a 8f d3 0b 96 5d 26 |
DigiCert EV RSA CA G2 | 09 0a 16 f9 ba 16 00 1b 2e c1 30 f8 05 23 e5 b5 eb 25 91 58 |
DigiCert GeoTrust EV RSA CA 2018 | a3 99 04 64 17 b6 7e 32 0d 3e fa 69 d7 dc e6 b8 bf e8 a9 f2 |
DigiCert GeoTrust Global TLS RSA4096 SHA256 2022 CA1 | 7e 6d b7 b7 58 4d 8c f2 00 3e 09 31 e6 cf c4 1a 3a 62 d3 df |
DigiCert GeoTrust RSA CA 2018 | 7c cc 2a 87 e3 94 9f 20 57 2b 18 48 29 80 50 5f a9 0c ac 3b |
DigiCert GeoTrust RSA CN CA G2 | 7d f1 c5 f3 c9 46 9a 05 bf 61 d5 64 c5 20 2f 20 ee e0 72 10 |
DigiCert GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 | 2f 7a a2 d8 60 56 a8 77 57 96 f7 98 c4 81 a0 79 e5 38 e0 04 |
DigiCert GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 | b2 c2 f9 fc 3a 06 f3 a5 e8 42 89 2a f9 c6 4e d4 77 8b e0 18 |
DigiCert GeoTrust TLS RSA CA G1 | 8b 3c 5b 9b 86 7d 4b e4 6d 1c b5 a0 1d 45 d6 7d c8 e9 40 82 |
DigiCert Global CA G2 | d6 ae e3 16 31 f7 ab c5 6b 9d e8 ab ec cc 41 08 a6 26 b1 04 |
DigiCert Global CA-3 G2 | 10 84 c3 32 26 b4 8d 7c 0b fe d8 21 80 aa b1 dd d8 44 b2 83 |
DigiCert Global G2 TLS RSA SHA256 2020 CA1 | 1d 73 22 b4 1e d9 9f dd 68 51 1b ab 78 6c 8e 26 e0 83 1b 3b |
DigiCert Global G2 TLS RSA SHA256 2020 CA1 | 1b 51 1a be ad 59 c6 ce 20 70 77 c0 bf 0e 00 43 b1 38 26 12 |
DigiCert Microsoft Azure TLS Issuing CA 02 | e7 ee a6 74 ca 71 8e 3b ef d9 08 58 e0 9f 83 72 ad 0a e2 aa |
DigiCert RapidSSL Global TLS RSA 4096 SHA256 2022 CA1 | 68 f2 2b 1a 62 98 f7 da 19 1e 61 49 ed 8d e0 ef ff 54 ad 8c |
DigiCert RapidSSL RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1 | 9b d0 8a 58 87 6f 6c 84 9d b6 bb 99 a8 b1 94 89 26 47 86 0e |
DigiCert RapidSSL RSA CA 2018 | 98 c6 a8 dc 88 79 63 ba 3c f9 c2 73 1c bd d3 f7 de 05 ac 2d |
DigiCert Secure Site CN CA G3 | 44 79 f6 9c 9b e9 c3 94 b9 f1 72 11 aa 6d 6d a8 14 3d b6 9c |
DigiCert SHA2 Assured ID CA | e1 2d 2e 8d 47 b6 4f 46 9f 51 88 02 df bd 99 c0 d8 6d 3c 6a |
DigiCert SHA2 Assured ID Code Signing CA | 92 c1 58 8e 85 af 22 01 ce 79 15 e8 53 8b 49 2f 60 5b 80 c6 |
DigiCert SHA2 Extended Validation Server CA | 7e 2f 3a 4f 8f e8 fa 8a 57 30 ae ca 02 96 96 63 7e 98 6f 3f |
DigiCert SHA2 High Assurance Server CA | a0 31 c4 67 82 e6 e6 c6 62 c2 c8 7c 76 da 9a a6 2c ca bd 8e |
DigiCert SHA2 Secure Server CA | 62 6d 44 e7 04 d1 ce ab e3 bf 0d 53 39 74 64 ac 80 80 14 2c |
DigiCert SHA2 Secure Server CA | 1f b8 6b 11 68 ec 74 31 54 06 2e 8c 9c c5 b1 71 a4 b7 cc b4 |
DigiCert Thawte EV RSA CA 2018 | 9e 84 8f 52 57 5c 6b 1a 69 d6 ab 62 e0 28 8b fa d4 a5 56 4e |
DigiCert Thawte RSA CA 2018 | 4d ee a7 06 0d 80 ba bf 16 43 b4 e0 f0 10 4c 82 99 50 75 b7 |
DigiCert Thawte TLS RSA CA G1 | c9 fe fc 76 3d 95 48 b4 87 69 6f 04 7a cb a0 ab e4 5c 7b c1 |
DigiCert TLS RSA SHA256 2020 CA1 | 1c 58 a3 a8 51 8e 87 59 bf 07 5b 76 b7 50 d4 f2 df 26 4f cd |
DigiCert TLS RSA SHA256 2020 CA1 | 69 38 fd 4d 98 ba b0 3f aa db 97 b3 43 96 83 1e 37 80 ae a1 |
DigiCert TrustAsia TLS RSA CA | ec 41 91 d1 f3 57 bd 53 94 83 28 6f a6 7f d2 19 14 3d 26 11 |
DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | 7b 0f 36 0b 77 5f 76 c9 4a 12 ca 48 44 5a a2 d2 a8 75 70 1c |
Encryption Everywhere DV TLS CA G1 | 59 4f 2d d1 03 52 c2 36 01 38 ee 35 aa 90 6f 97 3a a3 0b d3 |
Entrust Certification Authority L1K | f2 1c 12 f4 6c db 6b 2e 16 f0 9f 94 19 cd ff 32 84 37 b2 d7 |
Entrust Certification Authority L1M | cc 13 66 95 63 90 65 fa b4 70 74 d2 8c 55 31 4c 66 07 7e 90 |
Entrust Code Signing Root Certification Authority CSB | b3 37 b8 fd b5 6e cb 58 bf 5d bc f8 c2 2c 32 01 07 53 5a 02 |
Entrust Extended Validation Code Signing CA EVCS2 | b5 20 63 ce cf fa fa 24 b5 79 93 b8 ef e7 fb 1e 4d 6d 56 bc |
Gandi RSA Domain Validation Secure Server CA 3 Gandi | a5 e9 a8 a4 2b 69 1c 08 bd 9e e5 d6 86 dd 69 c3 71 44 98 dd |
GeoTrust CN RSA CA G1 | ab cb 71 01 35 6f 9e 4e 7a 44 99 88 e4 30 0b d0 3b 32 1f 95 |
GeoTrust RapidSSL SHA256 CA | c8 6e db c7 1a b0 50 78 f6 1a cd f3 d8 dc 5d b6 1e b7 5f b6 |
GlobalSign AlphaSSL AlphaSSL CA - SHA256 G4 | d3 41 62 62 72 7f e1 82 e0 99 6c 79 3b 0f a4 46 76 c6 54 1a |
GlobalSign AlphaSSL CA - SHA256 G2 | 4c 27 43 17 17 56 5a 3a 07 f3 e6 d0 03 2c 42 58 94 9c f9 ec |
GlobalSign Extended Validation CA - SHA256 G3 | 60 23 19 2f e7 b5 9d 27 89 13 0a 9f e4 09 4f 9b 55 70 d4 a2 |
GlobalSign GCC R3 DV TLS CA 2020 | 1c 61 0a 0a 87 d4 92 f4 83 22 c2 af d3 be 9b 6a d3 6b 6b ee |
GlobalSign Organization Validation CA - SHA256 G3 | 20 d1 eb ab 5a 71 58 7b 91 16 e4 c7 44 15 d1 a8 5b 0d dd a5 |
GlobalSign Organization Validation CA - SHA256 G2 | 90 2e f2 de eb 3c 5b 13 ea 4c 3d 51 93 62 93 09 e2 31 ae 55 |
GlobalSign PersonalSign 1 CA - SHA256 G3 | 5e c2 8e d7 9e 8c e8 5d 8f 84 cd 7a a7 b8 6d 73 b1 71 de b9 |
GlobalSign RSA DV SSL CA 2018 | a4 16 00 23 31 a4 e0 c8 c5 3d 94 ac 1e 02 34 72 3d 8b de 97 |
GlobalSign RSA OV SSL CA 2018 | df e8 30 23 06 2b 99 76 82 70 8b 4e ab 8e 81 9a ff 5d 97 75 |
GoDaddy Secure Certificate Authority G2 | 27 ac 93 69 fa f2 52 07 bb 26 27 ce fa cc be 4e f9 c3 19 b8 |
JPMC PSIN0P551 | 4f 74 1b d2 e1 3a 18 a5 11 e6 8b 6d fc 51 97 ff 30 2c e5 49 |
JPMC PSIN0P551 | 35 1e 74 b2 98 01 21 1c 5e 16 58 95 b6 34 20 b4 f7 9c 26 fd |
Let's Encrypt DST Authority X3 | e6 a3 b4 5b 06 2d 50 9b 33 82 28 2d 19 6e fe 97 d5 95 6c cb |
Let's Encrypt DST R3 | 48 50 4e 97 4c 0d ac 5b 5c d4 76 c8 20 22 74 b2 4c 8c 71 72 |
Let's Encrypt R3 | a0 53 37 5b fe 84 e8 b7 48 78 2c 7c ee 15 82 7a 6a f5 a4 05 |
RapidSSL TLS RSA CA G1 RapidSSL TLS RSA CA G1 | cb fe 9e b4 3b 3b 37 fe 0d fb c4 c2 eb 2d 4e 07 d0 8b d8 e8 |
Sectigo COMODO CA Gandi Pro SSL CA 2 | 72 27 6f a9 27 54 59 0c b8 24 e8 fa d4 71 59 75 fa 31 6b 33 |
Sectigo COMODO CA Network Solutions OV Server CA 2 | 44 0f f6 8a 35 e0 39 95 ac 55 e4 57 a6 7e b1 68 0f 9a 7c dd |
Sectigo COMODO CA ZeroSSL RSA Domain Secure Site CA | c8 1a 8b d1 f9 cf 6d 84 c5 25 f3 78 ca 1d 3f 8c 30 77 0e 34 |
Sectigo COMODO RSA Organization Validation Secure Server CA | 10 4c 63 d2 54 6b 80 21 dd 10 5e 9f ba 5a 8d 78 16 9f 6b 32 |
Sectigo Corporation Service Company RSA OV SSL CA | d7 2c af 0e f1 a2 ea f2 f5 fe e5 cc fd 74 28 a3 20 41 84 |
Sectigo Gandi Standard SSL CA 2 | 24 71 06 a4 05 b2 88 a4 6e 70 a0 26 27 17 16 2d 09 03 e7 34 |
Sectigo InCommon RSA Server CA | f5 fb 01 de a6 e5 9c a6 dd 05 70 54 f4 a3 ff 72 dd e1 d5 c6 |
Sectigo Network Solutions DV Server CA 2 | 90 85 4c e5 74 d0 32 18 df 2e 7b 4a 05 4a a5 3f 69 51 c1 d2 |
Sectigo Network Solutions RSA DV SSL CA 3 | ec 86 c3 53 d7 ac b5 4d e7 6f 11 64 79 14 e8 f3 84 c5 e6 a3 |
Sectigo RSA Extended Validation Secure Server CA | a3 df 96 6d 0c b2 d8 4a f8 f1 6c 85 5b 97 c4 93 64 f5 d8 c0 |
Sectigo Public Code Signing CA R36 | 0b c5 e7 67 73 d2 e4 4f c9 90 3d 4d fe fe 45 15 53 bb ec 4a |
Sectigo Public Code Signing Root R46 | 32 9b 78 a5 c9 eb c2 04 32 42 de 90 ce 1b 7c 6b 1b a6 c6 92 |
Sectigo TrustAsia RSA DV TLS CA G2 | f3 4d de cf 3e a1 0b d2 e2 f6 30 8e d1 ce 53 7b 09 35 78 b3 |
Sectigo Trusted Secure Certificate Authority 5 | 52 5c 47 fb 3a 5e 06 55 fb d4 be 96 3c a1 e9 4d 5f ec b4 3d |
Sectigo USERTrust RSA Certification Authority | d8 9e 3b d4 3d 5d 90 9b 47 a1 89 77 aa 9d 5c e3 6c ee 18 4c |
Secure Site CA G2 Secure Site CA G2 | 8d 88 8b 3c ae 20 c7 4f 4c e1 b3 0b f5 1e e3 6e ab 56 2c de |
Next steps
- Review J.P. Morgan API specifications.