
Authentication

Overview

About security credentials

When using APIs through the Payments Developer Portal, you must use certificates for:

  • Authentication - to confirm your identity.
  • Authorization - to confirm your permissions.

In addition, you may be asked to provide certificates for:

  • Signing requests, especially POST requests.
  • Encrypting personal data.
  • Receiving callbacks.

Depending on your chosen product, you may be asked to provide one or more of the following types of certificates:

  • Transport Certificate (also called mTLS Certificate) - Provided by an approved Certification Authority (CA). This is an SSL authentication certificate that confirms the identity of a host running your application but does not carry any access permissions.
  • Digital Signature Certificate - For certain API requests, such as POST requests, you may be required to include a Digital Signature Certificate which you use to “sign” your requests. This is an additional layer of security that relies on asymmetric cryptography, just like OAuth with Signed JWT Assertions.
  • Open Authorization (OAuth) Access Token - OAuth is an authorization standard that allows applications to access another application's resources. OAuth access tokens confirm both access identity and permissions. There are two ways of obtaining an OAuth access token:
    • OAuth with Basic Authentication uses client id and client secret in Mock environments.
    • OAuth with Signed JWT Assertion uses asymmetric cryptography* in Testing and Production environments.
      *Asymmetric cryptography is used to sign "JWT Assertions" that are sent to confirm the identity of a host that has access to a private key. The public key for this authentication mechanism can be shared in the form of a certificate and can be used to verify the signatures of the "JWT Assertions" produced by the host.
    • For information on making requests to J.P. Morgan APIs, see OAuth.
  • Callback Certificate - The Callback Certificate is a way to give permission to J.P. Morgan services to send updates as they occur, not only when you have sent an API request. It permits asynchronous connection to your system.
  • Encryption Certificate - The Encryption Certificate allows for an additional layer of security in which you encrypt the request payload. J.P. Morgan supports encryption at multiple levels such as at the Request level and/or at PII Data only, which encrypts data in your payload.
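
The signed JWT assertion mechanism described above, as an added example in shell with OpenSSL (this is not J.P. Morgan's code or utility): a private key signs the assertion, and the public key extracted from the matching certificate verifies it. The claim names, the client identifier, the token endpoint URL and the file names are assumptions for illustration; the key pair and certificate are constructed on the fly.

```shell
#!/usr/bin/env bash
# Added example (not J.P. Morgan's code): build an RS256-signed JWT assertion
# with a private key and verify it with the public key taken from the matching
# certificate, as the "OAuth with Signed JWT Assertion" bullet describes.
# Claim names/values, the token URL and file names are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed key pair and self-signed certificate standing in for the
# Digital Signature Certificate whose public half is shared with the API provider.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/sig.key" -out "$WORK/sig.pem" \
  -subj "/C=US/ST=FL/L=Tampa/O=SampleOrganization/CN=www.example.com" 2>/dev/null

# JWT uses base64url without '=' padding.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# base64url -> binary: restore the standard alphabet and the stripped padding.
b64url_decode() {
  local s; s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==";; 3) s="$s=";; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# make_assertion <private key> <client id> <audience> -> header.payload.signature
make_assertion() {
  local key=$1 iss=$2 aud=$3 now exp header payload sig
  now=$(date +%s); exp=$((now + 300))      # short lifetime limits the replay window
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","iat":%d,"exp":%d}' \
            "$iss" "$iss" "$aud" "$now" "$exp" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$key" | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# verify_assertion <certificate> <jwt> -> exit 0 only if the signature matches
# the certificate's public key over the exact header.payload bytes.
verify_assertion() {
  local cert=$1 jwt=$2 h p s rest
  h=${jwt%%.*}; rest=${jwt#*.}; p=${rest%%.*}; s=${rest#*.}
  openssl x509 -in "$cert" -pubkey -noout > "$WORK/pub.pem"
  printf '%s' "$s" | b64url_decode > "$WORK/sig.bin"
  printf '%s.%s' "$h" "$p" | \
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig.bin" >/dev/null
}

JWT=$(make_assertion "$WORK/sig.key" "client-id-placeholder" "https://api.example.com/token")
verify_assertion "$WORK/sig.pem" "$JWT" && echo "assertion verified with the certificate's public key"
```

A verifier that holds only the certificate can check the assertion; any change to the payload (for example a different issuer) invalidates the signature.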

For additional information on creating certificates and configuring credentials for API access, refer to the "Getting Started" page of the documentation for the API you intend to use.

Tip

Separate credentials are required per environment (Client Testing and Production).

About callbacks

A callback occurs when J.P. Morgan sends event updates asynchronously to your system for the product you are using. To enable callbacks, you must submit your callback URL and authentication certificate via the Payments Developer Portal.

The following diagram illustrates the request, response, and callback communication between your application (including its callback handler) and the J.P. Morgan service.

Callback flow diagram

Certificates needed for callbacks

You are required to upload a Callback Certificate and optionally, an Encryption Certificate, to the Payments Developer Portal.

For a callback, J.P. Morgan issues a Callback Certificate and a Digital Signature Certificate.

Setup authentication

Generate a signed certificate

Generate an authority-signed certificate through a Certificate Authority (CA) or a self-signed certificate using the J.P. Morgan authentication utility or OpenSSL. The following table details approved certificate types for Client Testing and Production environments:

Approved certificates
Environment    | CA-signed certificate | Self-signed certificate
Client Testing | Yes                   | Yes
Production     | Yes                   | No

Use a Certificate Authority

CA-signed certificates must be signed by a J.P. Morgan approved certificate authority.

Follow the instructions for generating a certificate from your selected certificate authority.

Attention

If you are using a CA-signed X.509 certificate, it is your responsibility to ensure the certificate is renewed before it expires. New certificates need to be provided to J.P. Morgan to prevent service interruptions.

Use the authentication utility

The authentication utility for a desired language can be found in the sample-authentication-code directory of the authentication repository. If you choose to generate a self-signed certificate using the authentication utility:

  1. Download and unzip or fork and clone the J.P. Morgan authentication utility.
  2. Open the terminal (or shell), navigate to the sample-authentication-code directory, and then install any required dependencies. Additional information can be found in the README file.
  3. Run the generate certificates file to generate a client certificate request and a self-signed certificate.
  4. Enter your country (two-letter ISO 3166-1 code), state/province (abbreviated or fully spelled), locality/city, organization (legal entity name which owns the domain being secured), organization unit (internal department name), and common name (the fully qualified domain name being secured). This information will be used to construct your client certificate request and self-signed certificate.
Example of location and organization parameters
Plaintext
Country Name (2 letter ISO code): US
State or Province Name: FL
Locality Name (eg, city): Tampa
Organization Name (eg, company): SampleOrganization
Organizational Unit Name (eg, section): SampleUnit
Common Name (eg, fully qualified domain name): www.example.com

Use OpenSSL

If you choose to generate a self-signed certificate using OpenSSL:

1. Run the following OpenSSL command, which generates a new 2048-bit RSA private key and a certificate signing request (CSR) in one step. The sample below uses placeholder values (its C=SW, for instance, is not a valid ISO 3166-1 code); replace them with your own values for the angle-bracketed variables as follows:

  • <filename>.txt — Name of the file that receives the public part of the key pair, written with -out (the sample names it try2.csr). This is the file that needs to be zipped and shared with J.P. Morgan.
  • <filename>.key — Name of the file that will contain your private key, written with -keyout. Do not send it to J.P. Morgan.
  • <Country> — This variable must be a two-letter ISO 3166-1 code.
  • <State> — This variable can be the abbreviated or fully spelled name of your province or state.
  • <City> — This variable must be your city or locality.
  • <Organization> — This variable must be the legal name of the entity which owns your common name.
  • <Organization Unit> — This variable should be the internal department name which owns your common name.
  • <Common Name> — This variable must be your fully qualified domain name.
Generate a key
Plaintext
$ openssl req -new -newkey rsa:2048 -nodes -out try2.csr -keyout try2.key -subj "/C=SW/ST=Stockholm/L=Bandhagen/O=VK/OU=VK/CN=localhostTry2"
Generating a 2048 bit RSA private key
....................................+++++
......................+++++
writing new private key to 'try2.key'
-----

2. Run the following OpenSSL command to generate a self-signed certificate (.pem) from the private key and the CSR created in the previous step. The 365-day validity keeps the certificate within the one-year maximum. Update the angle-bracketed variables as in the previous list, in addition to:

  • <privateKeyFilename>.key — This is the name of the private key you just created.
  • <csrFilename>.csr — This is the name of the CSR you just created.
Generate the certificate (.pem) using the key and CSR
Plaintext
$ openssl req -x509 -days 365 -key try2.key -in try2.csr -out try2.pem

3. Upload the output of the second step (the .pem certificate, never the .key file) to the Payments Developer Portal.
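
As an added example (not J.P. Morgan's utility), the following script runs the two OpenSSL steps above with constructed sample values and then performs the checks worth doing before uploading: that the private key really matches the certificate, that the validity period does not exceed one year, and how close the certificate is to expiry. The path prefix and subject values are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not J.P. Morgan's code): run the two OpenSSL steps above with
# sample values, then check the result before uploading it to the portal.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: new RSA key + CSR in one command. Step 2: self-signed .pem from both.
gen_self_signed() {            # gen_self_signed <path prefix> "<subject>"
  local base=$1 subj=$2
  openssl req -new -newkey rsa:2048 -nodes -out "$base.csr" -keyout "$base.key" \
    -subj "$subj" 2>/dev/null
  openssl req -x509 -days 365 -key "$base.key" -in "$base.csr" -out "$base.pem" 2>/dev/null
}

# The public key embedded in the certificate must equal the one derived from
# the private key; both are emitted as PEM SubjectPublicKeyInfo and hashed.
key_matches_cert() {           # key_matches_cert <key> <cert>
  local k c
  k=$(openssl pkey -in "$1" -pubout | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# Succeeds only if the certificate will already have expired 366 days from now,
# i.e. its validity does not exceed the one-year maximum stated on this page.
within_one_year() {            # within_one_year <cert>
  ! openssl x509 -in "$1" -noout -checkend $((366 * 86400)) >/dev/null
}

# Succeeds if the certificate expires within <days>; use it to schedule the
# renewal that avoids a service interruption.
expires_within_days() {        # expires_within_days <cert> <days>
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

gen_self_signed "$WORK/client" \
  "/C=US/ST=FL/L=Tampa/O=SampleOrganization/OU=SampleUnit/CN=www.example.com"
key_matches_cert "$WORK/client.key" "$WORK/client.pem" && echo "key and certificate match"
within_one_year "$WORK/client.pem" && echo "validity is within one year"
if expires_within_days "$WORK/client.pem" 30; then echo "renew soon"; else echo "not due for renewal"; fi
openssl x509 -in "$WORK/client.pem" -noout -subject -enddate
```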

Add security certificates

When you have products available for the Client Testing and Production environments, you can add the security certificates required to send requests to J.P. Morgan APIs.

  1. In the Payments Developer Portal, navigate to the Security page.
  2. For the environment you plan to use, select the corresponding tab.
  3. In the Request section, click Add Security.
    The "Add certificate" dialog appears.
  4. For the "Certificate use" dropdown, select the type of security certificate you wish to upload.
  5. In the "Certificate upload" box, drag and drop, or browse for the desired certificate, for example, MTLS, Digital signature, or OAuth 2.0.
  6. Click Add Certificate.
    The "Add security" dialog closes and the added certificate is listed.

You have completed the API security requirements. You can start sending API requests in your chosen environments.

Add callback URL and certificates

J.P. Morgan requires authentication for callbacks to protect communication with clients.

To add an authentication certificate:

  1. Navigate to the Global Payments screen, open the Security tab, and select your environment.
  2. Under Response, in the Callbacks section, click Configure callbacks.
    The Configure Callbacks dialog appears.
  3. In the Configure Callbacks dialog, enter your callback URL.
  4. Select the existing certificate if it is the one you want, or use the Drag and drop or Browse box to upload a different one.
  5. Click Configure callbacks.
    The Configure Callbacks dialog closes.

You have added your callback URL and certificate.

Reference of approved list of certificate authorities

J.P. Morgan supports the X.509 International Telecommunication Union standard for the format of public key certificates. In order to use SSL certificates, you must provide J.P. Morgan with UAT and Production certificates issued by one of the listed approved certificate authorities. These certificates should be installed on your server - J.P. Morgan installs them on theirs.

You must use a listed approved Root Certificate and it is recommended to use a listed Intermediate Certificate. Standard API SSL certificate installation lead time is three business days if the Root/Intermediate Certificate combination is available in the J.P. Morgan system. You can submit a new Intermediate Certificate from one of the listed certificate authorities, however, it takes up to ten business days for J.P. Morgan to review, approve, and install.

The validity date for a certificate cannot be greater than one year from the issue date.

Approved root certificates

The approved list of Root Certificates with the authority, name, and SHA-1 thumbprint:

Approved Root Certificates
Authority & Certificate | SHA-1 Thumbprint
DigiCert Global Root CA | a8 98 5d 3a 65 e5 e5 c4 b2 d7 d6 6d 40 c6 dd 2f b1 9c 54 36
DigiCert High Assurance EV Root CA | 5f b7 ee 06 33 e2 59 db ad 0c 4c 9a e6 d3 8f 1a 61 c7 dc 25
DigiCert Global Root G2 | df 3c 24 f9 bf d6 66 76 1b 26 80 73 fe 06 d1 cc 8d 4f 82 a4
DigiCert AssuredID Root CA | 05 63 b8 63 0d 62 d7 5a bb c8 ab 1e 4b df b5 a8 99 b2 4d 43
DigiCert Baltimore CyberTrust Root | d4 de 20 d0 5e 66 fc 53 fe 1a 50 88 2c 78 db 28 52 ca e4 74
DigiCert FederatedID Root CA | 8e 93 4f 88 a5 a4 55 33 36 e2 9b 5f b8 66 60 48 ef aa 82 40
DigiCert VeriSign Class 3 Public Primary CA G5 | 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5
Entrust Root Certificate Authority | b3 1e b1 b7 40 e3 6c 84 02 da dc 37 d4 4d f5 d4 67 49 52 f9
Entrust Root Certificate Authority—G2 | 9e 1a 0c 35 e7 14 b6 97 92 d0 90 b2 cc 4b ba 45 83 3c 30 15
Entrust Root Certification Authority - G2 Global Root | 8c f4 27 fd 79 0c 3a d1 66 06 8d e8 1e 57 ef bb 93 22 72 d4
GlobalSign R3 | d6 9b 56 11 48 f0 1c 77 c5 45 78 c1 09 26 df 5b 85 69 76 ad
GlobalSign Root CA | b1 bc 96 8b d4 f4 9d 62 2a a8 9a 81 f2 15 01 52 a4 1d 82 9c
GoDaddy Root Certificate Authority-G2 | 47 be ab c9 22 ea e8 0e 78 78 34 62 a7 9f 45 c2 54 fd e6 8b
GoDaddy Class 2 Certificate Authority | 27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
J.P. Morgan Chase JPMC Root CA | 1a 58 c1 67 02 09 45 31 0f 25 e9 90 b9 94 cd 59 c8 f2 6b a5
Let's Encrypt ISRG Root X1 | ca bd 2a 79 a1 07 6a 31 f2 1d 25 36 35 cb 03 9d 43 29 a5 e8
Sectigo Comodo RSA Certificate Authority | af e5 d2 44 a8 d1 19 42 30 ff 47 9f e2 f8 97 bb cd 7a 8c b4
Sectigo AAA Certificate Services | d1 eb 23 a4 6d 17 d6 8f d9 25 64 c2 f1 f1 60 17 64 d8 e3 49

Approved intermediate certificates

The approved list of Intermediate Certificates with the authority, name, and SHA-1 thumbprint:

Approved Intermediate Certificates
Authority & Certificate | SHA-1 Thumbprint
DigiCert CN RSA EV CA G1 | 03 09 bf 53 d2 b7 5b c6 b3 ef 5f 33 7f 51 ee ba 1f 99 68 85
DigiCert ECC Secure Server CA | 56 ee 7c 27 06 83 16 2d 83 ba ea cc 79 0e 22 47 1a da ab e8
DigiCert Encryption Everywhere DV TLS CA G2 | ed 63 02 68 4a 32 59 aa 04 f1 0f e9 a9 7a 8f d3 0b 96 5d 26
DigiCert EV RSA CA G2 | 09 0a 16 f9 ba 16 00 1b 2e c1 30 f8 05 23 e5 b5 eb 25 91 58
DigiCert GeoTrust EV RSA CA 2018 | a3 99 04 64 17 b6 7e 32 0d 3e fa 69 d7 dc e6 b8 bf e8 a9 f2
DigiCert GeoTrust Global TLS RSA4096 SHA256 2022 CA1 | 7e 6d b7 b7 58 4d 8c f2 00 3e 09 31 e6 cf c4 1a 3a 62 d3 df
DigiCert GeoTrust RSA CA 2018 | 7c cc 2a 87 e3 94 9f 20 57 2b 18 48 29 80 50 5f a9 0c ac 3b
DigiCert GeoTrust RSA CN CA G2 | 7d f1 c5 f3 c9 46 9a 05 bf 61 d5 64 c5 20 2f 20 ee e0 72 10
DigiCert GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 | 2f 7a a2 d8 60 56 a8 77 57 96 f7 98 c4 81 a0 79 e5 38 e0 04
DigiCert GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 | b2 c2 f9 fc 3a 06 f3 a5 e8 42 89 2a f9 c6 4e d4 77 8b e0 18
DigiCert GeoTrust TLS RSA CA G1 | 8b 3c 5b 9b 86 7d 4b e4 6d 1c b5 a0 1d 45 d6 7d c8 e9 40 82
DigiCert Global CA G2 | d6 ae e3 16 31 f7 ab c5 6b 9d e8 ab ec cc 41 08 a6 26 b1 04
DigiCert Global CA-3 G2 | 10 84 c3 32 26 b4 8d 7c 0b fe d8 21 80 aa b1 dd d8 44 b2 83
DigiCert Global G2 TLS RSA SHA256 2020 CA1 | 1d 73 22 b4 1e d9 9f dd 68 51 1b ab 78 6c 8e 26 e0 83 1b 3b
DigiCert Global G2 TLS RSA SHA256 2020 CA1 | 1b 51 1a be ad 59 c6 ce 20 70 77 c0 bf 0e 00 43 b1 38 26 12
DigiCert Microsoft Azure TLS Issuing CA 02 | e7 ee a6 74 ca 71 8e 3b ef d9 08 58 e0 9f 83 72 ad 0a e2 aa
DigiCert RapidSSL Global TLS RSA 4096 SHA256 2022 CA1 | 68 f2 2b 1a 62 98 f7 da 19 1e 61 49 ed 8d e0 ef ff 54 ad 8c
DigiCert RapidSSL RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1 | 9b d0 8a 58 87 6f 6c 84 9d b6 bb 99 a8 b1 94 89 26 47 86 0e
DigiCert RapidSSL RSA CA 2018 | 98 c6 a8 dc 88 79 63 ba 3c f9 c2 73 1c bd d3 f7 de 05 ac 2d
DigiCert Secure Site CN CA G3 | 44 79 f6 9c 9b e9 c3 94 b9 f1 72 11 aa 6d 6d a8 14 3d b6 9c
DigiCert SHA2 Assured ID CA | e1 2d 2e 8d 47 b6 4f 46 9f 51 88 02 df bd 99 c0 d8 6d 3c 6a
DigiCert SHA2 Assured ID Code Signing CA | 92 c1 58 8e 85 af 22 01 ce 79 15 e8 53 8b 49 2f 60 5b 80 c6
DigiCert SHA2 Extended Validation Server CA | 7e 2f 3a 4f 8f e8 fa 8a 57 30 ae ca 02 96 96 63 7e 98 6f 3f
DigiCert SHA2 High Assurance Server CA | a0 31 c4 67 82 e6 e6 c6 62 c2 c8 7c 76 da 9a a6 2c ca bd 8e
DigiCert SHA2 Secure Server CA | 62 6d 44 e7 04 d1 ce ab e3 bf 0d 53 39 74 64 ac 80 80 14 2c
DigiCert SHA2 Secure Server CA | 1f b8 6b 11 68 ec 74 31 54 06 2e 8c 9c c5 b1 71 a4 b7 cc b4
DigiCert Thawte EV RSA CA 2018 | 9e 84 8f 52 57 5c 6b 1a 69 d6 ab 62 e0 28 8b fa d4 a5 56 4e
DigiCert Thawte RSA CA 2018 | 4d ee a7 06 0d 80 ba bf 16 43 b4 e0 f0 10 4c 82 99 50 75 b7
DigiCert Thawte TLS RSA CA G1 | c9 fe fc 76 3d 95 48 b4 87 69 6f 04 7a cb a0 ab e4 5c 7b c1
DigiCert TLS RSA SHA256 2020 CA1 | 1c 58 a3 a8 51 8e 87 59 bf 07 5b 76 b7 50 d4 f2 df 26 4f cd
DigiCert TLS RSA SHA256 2020 CA1 | 69 38 fd 4d 98 ba b0 3f aa db 97 b3 43 96 83 1e 37 80 ae a1
DigiCert TrustAsia TLS RSA CA | ec 41 91 d1 f3 57 bd 53 94 83 28 6f a6 7f d2 19 14 3d 26 11
DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | 7b 0f 36 0b 77 5f 76 c9 4a 12 ca 48 44 5a a2 d2 a8 75 70 1c
Encryption Everywhere DV TLS CA G1 | 59 4f 2d d1 03 52 c2 36 01 38 ee 35 aa 90 6f 97 3a a3 0b d3
Entrust Certification Authority L1K | f2 1c 12 f4 6c db 6b 2e 16 f0 9f 94 19 cd ff 32 84 37 b2 d7
Entrust Certification Authority L1M | cc 13 66 95 63 90 65 fa b4 70 74 d2 8c 55 31 4c 66 07 7e 90
Entrust Code Signing Root Certification Authority CSB | b3 37 b8 fd b5 6e cb 58 bf 5d bc f8 c2 2c 32 01 07 53 5a 02
Entrust Extended Validation Code Signing CA EVCS2 | b5 20 63 ce cf fa fa 24 b5 79 93 b8 ef e7 fb 1e 4d 6d 56 bc
Gandi RSA Domain Validation Secure Server CA 3 | a5 e9 a8 a4 2b 69 1c 08 bd 9e e5 d6 86 dd 69 c3 71 44 98 dd
GeoTrust CN RSA CA G1 | ab cb 71 01 35 6f 9e 4e 7a 44 99 88 e4 30 0b d0 3b 32 1f 95
GeoTrust RapidSSL SHA256 CA | c8 6e db c7 1a b0 50 78 f6 1a cd f3 d8 dc 5d b6 1e b7 5f b6
GlobalSign AlphaSSL AlphaSSL CA - SHA256 G4 | d3 41 62 62 72 7f e1 82 e0 99 6c 79 3b 0f a4 46 76 c6 54 1a
GlobalSign AlphaSSL CA - SHA256 G2 | 4c 27 43 17 17 56 5a 3a 07 f3 e6 d0 03 2c 42 58 94 9c f9 ec
GlobalSign Extended Validation CA - SHA256 G3 | 60 23 19 2f e7 b5 9d 27 89 13 0a 9f e4 09 4f 9b 55 70 d4 a2
GlobalSign GCC R3 DV TLS CA 2020 | 1c 61 0a 0a 87 d4 92 f4 83 22 c2 af d3 be 9b 6a d3 6b 6b ee
GlobalSign Organization Validation CA - SHA256 G3 | 20 d1 eb ab 5a 71 58 7b 91 16 e4 c7 44 15 d1 a8 5b 0d dd a5
GlobalSign Organization Validation CA - SHA256 G2 | 90 2e f2 de eb 3c 5b 13 ea 4c 3d 51 93 62 93 09 e2 31 ae 55
GlobalSign PersonalSign 1 CA - SHA256 G3 | 5e c2 8e d7 9e 8c e8 5d 8f 84 cd 7a a7 b8 6d 73 b1 71 de b9
GlobalSign RSA DV SSL CA 2018 | a4 16 00 23 31 a4 e0 c8 c5 3d 94 ac 1e 02 34 72 3d 8b de 97
GlobalSign RSA OV SSL CA 2018 | df e8 30 23 06 2b 99 76 82 70 8b 4e ab 8e 81 9a ff 5d 97 75
GoDaddy Secure Certificate Authority G2 | 27 ac 93 69 fa f2 52 07 bb 26 27 ce fa cc be 4e f9 c3 19 b8
JPMC PSIN0P551 | 4f 74 1b d2 e1 3a 18 a5 11 e6 8b 6d fc 51 97 ff 30 2c e5 49
JPMC PSIN0P551 | 35 1e 74 b2 98 01 21 1c 5e 16 58 95 b6 34 20 b4 f7 9c 26 fd
Let's Encrypt DST Authority X3 | e6 a3 b4 5b 06 2d 50 9b 33 82 28 2d 19 6e fe 97 d5 95 6c cb
Let's Encrypt DST R3 | 48 50 4e 97 4c 0d ac 5b 5c d4 76 c8 20 22 74 b2 4c 8c 71 72
Let's Encrypt R3 | a0 53 37 5b fe 84 e8 b7 48 78 2c 7c ee 15 82 7a 6a f5 a4 05
RapidSSL TLS RSA CA G1 | cb fe 9e b4 3b 3b 37 fe 0d fb c4 c2 eb 2d 4e 07 d0 8b d8 e8
Sectigo COMODO CA Gandi Pro SSL CA 2 | 72 27 6f a9 27 54 59 0c b8 24 e8 fa d4 71 59 75 fa 31 6b 33
Sectigo COMODO CA Network Solutions OV Server CA 2 | 44 0f f6 8a 35 e0 39 95 ac 55 e4 57 a6 7e b1 68 0f 9a 7c dd
Sectigo COMODO CA ZeroSSL RSA Domain Secure Site CA | c8 1a 8b d1 f9 cf 6d 84 c5 25 f3 78 ca 1d 3f 8c 30 77 0e 34
Sectigo COMODO RSA Organization Validation Secure Server CA | 10 4c 63 d2 54 6b 80 21 dd 10 5e 9f ba 5a 8d 78 16 9f 6b 32
Sectigo Corporation Service Company RSA OV SSL CA | d7 2c af 0e f1 a2 ea f2 f5 fe e5 cc fd 74 28 a3 20 41 84
Sectigo Gandi Standard SSL CA 2 | 24 71 06 a4 05 b2 88 a4 6e 70 a0 26 27 17 16 2d 09 03 e7 34
Sectigo InCommon RSA Server CA | f5 fb 01 de a6 e5 9c a6 dd 05 70 54 f4 a3 ff 72 dd e1 d5 c6
Sectigo Network Solutions DV Server CA 2 | 90 85 4c e5 74 d0 32 18 df 2e 7b 4a 05 4a a5 3f 69 51 c1 d2
Sectigo Network Solutions RSA DV SSL CA 3 | ec 86 c3 53 d7 ac b5 4d e7 6f 11 64 79 14 e8 f3 84 c5 e6 a3
Sectigo RSA Extended Validation Secure Server CA | a3 df 96 6d 0c b2 d8 4a f8 f1 6c 85 5b 97 c4 93 64 f5 d8 c0
Sectigo Public Code Signing CA R36 | 0b c5 e7 67 73 d2 e4 4f c9 90 3d 4d fe fe 45 15 53 bb ec 4a
Sectigo Public Code Signing Root R46 | 32 9b 78 a5 c9 eb c2 04 32 42 de 90 ce 1b 7c 6b 1b a6 c6 92
Sectigo TrustAsia RSA DV TLS CA G2 | f3 4d de cf 3e a1 0b d2 e2 f6 30 8e d1 ce 53 7b 09 35 78 b3
Sectigo Trusted Secure Certificate Authority 5 | 52 5c 47 fb 3a 5e 06 55 fb d4 be 96 3c a1 e9 4d 5f ec b4 3d
Sectigo USERTrust RSA Certification Authority | d8 9e 3b d4 3d 5d 90 9b 47 a1 89 77 aa 9d 5c e3 6c ee 18 4c
Secure Site CA G2 | 8d 88 8b 3c ae 20 c7 4f 4c e1 b3 0b f5 1e e3 6e ab 56 2c de
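
Before requesting a production certificate, it is worth confirming that the issuing chain you intend to use actually appears in the tables above. The following shell example (added here; not J.P. Morgan's tooling) computes a certificate's SHA-1 thumbprint in the lowercase, space-separated form the tables use and checks it against an approved list. The list holds only two rows copied from the root table; the certificate it checks is constructed on the fly and is therefore expected not to match.

```shell
#!/usr/bin/env bash
# Added example (not J.P. Morgan's tooling): SHA-1 thumbprint in the tables'
# format, checked against an approved list. Extend APPROVED_ROOTS with the
# rows you rely on; the test certificate below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two thumbprints copied from the "Approved root certificates" table
# (DigiCert Global Root CA and Let's Encrypt ISRG Root X1), one per line.
APPROVED_ROOTS='a8 98 5d 3a 65 e5 e5 c4 b2 d7 d6 6d 40 c6 dd 2f b1 9c 54 36
ca bd 2a 79 a1 07 6a 31 f2 1d 25 36 35 cb 03 9d 43 29 a5 e8'

# openssl prints "A8:98:5D:..."; the tables above use "a8 98 5d ...".
normalize_fp() { tr 'A-F:' 'a-f '; }

# thumbprint_of <cert.pem> -> table-format SHA-1 thumbprint
thumbprint_of() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*Fingerprint=//' | normalize_fp
}

# is_approved <cert.pem> <list> -> exit 0 only on an exact whole-line match
is_approved() {
  local fp; fp=$(thumbprint_of "$1")
  printf '%s\n' "$2" | grep -qxF "$fp"
}

# report_chain <list> <cert.pem>... -> one status line per certificate file
report_chain() {
  local list=$1 c; shift
  for c in "$@"; do
    if is_approved "$c" "$list"; then echo "approved   $(thumbprint_of "$c")  $c"
    else echo "NOT LISTED $(thumbprint_of "$c")  $c"; fi
  done
}

# Constructed self-signed certificate: well formed, but not an approved root.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/self.key" \
  -out "$WORK/self.pem" -subj "/CN=www.example.com" 2>/dev/null
report_chain "$APPROVED_ROOTS" "$WORK/self.pem"
```

Run report_chain over each certificate of the chain you plan to submit (root and intermediate as separate PEM files); a NOT LISTED intermediate is the case that incurs the longer review lead time described above.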

Next steps