Credentials
Credentials are unique access keys that we use to identify an integration in your account. They are directly linked to the applicationEntity registered in Mercado Pago that acts as an identifier to manage your integrations. For more information, access the link below.Application details you created for that integration and will allow you to develop your project with the best Mercado Pago security measures.
Types of credentials
Credentials are divided into two types: test credentials and production credentials. Below, we explain what they are about.
Test credentials
Test credentials are a set of keys that are used both in the development stage, to ensure secure settings, and in the testing stage, to test the integration.
During the integration process, use test credentials to perform all necessary configurations and validations, ensuring that no real payments are made in production. These credentials simulate the information of a production account, but in a secure testing environment. Keep using test credentials throughout the entire development phase. Only change them to production credentials when the system is completely validated and ready to be published.
When you create an application, the test credentials will be generated automatically. If this does not happen, simply click on Activate credentials in the data of the respective application or as indicated below.
- In Your integrations, select your application. Then, go to the Tests section and click on Test Credentials in the menu on the left side of the screen.
- Accept the Privacy Statement and the Terms and Conditions. Fill in the reCAPTCHA and click on Activate credentials.
When accessing the test credentials, the Public Key and Access Token credential pair will be displayed.
Public Key and Access Token
The test Public Key and Access Token credentials are used in the same way as production credentials, but will not allow any real transactions to be made. In some integrations, they will be required during the development stage to simulate transactions and verify that your integration works correctly.
| Type | Description |
| Public Key | The application's public key is generally used in the frontend. It allows, for example, access to information about payment methods and encrypt card data. |
| Access Token | Application's private key that should always be used in the backend to generate payments. It is essential to keep this information safe on your servers. |
Share credentials
If you are developing for someone else or receiving help in the integration or configuration of your stores, you can securely share the credentials with another Mercado Pago account.
You can share credentials up to a maximum of 10 times. If you reach this limit, you must delete old permissions, without impacting already configured integrations.
In addition, if for security reasons you no longer want to share your credentials, you can cancel access.
Below, we show you how to share credentials.
- In the upper right corner of Mercado Pago Developers, click Log in and enter the required data with the information corresponding to your Mercado Pago account. Then, click on the Your integrations button located in the upper right corner.
- Access the application of the integration for which you need to share the credentials.
- Go to the Testing or Production section, depending on the type of credential you want to share. Remember that to access production credentials, you must activate them. If you don't know how to activate them, go to Activate production credentials.
- Once you select the credentials, go to the Share credentials with a developer section and click on the Share Credentials button.
- Enter the email address of the person you want to grant access to. Remember: it is mandatory that the email address is associated with a Mercado Pago account.
Renew credentials
You can renew your production credentials for security reasons or any other relevant reason.
To renew a credential pair, follow the steps below.
- Access your production credentials through Your integrations.
- Select the credential pair you want to renew. These can be Public Key and Access Token or Client ID and Client Secret. Keep in mind that both credentials in the pair you choose will be renewed.
- Click on the three dots located to the right of the credential you want to renew and select Renew. Click on Renew now to confirm the change.
Done, your credentials have been renewed.
Security Recommendations
When integrating Mercado Pago solutions, you will handle sensitive data that you must protect from potential losses or vulnerabilities, such as your Mercado Pago access credentials, the keys you use in your integrations, or your customers' information.
We will show you how you can optimize the security of your integrations in a simple and quick way.
Send the Access Token by header
Every time you make API calls, send the Access Token via header instead of query param. This will allow you to protect it so that it is not exposed to anyone outside your integration.
For example, if you perform a GET request to the /users/me resource, it would be like this:
curl
curl -H 'Authorization: Bearer {{YOUR_ACCESS_TOKEN}}' \ https://api.mercadolibre.com/users/me
Use OAuth to manage third-party credentials
OAuth is an authorization protocol that allows applications to securely access user accounts in HTTP services without requiring the user to directly share their credentials. It works as an intermediary that facilitates controlled access to user data by third-party applications.
For more information, access the documentation.