Shieldpay

Getting Started

Integration Lifecycle

API Fundamentals

Environments

Authentication & Security

Additional Request Requirements

Webhooks

Examples

Generating a Private Key and CSR

Default

Production

Authentication (mTLS & API Keys)

IP Whitelisting

Obtaining Your Certificate & API Key

Request Signing (Digital Signature)

<p class="slate-p " ></p><p class="slate-p " >In addition to the security requirements, every request must include the following headers.</p><p class="slate-p " ></p><h2 class="slate-h2 " >Request ID</h2><p class="slate-p " >All API requests must include a <code class="slate-code">RequestID</code> header containing a unique, randomly generated v4 UUID. This is used for idempotency. If you send a request with a <code class="slate-code">RequestID</code> that has already been processed, you will receive an HTTP <code class="slate-code">409 Conflict</code> response.</p><p class="slate-p " >Request IDs are scoped to your Organisation when performing idempotency checks. Seperate organisations can use the same <code class="slate-code">RequestID</code> without triggering a <code class="slate-code">409</code> response.</p><div class="code-block-wrapper"  style="width:100%;min-width:100%" ><div class="code-block-header">Plain text</div><pre class="slate-CodeBlockElement slate-code_block"><textarea id="publishedPageCodeblock" style="display:none !important; visibility: hidden; opacity: 0; width: 1px; height: 1px;" type="hidden">RequestID: 6e4d76af-a440-44d9-b9c1-b53c1ea3aa0e </textarea><code class="language-plainText keep-markup drop-tokens"></code></pre></div><p class="slate-p " ></p><h2 class="slate-h2 " >Timestamp</h2><p class="slate-p " >All API requests must include a <code class="slate-code">Timestamp</code> header containing the current time in ISO 8601 format (UTC). Requests with a timestamp that is in the future or more than 5 minutes in the past will be rejected with an HTTP <code class="slate-code">401 Unauthorized</code> response.</p><div class="code-block-wrapper"  style="width:100%;min-width:100%" ><div class="code-block-header">Plain text</div><pre class="slate-CodeBlockElement slate-code_block"><textarea id="publishedPageCodeblock" style="display:none !important; visibility: hidden; opacity: 0; width: 1px; height: 1px;" type="hidden">Timestamp: 2025-05-24T16:20:32.189Z </textarea><code class="language-plainText keep-markup drop-tokens"></code></pre></div><p class="slate-p " ></p>

In addition to the security requirements, every request must include the following headers.

 header containing a unique, randomly generated v4 UUID. This is used for idempotency. If you send a request with a 

 that has already been processed, you will receive an HTTP 

Request IDs are scoped to your Organisation when performing idempotency checks. Seperate organisations can use the same 

 header containing the current time in ISO 8601 format (UTC). Requests with a timestamp that is in the future or more than 5 minutes in the past will be rejected with an HTTP 

Sections

Additional Request Requirements

Request ID

Timestamp

On this page