Gateway Credential Retrieval Guide
Launchpay Orchestrate
When a merchant is boarded for Card Not Present (CNP) processing through Launchpay Orchestrate, unique gateway credentials are generated for that merchant.
These credentials — an API key and API secret — allow your application to create and manage credit card and ACH transactions on behalf of the merchant.
This guide walks API-integrated partners through the end-to-end flow for detecting when credentials are available and retrieving them securely.
Before You Begin
Make sure you have the following:
- Active API credentials (
X-AuthenticationKeyIdandX-AuthenticationKeyValue) for your New Accounts cobrand. - A webhook subscription configured to receive
BatchedBoardingResultsevents. See Batched Boarding Results Webhook. - A merchant that has been successfully boarded for CNP processing through Launchpay Orchestrate.
How It Works
The retrieval process follows a webhook-driven, one-time-token pattern. Your application does not need to poll for credentials — instead, you are notified when they are ready, and you use a single-use token to retrieve them.
- Review the
BatchedBoardingResultswebhook after boarding completes and extract data. - Call the credentials endpoint with the token and the merchant's Infinicept Merchant ID.
- Store the returned
ApiKeyandApiSecretsecurely — the token is deleted after one use.
Step 1: Review the BatchedBoardingResults Webhook
✨NEW The BatchedBoardingResults webhook now includes Launchpay Orchestrate boarding service details. See these described below.
After boarding completes, Launchpay fires a BatchedBoardingResults webhook to your configured endpoint. The boarding result in the webhook payload includes a one-time retrieval token in the CredentialToken field within the Details object.
ImportantThe webhook payload does not contain the raw credential values (API key and secret). It only provides the
CredentialTokenyou need to retrieve them via the API.
Example Webhook Boarding Result
This is a shortened example of the full Batched Boarding Results webhook payload, focused specifically on the Launchpay Orchestrate boarding service details for illustration purposes.
{
"BoardingServiceTitle": "LaunchPay Orchestrate",
"Status": 4,
"Details": {
"BOARDINGREASON": "Successfully boarded.",
"CredentialToken": "6xpHArkthKJURHCJt7Ozb2aA7n67ds80pLDmSyo7mkI=",
"__PROCESSED_DATETIME__": "3/16/2026 8:23:15 PM +00:00",
"LocationId": "4004819",
"GatewayClient": "iframe_gtw",
"ErrorMessage": ""
}
}Key Fields
| Field | Location | Description |
|---|---|---|
CredentialToken | Details.CredentialToken | The one-time retrieval token you will use to call the credentials endpoint. |
BoardingServiceTitle | root | The boarding service name (e.g., "LaunchPay Orchestrate"). |
Status | root | The boarding status. A value of 4 indicates completed boarding. |
LocationId | Details.LocationId | The gateway location ID for the boarded merchant. |
GatewayClient | Details.GatewayClient | The client identifier for the hosted iframe. |
Step 2: Call the Credentials Endpoint
When the webhook provides the CredentialToken, make an authenticated POST request to retrieve the credentials. See POST Retrieve Gateway Credentials Endpoint for full request details.
POST https://merchantapp.io/{tenantId}/api/v2/credentialsNOTE: tenantId refers to your New Accounts cobrand slug.
Include the one-time token and the merchant's InfiniceptMerchantId in the request body:
Example Request
POST https://merchantapp.io/{tenantId}/api/v2/credentials
X-AuthenticationKeyId: your-key-id
X-AuthenticationKeyValue: your-key-value
Content-Type: application/json
{
"Token": "6xpHArkthKJURHCJt7Ozb2aA7n67ds80pLDmSyo7mkI=",
"InfiniceptMerchantId": "a6dd6d5e-53d8-434e-898c-18864b811451"
}Request Body Parameters
Field | Type | Required | Description |
|---|---|---|---|
| string | Required | The one-time retrieval token from the |
| string (UUID) | Required | The Infinicept merchant identifier for the merchant whose credentials are being retrieved. This value is available from the boarding webhook. |
The system validates that the token matches the expected cobrand and merchant before returning the credentials. If validation succeeds, the response contains the gateway credentials.
The response includes the boarding service context (EnabledBoardingServiceId and BoardingServiceTitle) along with a Credentials object containing the ApiKey and ApiSecret you need for transaction processing:
Example Response
{
"EnabledBoardingServiceId": 1602,
"BoardingServiceTitle": "LaunchPay Orchestrate",
"Credentials": {
"ApiKey": "b2W6zADOsjXEaoNuKeRQ39xGmdClc0F5",
"ApiSecret": "ZTdVECix07S1NHBcJWpKYlU2kzD5ytReGo9qFvmfbLrQX"
}
}The key values shown above are demo keys only and are not valid credentials.
Step 3: Store Credentials Securely
After a successful credential retrieval, the one-time token is immediately deleted — both from the Launchpay system and from the boarding result. A second request with the same token will fail, and there is no way to re-retrieve credentials using the same token. Need help generating a new token? Contact us on the Customer Support Portal.
You must store the returned ApiKey and ApiSecret in your application's secure credential store immediately upon retrieval.
ImportantGateway credentials grant the ability to process transactions on behalf of a merchant. Follow these practices to protect credentials throughout their lifecycle:
- Always retrieve credentials over HTTPS.
- Never log the
ApiKeyorApiSecretvalues in application logs, error reports, or monitoring systems. - Store credentials using encryption at rest (e.g., AWS Secrets Manager, Azure Key Vault, or an equivalent secure secrets store).
- Do not store
ApiKeyorApiSecretin plaintext in databases, configuration files, or environment variables. - Restrict credential access to only the services and personnel that require it.
Support
💬Have a question or need assistance retrieving your gateway credentials? Contact us on the Customer Support Portal.
🔹Learn about updates in our Changelog.
Updated 4 days ago