All requests use a TLSv1.2 encrypted connection over HTTPS. Only HIGH ciphers are supported.

For additional security, you exchange a set of certificates to gain access to the gateway. All certificates are issued by the private Certificate Authority (CA) of the Payment Gateway, which the client needs to trust. As part of this process, you provide a certificate signing request (CSR), which is signed and returned to you:

ca.crt: The private Certificate Authority (public key) of the Payment Gateway and the Boarding Gateway. Used when signing your client certificate. You also use it to verify the Payment Gateway's or Boarding Gateway's authority when accessing the interface.
customer.crt: Your certificate (public key) for authentication.
customer.key: Your certificate's private key for authentication. Boarding Gateway-only
customer.pem: A combination of your private and public keys, as needed, e.g., by cURL. Boarding Gateway-only
customer.key12: This is a key package.

Important

Make sure you keep all private keys secret. When connecting to an API endpoint, such as api.girogate.de, use ca.crt to verify the server certificate. Do not pin to a specific server certificate, since server certificates are replaced on a yearly basis.
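The following Python sketch is an added example, not code from the gateway's documentation. It builds a client that trusts only ca.crt (so yearly server certificate replacement does not break it), presents customer.crt and customer.key, and refuses anything below TLSv1.2 or outside the HIGH cipher class. The function names, port 443 and the extra `!aNULL:!eNULL` exclusions are assumptions made for this example.

```python
import socket
import ssl


def gateway_tls_policy() -> ssl.SSLContext:
    """Return a client context with the transport policy only (no keys or CAs loaded)."""
    # PROTOCOL_TLS_CLIENT starts with an empty trust store, CERT_REQUIRED
    # and hostname checking enabled; system CAs are deliberately not loaded.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # "HIGH" is the cipher class named on the page. Excluding anonymous and
    # null suites is an assumption added here, since OpenSSL's HIGH class
    # can include unauthenticated (aNULL) suites.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL")
    return ctx


def load_gateway_credentials(ctx, ca_file="ca.crt",
                             cert_file="customer.crt", key_file="customer.key"):
    """Trust the gateway's private CA and attach the client certificate."""
    # Trust anchor is the CA, not one server certificate: a renewed server
    # certificate issued by the same CA still verifies without any change.
    ctx.load_verify_locations(cafile=ca_file)
    # Client certificate and private key for mutual TLS authentication.
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def connect(host, port=443, **paths):
    """Open a mutually authenticated TLS connection, e.g. to api.girogate.de."""
    ctx = load_gateway_credentials(gateway_tls_policy(), **paths)
    sock = socket.create_connection((host, port), timeout=10)
    try:
        # server_hostname drives both SNI and hostname verification.
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
```

A handshake failure raised by `connect()` with `ssl.SSLCertVerificationError` means the server certificate did not chain to ca.crt or did not match the host name.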