Credential Exchange

📘

BI-SNAP Compliance

This page describes the credential exchange process between merchants and Midtrans for BI-SNAP Core API integration, including the secure exchange of public keys. This fulfills BI-SNAP requirements for secure key delivery and management (ASPI audit items on public key exchange and delivery method).


Midtrans will provide the following during the credential exchange process:

  • ClientID
  • ClientSecret
  • PartnerID
  • ChannelID

The Partner must provide the following:

  • PublicKey (must be in PKCS8 format and PEM encoded)

📘

Onboarding to BI SNAP

If you don't see any BI SNAP menu in your dashboard, we might need to activate it for you first. Reach out to your Midtrans Sales PIC or Support ([email protected]) to activate the feature for you.


Generate Public and Private Key


Access Key Page


Generating access keys can be done via Settings > Access Keys page, within the Payment BI SNAP section.


🚧

Always generate the key pair starting from the Sandbox environment first before generating in Production. Otherwise, the supported scopes will be empty. If you mistakenly generated the key pair in Production environment, contact Midtrans Support for further assistance.


Generating Public and Private Key


Generate the Private Key first using the first command, then derive the Public Key from it using the second command.


# generate a private/public key pair in PKCS8 format, PEM encoded
# (2048 is the minimum key size accepted; use a larger value if you prefer)
openssl genpkey -algorithm rsa -out private-key.pem -outform PEM -pkeyopt rsa_keygen_bits:2048
openssl rsa -in private-key.pem -outform PEM -pubout -out public-key.pem

# alternatively, if the partner system can only consume a PKCS1 private key, the partner can convert the public key from PKCS1 to PKCS8
openssl rsa -RSAPublicKey_in -in publicKeyPKCS1.pem -pubout -out publicKeyPKCS8.pem
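The following script is an added example and not part of the Midtrans documentation. It wraps the two OpenSSL commands above, handles the PKCS1-to-PKCS8 conversion case, and then checks a public key file against what the Dashboard validates on registration (a "BEGIN PUBLIC KEY" PKCS#8/SPKI PEM, RSA, at least 2048 bits), so a partner can catch a wrong format or a too-small key before pasting it. The file names passed to the functions are assumptions chosen by the caller; the checks rely only on standard `openssl`, `head`, `tail`, `grep` and `sed`.

```shell
#!/bin/sh
# Added example (not Midtrans code): generate a BI-SNAP key pair and validate the
# public key the way the Dashboard does before you register it.
# File paths are caller-supplied assumptions.

# Generate an RSA key pair: $1 = private key path, $2 = public key path,
# $3 = modulus bits (defaults to the 2048-bit minimum).
generate_keypair() {
  bits="${3:-2048}"
  openssl genpkey -algorithm rsa -out "$1" -outform PEM \
    -pkeyopt "rsa_keygen_bits:$bits" 2>/dev/null &&
  openssl rsa -in "$1" -outform PEM -pubout -out "$2" 2>/dev/null
}

# Convert a PKCS#1 "RSA PUBLIC KEY" PEM ($1) into the PKCS#8/SPKI form ($2)
# that the Dashboard expects.
convert_pkcs1_pubkey() {
  openssl rsa -RSAPublicKey_in -in "$1" -pubout -out "$2" 2>/dev/null
}

# Print the modulus size in bits of a PEM public key (empty if it does not parse).
# Matches both "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and "Public-Key: (2048 bit)" (OpenSSL 3).
pubkey_bits() {
  openssl pkey -pubin -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Validate a public key file before registering it.
# Returns 0 and prints "ok: ..." when acceptable, otherwise returns 1 with a reason.
check_pubkey() {
  f="$1"
  if ! head -n 1 "$f" 2>/dev/null | grep -q '^-----BEGIN PUBLIC KEY-----'; then
    echo "rejected: header is not 'BEGIN PUBLIC KEY' (a PKCS#1 'BEGIN RSA PUBLIC KEY' file must be converted first)"
    return 1
  fi
  if ! tail -n 1 "$f" | grep -q '^-----END PUBLIC KEY-----'; then
    echo "rejected: footer is not 'END PUBLIC KEY' (copy the whole file, header to footer)"
    return 1
  fi
  # An RSA key prints a "Modulus:" section; EC keys and garbage do not.
  if ! openssl pkey -pubin -in "$f" -noout -text 2>/dev/null | grep -q '^Modulus:'; then
    echo "rejected: not a parseable RSA public key"
    return 1
  fi
  bits=$(pubkey_bits "$f")
  if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
    echo "rejected: ${bits:-unknown}-bit key is below the 2048-bit minimum"
    return 1
  fi
  echo "ok: RSA $bits-bit PKCS#8 public key"
}

# Typical use (paths are examples):
#   generate_keypair private-key.pem public-key.pem
#   check_pubkey public-key.pem
```

Run `check_pubkey` on the exact file you intend to paste into the Dashboard; the header and footer checks deliberately do not anchor on end-of-line, so trailing spaces picked up from a copy-and-paste do not cause a spurious rejection, while a PKCS#1 header or a sub-2048-bit modulus does.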

Registering the Public Key

Below is an example of what a correct Public Key looks like. Once generated, copy the entire file, from the header to the footer, and paste it into Dashboard > Settings > Access Keys > Payment BI SNAP, then click the Start generate credential button. After pasting, click Register.


-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAomV+Vm1xlRXanmh108Kusls7SSKec0oCejtc9QG
Obpd4RnQ+7gihm2k6etnSNP7b+XrpY+fBkiQNaBInii9M10kW9Bhf/M9GH/edL3IqnzDNSi7tcoQgnO7h8x
mzLNWHTjtR6bkrsdBS5dry6htotaF5KXomuoYgztCdGDOa0W20aeLzYSXIoW7s/Ay5yIXt0xaXTll3/bmez
leguFPnwQZq5EqZFWlUZvutDi+f2l9rTRY0Fb64y+VAf+mnIbEovGqsPEeF/p97YWxcY7CWm8NsT0lwBVOt
kmEl967Brz5yvEObF5bJgVodi6mNVsN1ki0MCitIhYO8shcE7eUilQIDAQAB
-----END PUBLIC KEY-----

Registering the public key


Secured Exchange Method

In order to make sure the credentials are exchanged securely over public networks, the credentials must be encrypted during transit.


Zip encrypted

Midtrans will provide the credentials in a Password Protected Zip file. The Password Protected Zip File and Password to the Zip File will be sent to separate emails.

Merchant must provide the public key in a Password Protected Zip file. The Password Protected Zip File and Password to the Zip File must be sent to separate emails.




Public Key Exchange and Delivery Method


The following describes how public keys are exchanged between merchants and Midtrans, fulfilling BI-SNAP requirements for secure exchange of public keys used for SHA256withRSA signatures.

Merchant → Midtrans (Merchant's Public Key)

  1. Key generation: Merchant generates an RSA key pair (minimum 2048-bit) in PKCS#8 format, PEM-encoded, using the OpenSSL commands documented above.
  2. Registration via Dashboard: Merchant registers their public key via the Midtrans Dashboard (Settings > Access Keys > Payment BI SNAP). The Dashboard is protected by HTTPS (TLS 1.2+) and requires authenticated login.
  3. Alternative, secured email: For environments where Dashboard access is not available, the public key may be shared as a password-protected ZIP file, with the ZIP file and the password sent in separate emails.
  4. Verification: Upon registration, Midtrans validates the key format (PKCS#8, PEM, minimum 2048-bit RSA) and associates it with the merchant's Client ID.

Midtrans → Merchant (Midtrans' Public Key)

  1. Provision: Midtrans generates its RSA key pair within its secure key management infrastructure.
  2. Delivery via Dashboard: Midtrans' public key is accessible to the merchant via the Dashboard (Settings > Access Keys), protected by an authenticated HTTPS session.
  3. Alternative, secured email: Midtrans may deliver its public key as a password-protected ZIP file (password sent separately) when Dashboard delivery is not feasible.
  4. Verification: Merchants should verify the key fingerprint upon receipt. Midtrans support can confirm key fingerprints through a separate authenticated channel if needed.
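The script below is an added example and not part of the Midtrans documentation; it shows the fingerprint check recommended in step 4. It computes a SHA-256 fingerprint over the DER-encoded SubjectPublicKeyInfo of a received public key, compares it against the value confirmed with Midtrans support out-of-band (accepting upper-case or colon-separated copies as people tend to read them out), and also checks whether two received copies (for example the Dashboard copy and an emailed ZIP copy) carry the same key. The choice of SHA-256 over the DER SPKI is this example's convention; confirm with Midtrans which fingerprint form they quote. File names are caller-supplied assumptions.

```shell
#!/bin/sh
# Added example (not Midtrans code): fingerprint a received public key and
# compare it with the value confirmed over a separate channel.
# Fingerprint convention assumed here: SHA-256 over the DER-encoded SubjectPublicKeyInfo.

# Print the lower-case hex SHA-256 fingerprint of a PEM public key.
# Returns 1 and prints nothing if the file is not a parseable public key
# (so an unreadable file never yields the hash of an empty input).
pubkey_fingerprint() {
  openssl pkey -pubin -in "$1" -noout 2>/dev/null || return 1
  openssl pkey -pubin -in "$1" -outform DER 2>/dev/null |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Normalise a fingerprint as it may arrive from a ticket or a phone call:
# drop colons and spaces, fold to lower case.
normalize_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Compare the fingerprint of key file $1 with the expected value $2.
# Returns 0 on match; 1 (with a message) on mismatch or unreadable key.
verify_fingerprint() {
  key="$1"
  expected=$(normalize_fp "$2")
  actual=$(pubkey_fingerprint "$key") || { echo "unreadable key: $key"; return 1; }
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "MISMATCH: $key has $actual, expected $expected"
    return 1
  fi
  echo "match: $key $actual"
}

# True when two PEM files carry the same key, regardless of line wrapping or
# trailing whitespace (e.g. Dashboard copy vs. emailed ZIP copy).
same_key() {
  a=$(pubkey_fingerprint "$1") && b=$(pubkey_fingerprint "$2") &&
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Typical use (paths and the expected value are placeholders):
#   verify_fingerprint midtrans-public.pem "<fingerprint confirmed with Midtrans support>"
#   same_key midtrans-public-dashboard.pem midtrans-public-email.pem
```

Keep the confirmed fingerprint in your onboarding ticket and re-run `verify_fingerprint` whenever Midtrans rotates its key, so that a key arriving by email is only trusted once it matches the value obtained through the authenticated channel.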

Client Secret Delivery

  1. Generation: Midtrans generates the client secret during credential provisioning.
  2. Delivery: The client secret is delivered via the Dashboard or as a password-protected ZIP file (password sent separately).
  3. Storage obligation: Merchants must store the client secret securely (see Key Management Lifecycle for storage recommendations).

📘

Compliance Note

This process fulfills BI-SNAP requirements for secure exchange of public keys used for SHA256withRSA signatures. All exchanges occur over encrypted channels (HTTPS/TLS 1.2+), and credentials are never transmitted in plaintext over public networks. For key lifecycle management details (rotation, revocation, storage), refer to the Security Specification page.