Skip to main content

Partner onboarding

Before you can onboard merchants, dpay configures your partner account. This section explains what you receive and how authentication works.

What you receive from dpay

ItemDescription
API key (dpk_...)A single platform key that authenticates all partner API calls. It is shown once when generated.
ScopesThe key's permission set (see below).
ChannelThe identifier of your onboarding channel. It links every merchant account to you and determines the agreement template and rates.
Webhook secretUsed to verify the HMAC signature of incoming webhooks.
The API key is shown only once

Store the dpk_... key securely, such as in a secrets manager or environment variable. dpay stores only its hash. If you lose the key, it must be regenerated and the old key will stop working.

Authenticating API calls

Send every partner API call with this header:

Authorization: Bearer dpk_your_platform_key

Partner API base URL:

https://panel.dpay.pl/api/partner/v1

The exception is on-behalf payment registration, which uses the standard registration endpoint on the payments domain (https://api-payments.dpay.pl).

Scopes

Each key has assigned scopes. A call outside the key's scope receives a 403 response.

ScopeAllows you to
onboarding:readRead the onboarding status of your merchants.
onboarding:writeCreate and complete onboarding flows (draft, segments, and finalize).
account:readRead a merchant account on behalf of the merchant (transactions, settlements, balance, and account frame).
payments:writeRegister payments on the merchant's behalf.
payouts:writeRequest payouts on the merchant's behalf.
Two permission gates

A scope on the key is necessary but not sufficient. On-behalf actions also require merchant consent (delegation) covering the relevant permission. The payouts:write scope alone is not enough if the merchant has not opted in to payouts. See the section below.

Onboarding channel

Your channel (for example, fakturka) is how dpay identifies that an account belongs to you. The channel determines:

  • the agreement template signed by the merchant,
  • the rates (MDR) that apply to merchants in your channel,
  • the account assignment to your partner account (the captive model).

For iframe onboarding, pass the channel in the ch option. For API and redirect onboarding, the channel is derived from your key. If your key has multiple channels, specify one in the channel field.

To act on a merchant's behalf, you need the merchant's explicit consent. Consent has two levels, and the merchant confirms each one with an SMS code (the only OTP channel):

  1. Account access + payments - granted automatically when the merchant signs your channel agreement during onboarding using an SMS code. There is no separate "request consent" API call. Delegation is part of the channel agreement, and the signature strongly authenticates the authorised person.
  2. Payouts - require a separate, explicit merchant opt-in in the account frame, also confirmed by SMS code. Payout permission is never implied by the agreement alone.
Merchant consent screen with SMS code confirmation
The merchant sees exactly what they are consenting to (with payouts handled separately) and confirms by SMS code. dpay never shares the merchant's login credentials with you.

How delegation works

Delegation rules

  • Payouts require separate consent. Even if the merchant has signed the agreement (account access + payments), payouts (payouts:write) require a separate, explicit opt-in in the account frame with its own SMS code.
  • Payouts always go to the merchant's account. Payout consent does not let you specify an arbitrary account. dpay pays only to the merchant's verified bank account and always pays the entire available balance.
  • Revocation is immediate and complete. The merchant revokes access in the account frame using an SMS code. Revocation covers all permissions at once. From that point, on-behalf calls return 403 (fail closed), and you receive an authorization.revoked webhook.

Next step

Choose how you want to onboard merchants: