Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/sistemashm24/pagos_hotspot_api/llms.txt

Use this file to discover all available pages before exploring further.

Mercado Pago is the leading payment processor across Latin America, supporting credit cards, debit cards, and local payment methods in Mexico, Argentina, Brazil, Colombia, and more. The Pagos Hotspot API integrates with Mercado Pago’s Payments API to charge tokenized cards and deliver WiFi access credentials after a confirmed payment. Like Conekta, credentials are stored per company (Empresa) so each tenant operates fully independently.

Credentials overview

The following four values are required to fully configure Mercado Pago for a company:
FieldWhere to find itStored encrypted
access_tokenMercado Pago dashboard → Your integrations → Credentials✅ Yes
public_keyMercado Pago dashboard → Your integrations → Credentials❌ No
webhook_secretMercado Pago dashboard → Your integrations → Webhooks✅ Yes
modeYou choose: "test" or "live"❌ No
Test credentials begin with TEST-; production credentials begin with APP_USR-.

Encryption at rest

The ENCRYPTION_KEY_MERCADO_PAGO environment variable must be set for access_token and webhook_secret to be stored encrypted in the database. If the variable is empty, tokens are persisted in plaintext. See the Environment Variables page for instructions on generating a Fernet key.
When ENCRYPTION_KEY_MERCADO_PAGO is set, the SecureTokenManager class applies Fernet symmetric encryption before writing access_token and webhook_secret to the empresas table. The values are transparently decrypted at payment time — captive portals and webhooks receive the plaintext token, never the encrypted blob. public_key and mode are not encrypted because they are non-sensitive and are returned in public configuration responses.

Setting credentials

POST /api/v1/payments/configurar-credenciales
This endpoint requires a valid client-admin session token. Only fields that are explicitly provided are updated — omitting a field leaves the stored value unchanged. Send an empty string ("") to clear a field.
access_token
string
Mercado Pago access token for server-side API calls. Test tokens start with TEST-; production tokens start with APP_USR-. Stored encrypted at rest.
public_key
string
Mercado Pago public key for the captive portal frontend (card tokenization). Test keys start with TEST-; production keys start with APP_USR-.
webhook_secret
string
The secret configured in the Mercado Pago dashboard under Your integrations → Webhooks → Secret key. Used by the API to verify the HMAC-SHA256 signature on incoming webhook events. Stored encrypted at rest.
mode
string
default:"test"
Operating mode: "test" or "live". Controls which credential set is active. Always update this alongside your credentials when switching environments.
telegram_bot_token
string
Optional. Telegram bot token for payment notifications. Can be set here or via PUT /api/v1/admin/mi-empresa. See the Telegram Notifications page.
telegram_chat_id
string
Optional. Telegram chat ID for payment notifications.
notificaciones_telegram
boolean
Optional. Set to true to enable Telegram alerts for this company.
curl -X POST https://api.example.com/api/v1/payments/configurar-credenciales \
  -H "Authorization: Bearer <session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "access_token": "TEST-1234567890abcdef-1234567890abcdef",
    "public_key": "TEST-abcdef1234567890-abcdef1234567890",
    "webhook_secret": "my_webhook_secret",
    "mode": "test"
  }'
Successful response:
{
  "success": true,
  "message": "Credenciales actualizadas correctamente",
  "empresa": { "id": "EMP_ABC123", "nombre": "Mi Empresa" },
  "campos_modificados": ["access_token (actualizado)", "public_key", "mode"],
  "configuracion_actual": {
    "access_token": true,
    "webhook_secret": false,
    "public_key": true,
    "mode": "live",
    "telegram_configurado": false,
    "telegram_activo": false
  }
}
The configuracion_actual object reports boolean presence flags — actual token values are never returned.

Retrieving current configuration

GET /api/v1/admin/mi-empresa/mercado-pago
curl https://api.example.com/api/v1/admin/mi-empresa/mercado-pago \
  -H "Authorization: Bearer <session_token>"
Response:
{
  "message": "Configuración cargada",
  "configuracion_actual": {
    "access_token": "********",
    "public_key": "APP_USR-abcdef1234567890-abcdef1234567890",
    "mode": "live",
    "webhook_secret": "********"
  }
}
Both access_token and webhook_secret are always masked in GET responses.

Webhook configuration

Webhook URL

The API exposes a single global webhook endpoint that handles notifications for all companies:
POST /api/v1/webhook/mercado-pago
Register this URL in the Mercado Pago dashboard under Your integrations → Webhooks → Notification URL. Mercado Pago will POST to this URL whenever a payment status changes (e.g., from pending to approved).

Signature verification

Mercado Pago signs every webhook request using HMAC-SHA256. The API verifies the signature using the following two headers:
HeaderDescription
X-SignatureHMAC-SHA256 signature of the request body
X-Request-IdUnique request identifier used as part of the signed payload
The verification algorithm follows the official Mercado Pago webhook security guide. The webhook_secret stored per company (configured via POST /api/v1/payments/configurar-credenciales) is used as the HMAC key.
Webhook signature verification relies on the decrypted webhook_secret value stored in the database. If you rotate your Mercado Pago webhook secret in the dashboard, you must update it in the API immediately via POST /api/v1/payments/configurar-credenciales.

Switching to live mode

1

Activate your Mercado Pago account

Complete the identity verification and bank account linking process in the Mercado Pago dashboard before your live credentials become active.
2

Copy your production credentials

In the dashboard, navigate to Your integrations → Credentials and copy the APP_USR-... access token and public key.
3

Register the webhook URL

Go to Your integrations → Webhooks, enter https://your-domain.com/api/v1/webhook/mercado-pago, and copy the generated Secret key as your webhook_secret.
4

Update credentials via the API

Call POST /api/v1/payments/configurar-credenciales with the live credentials and "mode": "live".

Build docs developers (and LLMs) love