Mercado Pago is the leading payment processor across Latin America, supporting credit cards, debit cards, and local payment methods in Mexico, Argentina, Brazil, Colombia, and more. The Pagos Hotspot API integrates with Mercado Pago’s Payments API to charge tokenized cards and deliver WiFi access credentials after a confirmed payment. Like Conekta, credentials are stored per company (Documentation Index
Fetch the complete documentation index at: https://mintlify.com/sistemashm24/pagos_hotspot_api/llms.txt
Use this file to discover all available pages before exploring further.
Empresa) so each tenant operates fully independently.
Credentials overview
The following four values are required to fully configure Mercado Pago for a company:| Field | Where to find it | Stored encrypted |
|---|---|---|
access_token | Mercado Pago dashboard → Your integrations → Credentials | ✅ Yes |
public_key | Mercado Pago dashboard → Your integrations → Credentials | ❌ No |
webhook_secret | Mercado Pago dashboard → Your integrations → Webhooks | ✅ Yes |
mode | You choose: "test" or "live" | ❌ No |
TEST-; production credentials begin with APP_USR-.
Encryption at rest
WhenENCRYPTION_KEY_MERCADO_PAGO is set, the SecureTokenManager class
applies Fernet symmetric encryption
before writing access_token and webhook_secret to the empresas table.
The values are transparently decrypted at payment time — captive portals and
webhooks receive the plaintext token, never the encrypted blob.
public_key and mode are not encrypted because they are non-sensitive
and are returned in public configuration responses.
Setting credentials
"") to clear a field.
Mercado Pago access token for server-side API calls. Test tokens start with
TEST-; production tokens start with APP_USR-. Stored encrypted at rest.Mercado Pago public key for the captive portal frontend (card tokenization).
Test keys start with
TEST-; production keys start with APP_USR-.The secret configured in the Mercado Pago dashboard under Your integrations
→ Webhooks → Secret key. Used by the API to verify the HMAC-SHA256
signature on incoming webhook events. Stored encrypted at rest.
Operating mode:
"test" or "live". Controls which credential set is
active. Always update this alongside your credentials when switching
environments.Optional. Telegram bot token for payment notifications. Can be set here or
via
PUT /api/v1/admin/mi-empresa. See the
Telegram Notifications page.Optional. Telegram chat ID for payment notifications.
Optional. Set to
true to enable Telegram alerts for this company.configuracion_actual object reports boolean presence flags — actual token values are never returned.
Retrieving current configuration
access_token and webhook_secret are always masked in GET responses.
Webhook configuration
Webhook URL
The API exposes a single global webhook endpoint that handles notifications for all companies:POST to this URL whenever a payment status changes (e.g., from pending to approved).
Signature verification
Mercado Pago signs every webhook request using HMAC-SHA256. The API verifies the signature using the following two headers:| Header | Description |
|---|---|
X-Signature | HMAC-SHA256 signature of the request body |
X-Request-Id | Unique request identifier used as part of the signed payload |
webhook_secret stored per company (configured via POST /api/v1/payments/configurar-credenciales) is used as the HMAC key.
Webhook signature verification relies on the decrypted
webhook_secret value
stored in the database. If you rotate your Mercado Pago webhook secret in the
dashboard, you must update it in the API immediately via
POST /api/v1/payments/configurar-credenciales.Switching to live mode
Activate your Mercado Pago account
Complete the identity verification and bank account linking process in the
Mercado Pago dashboard before your live
credentials become active.
Copy your production credentials
In the dashboard, navigate to Your integrations → Credentials and copy
the
APP_USR-... access token and public key.Register the webhook URL
Go to Your integrations → Webhooks, enter
https://your-domain.com/api/v1/webhook/mercado-pago, and copy the
generated Secret key as your webhook_secret.