Apple Pay Configuration

Accept payments with Apple Pay in your Kushki integration. Depending on the type of solution you use (Smartlink/Button, Custom Integration, or Direct Integration with Apple Pay), the configuration process varies.

Supported capabilities

Functionality | Availability in Mexico 🇲🇽
One-time payments | ✅ Supported
Pre-authorization and Capture | ✅ Supported
Interest-free installments | ⛔️ Not supported
Subscriptions | ⛔️ Not supported

Supported cards:

  • Visa
  • Mastercard

If you use Payment Button (Webcheckout) or Smartlinks, the technical integration is already resolved. However, it is necessary to manually activate this option in your Kushki console.

When creating or editing your Smartlink or Payment Button in the Console, make sure to enable the toggle corresponding to Apple Pay in the “Payment Methods” section.

2. Custom integrations: Libraries and Kajita

If you use Kushki.js (v1 or v2 - hosted fields) or Kajita, it is necessary to perform a domain verification to ensure that your website is authorized to process payments with Apple Pay.

Prerequisites: Before starting, make sure you have access to the Kushki Console, specifically the Configuration module.

Step 1: Request the verification file

To validate your domain, you need the Apple merchant association file (apple-developer-merchantid-domain-association).

  • Contact the Kushki Support team.
  • Request the Apple Pay Configuration Certificate.
  • Specify which environment you require the file for: Testing (UAT) or Production.

Step 2: Hosting the file on your server

Once Kushki delivers the file to you, you must host it on your web server. Apple requires this file to be publicly accessible via the HTTPS protocol at a specific path.

Create a folder named .well-known in the root of your domain and place the downloaded file there. The final URL should look like this:

https://your-domain.com/.well-known/apple-developer-merchantid-domain-association

You can verify that the file is correctly hosted by running the following command in your terminal or simply pasting the URL into your browser:

curl -I https://your-domain.com/.well-known/apple-developer-merchantid-domain-association

You should receive a 200 OK response and the file should be downloadable or visible.

Step 3: Domain registration in the Kushki Console

With the file correctly hosted, the final step is to register your domain on our platform to complete the association.

  • Log in to the Kushki Console.
  • Go to Configuration > Integrations.
  • Look for the Apple Pay section.
  • Enter your domain URL (example: your-domain.com) in the corresponding field.
  • Click on Register or Verify.

At this point, Kushki will communicate with Apple to verify that the file exists on your server. If everything is correct, the domain will be verified.

Step 4: Technical implementation

Once the domain is verified, you must proceed with the technical implementation according to your integration method:

3. Direct integration with Apple Pay

This guide details the process for obtaining the necessary credentials directly from Apple.

Prerequisites:

Phase 1: Obtain your Merchant ID

The Merchant ID identifies your business to accept payments.

  • Log in to your active Apple account.
  • Go to the Certificates, Identifiers & Profiles section.
  • Select Identifiers in the side menu and then Merchant IDs in the list on the right.
  • Click the blue (+) button to add a new one.
  • Select Merchant IDs and click Continue.
  • Provide a Description and a Unique Identifier.
  • Review the data and click Register.

Phase 2: Obtain the Merchant Identity Certificate

This certificate validates that your website is legitimate to display the Apple Pay button. Apple requires a 2048-bit RSA key for this step.

  1. Generate the RSA private key: Open your terminal and run the following command to create your key:

openssl genrsa -out merchant.key 2048

  2. Create the Certificate Signing Request (CSR): Generate the .csr file using your Merchant ID as the common name.

openssl req -new -key merchant.key -out merchant.csr -subj "/CN={merchant_ID}"

  3. Create the certificate in Apple:
  • Return to the Apple console (Merchant IDs section), select your ID, and click Create Certificate under the title Apple Pay Merchant Identity Certificate.
  • Upload the generated merchant.csr file and click Continue.
  • Download the certificate (merchant_id.cer).

Phase 3: Generate the Apple Pay Payment Processing Certificate

Once the Merchant ID and the Merchant Identity Certificate have been generated, it is necessary to obtain a Certificate Signing Request.

Follow these steps to obtain the certificate:

  1. Create the EC private key (P-256): Run the following command to generate the processing key:

openssl ecparam -name prime256v1 -genkey -noout -out payment.key

  2. Create the Certificate Signing Request (CSR): Generate the file to deliver to Apple using your Merchant ID.

openssl req -new -key payment.key -out payment.csr -subj "/CN={merchant_ID}"

  3. Activate your certificate in Apple:
  • Return to the console and select Certificates, Identifiers & Profiles.
  • Under Identifiers, select Merchant ID.
  • Select the Merchant ID created previously.
  • In the Apple Pay Payment Processing Certificate section, click Create Certificate.
  • Follow the instructions, then upload the generated file.
  • Download the final certificate to complete the process.

Phase 4: Validate the Web Domain

Apple needs to confirm that you are the owner of the website.

  • In your Merchant ID, go to the Merchant Domains section.
  • Click Add Domain, type your website (for example, www.example.com or example.com), and save.
  • Download the verification file.
  • Host the file in the .well-known path of your server.
  • Return to the Apple console and click Verify.

4.1. Verification Confirmation:

  • Success: If the file is accessible, Apple will verify the domain immediately, and you will see the status as “Verified”.
  • Error: If verification fails, check these critical points before trying again:
    • Exact path: make sure the folder is named .well-known (with the leading dot) and that no file extension has been added to the filename.
    • Accessibility: try opening the file URL from an incognito window in your browser. If you cannot see it, Apple will not be able to either.
    • Redirects: ensure your server is not forcing redirects or applying security blocks (firewalls) that prevent the text file from being read directly.

Phase 5: Web Implementation and Tokenization

Once you have your certificates and the verified domain, you must proceed with programming the payment button on your website.

Follow these steps:

  • Create the Apple Pay Session: Use your Merchant Identity Certificate (generated in Phase 2) to communicate with Apple’s servers. This is mandatory to validate your identity and allow the payment sheet (Wallet) to display on the customer’s device.

  • Decrypt the data: Once the customer authorizes the purchase, Apple will return an encrypted payment object. You must use the private key from your Payment Processing Certificate (generated in Phase 3) to decrypt this package and obtain the card data (DPAN, cryptogram, etc.).

  • Tokenize with Kushki: Finally, with the card information already decrypted, you must send it to Kushki to generate a secure transport token.

  • You must consume the endpoint to create a Network Token.
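
The "Decrypt the data" step above, as an added Node.js example that is not Kushki's or Apple's code: it follows Apple's EC_v1 token format (ECDH on P-256, a single-round SHA-256 concatenation KDF, AES-256-GCM with a 16-byte zero IV) and assumes the certificate's merchant identifier field is the SHA-256 of the Merchant ID string. The function names, the `merchant.com.example` ID and the token produced by `buildConstructedToken` are constructed for illustration; verifying the token's signature before decrypting is outside this example.

```javascript
const crypto = require('node:crypto');

// NIST SP 800-56A concatenation KDF, one SHA-256 round (enough for a 256-bit key).
function deriveKey(sharedSecret, merchantId) {
  // Assumption: PartyVInfo is SHA-256 of the Merchant ID string.
  const partyV = crypto.createHash('sha256').update(merchantId, 'utf8').digest();
  return crypto.createHash('sha256')
    .update(Buffer.from([0, 0, 0, 1]))                   // KDF counter
    .update(sharedSecret)                                // ECDH shared secret Z
    .update(Buffer.from('\x0did-aes256-GCM', 'latin1'))  // AlgorithmID
    .update(Buffer.from('Apple', 'ascii'))               // PartyUInfo
    .update(partyV)                                      // PartyVInfo
    .digest();
}

// header.publicKeyHash format: base64 SHA-256 of the DER SubjectPublicKeyInfo.
function publicKeyHash(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('base64');
}

// merchantKeys: { privateKey, publicKey } KeyObjects for the Phase 3 processing key.
function decryptPaymentData(token, merchantKeys, merchantId) {
  if (token.version !== 'EC_v1') throw new Error('unsupported token version');
  if (token.header.publicKeyHash !== publicKeyHash(merchantKeys.publicKey)) {
    throw new Error('token was encrypted for a different processing key');
  }
  const ephemeral = crypto.createPublicKey({
    key: Buffer.from(token.header.ephemeralPublicKey, 'base64'), format: 'der', type: 'spki' });
  const z = crypto.diffieHellman({ privateKey: merchantKeys.privateKey, publicKey: ephemeral });
  const blob = Buffer.from(token.data, 'base64');
  const tagAt = blob.length - 16;                        // GCM tag is the last 16 bytes
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(z, merchantId), Buffer.alloc(16));
  decipher.setAuthTag(blob.subarray(tagAt));
  const plain = Buffer.concat([decipher.update(blob.subarray(0, tagAt)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));             // final() throws on a bad tag
}

// Constructed token: plays Apple's role so the example runs offline.
function buildConstructedToken(merchantPublicKey, merchantId, payload) {
  const eph = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const z = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey: merchantPublicKey });
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(z, merchantId), Buffer.alloc(16));
  const data = Buffer.concat([
    cipher.update(JSON.stringify(payload), 'utf8'), cipher.final(), cipher.getAuthTag()]);
  return { version: 'EC_v1', data: data.toString('base64'), header: {
    publicKeyHash: publicKeyHash(merchantPublicKey),
    ephemeralPublicKey: eph.publicKey.export({ type: 'spki', format: 'der' }).toString('base64') } };
}
```

A token encrypted for another processing key fails the `publicKeyHash` check, and any change to `data` or a wrong Merchant ID makes `decipher.final()` throw, so nothing is returned from an unauthenticated ciphertext.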

Frequently Asked Questions (FAQ)

  • Are there special decline codes for Apple Pay transactions? No, because the transaction is processed through the same card network flow, and the existing decline codes apply.
  • Are there maximum or minimum transaction amounts? No, there are no specific amount limits imposed by Apple Pay.
  • Does it work within mobile applications? No. Currently, this functionality is only available for purchases using web browsers.
  • Must domain registration be performed in both UAT (testing) and Production? Yes, Apple requires the domain to be validated in both environments to process payments correctly.
  • Does 3DS authentication apply to transactions made with Apple Pay? Apple Pay transactions do not require 3DS because the Issuer authorizes the process when the card is registered in the wallet.