Apple Pay for Subscriptions

Accept recurring payments with Apple Pay

Accept recurring payments with Apple Pay in your Kushki integration. Depending on the type of solution you use (Smartlink, Custom Integration, or Direct Apple Pay Integration), the configuration process varies.

Supported capabilities

Feature | Availability in Peru 🇵🇪
One-time payments | ✅ Supported
Pre-authorization and Capture | ⛔️ Not supported
Subscriptions | ✅ Supported
Issuer and merchant installments | ⛔️ Not supported

Supported cards:

  • Visa
  • Mastercard

If you use Smartlinks, the technical integration is already handled. However, you need to manually enable this option in your Kushki Console.

When creating or editing your Smartlink in the Console, select the Subscription or Combined payment type and make sure to enable the Apple Pay toggle under the Payment Methods section.

2. Custom integrations: Libraries and Kajita

If you use Kushki.js (v1 or v2 - Hosted Fields) or Kajita, a domain verification is required to ensure your website is authorized to process payments with Apple Pay.

Prerequisites: Before getting started, make sure you have access to the Kushki Console, specifically the Configuration module.

Step 1: Request the verification file

To validate your domain, you need the Apple merchant association file (apple-developer-merchantid-domain-association).

  • Contact the Kushki Support team.
  • Request the Apple Pay configuration certificate.
  • Specify which environment you need the file for: Testing (UAT) or Production.

Step 2: Host the file on your server

Once Kushki provides the file, you must host it on your web server. Apple requires this file to be publicly accessible over HTTPS at a specific path.

Create a folder named .well-known at the root of your domain and place the downloaded file there. The final URL should look like this:

https://your-domain.com/.well-known/apple-developer-merchantid-domain-association

You can verify the file is correctly hosted by running the following command in your terminal or simply pasting the URL into your browser:

curl -I https://your-domain.com/.well-known/apple-developer-merchantid-domain-association

You should receive a 200 OK response and the file should be downloadable or visible.

Step 3: Register your domain in the Kushki Console

With the file correctly hosted, the final step is to register your domain on our platform to complete the association.

  • Log in to the Kushki Console.
  • Go to Configuration > Integrations.
  • Find the Apple Pay section.
  • Enter your domain URL (e.g., your-domain.com) in the corresponding field.
  • Click Register or Verify.

At this point, Kushki will communicate with Apple to verify that the file exists on your server. If everything is correct, the domain will be verified.

Step 4: Technical implementation

Once the domain is verified, proceed with the technical implementation according to your integration method:

3. Direct Apple Pay integration

This guide details the process for obtaining the necessary credentials directly from Apple.

Prerequisites:

Phase 1: Get your Merchant ID

The Merchant ID identifies your business for accepting payments.

  • Sign in to your active Apple account.
  • Go to the Certificates, Identifiers & Profiles section.
  • Select Identifiers from the side menu, then Merchant IDs from the list on the right.
  • Click the blue (+) button to add a new one.
  • Select Merchant IDs and click Continue.
  • Enter a Description and a Unique Identifier.
  • Review the details and click Register.

Phase 2: Get the Merchant Identity Certificate

This certificate proves to Apple that your website is authorized to display the Apple Pay button. Apple requires a 2048-bit RSA key for this step.

  1. Generate the RSA private key: Open your terminal and run the following command to create your key:

openssl genrsa -out merchant.key 2048

  2. Create the Certificate Signing Request (CSR): Generate the .csr file using your Merchant ID as the common name.

openssl req -new -key merchant.key -out merchant.csr -subj "/CN={merchant_ID}"

  3. Create the certificate in Apple:
  • Return to the Apple console (Merchant IDs section), select your ID and click Create Certificate under the Apple Pay Merchant Identity Certificate heading.
  • Upload the generated merchant.csr file and click Continue.
  • Download the certificate (merchant_id.cer).

Phase 3: Generate the Apple Pay Payment Processing Certificate

Once the Merchant ID and Merchant Identity Certificate have been generated, you need to obtain a Certificate Signing Request.

Follow these steps to obtain the certificate:

  1. Create the EC private key (P-256): Run the following command to generate the processing key:

openssl ecparam -name prime256v1 -genkey -noout -out payment.key

  2. Create the Certificate Signing Request (CSR): Generate the file to submit to Apple using your Merchant ID.

openssl req -new -key payment.key -out payment.csr -subj "/CN={merchant_ID}"

  3. Activate your certificate in Apple:
  • Return to the console and select Certificates, Identifiers & Profiles.
  • Under Identifiers, select Merchant ID.
  • Select the Merchant ID created earlier.
  • In the Apple Pay Payment Processing Certificate section, click Create Certificate.
  • Follow the instructions, then upload the generated file.
  • Download the final certificate to complete the process.
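The key and CSR steps of Phases 2 and 3 can be run together and checked before anything is uploaded to Apple. This is an added example, not Kushki's or Apple's own tooling; the function names make_csrs and check_csr and the output directory are hypothetical.

```shell
#!/bin/sh
# Added example: make_csrs and check_csr are hypothetical helper names.

# Create both key pairs and CSRs in a directory that only the current user
# can read (umask 077), so the private keys are never group/world readable.
make_csrs() {   # usage: make_csrs <merchant_id> <output_dir>
    ( umask 077 && mkdir -p "$2" && cd "$2" &&
      openssl genrsa -out merchant.key 2048 2>/dev/null &&
      openssl req -new -key merchant.key -out merchant.csr -subj "/CN=$1" &&
      openssl ecparam -name prime256v1 -genkey -noout -out payment.key &&
      openssl req -new -key payment.key -out payment.csr -subj "/CN=$1" )
}

# Inspect a CSR before upload. Prints "ok" or the first problem found.
# usage: check_csr <csr> <private key> <merchant_id> <key marker>
#   key marker: "(2048 bit)" for the RSA identity CSR,
#               "ASN1 OID: prime256v1" for the EC payment processing CSR.
check_csr() {
    csr=$1; key=$2; id=$3; marker=$4
    # 1. The CSR's self-signature must verify.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "bad signature"; return 1; }
    # 2. The subject must be exactly CN=<merchant id>.
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//')
    [ "$subj" = "CN=$id" ] || { echo "unexpected subject: $subj"; return 1; }
    # 3. The key must be the type and size this certificate calls for.
    openssl req -in "$csr" -noout -text | grep -qF "$marker" \
        || { echo "wrong key type"; return 1; }
    # 4. The CSR must carry the public half of the key you will keep.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "CSR does not match $key"; return 1; }
    echo "ok"
}

# Typical use (merchant id is your own value from Phase 1):
#   make_csrs "{merchant_ID}" ./applepay-keys
#   check_csr ./applepay-keys/payment.csr ./applepay-keys/payment.key \
#       "{merchant_ID}" "ASN1 OID: prime256v1"
```

The fourth check catches the case where a CSR from one key is uploaded while a different key is kept, which only surfaces later when the payment data cannot be decrypted.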

Phase 4: Validate your Web Domain

Apple needs to confirm that you own the website.

  • In your Merchant ID, go to the Merchant Domains section.
  • Click Add Domain, enter your website (e.g., www.example.com or example.com) and save.
  • Download the verification file.
  • Host the file in the .well-known path on your server.
  • Return to the Apple console and click Verify.

4.1. Verification confirmation:

  • Success: If the file is accessible, Apple will verify the domain immediately and you will see the status as “Verified”.
  • Error: If verification fails, review these critical points before trying again:
    • Exact path: make sure the folder is named .well-known (with the leading dot) and the filename has no extra extensions.
    • Accessibility: try opening the file URL from an incognito browser window. If you cannot see it, Apple won’t be able to either.
    • Redirects: make sure your server is not forcing redirects or security blocks (firewalls) that prevent the text file from being read directly.
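The curl check from Step 2 and the failure points listed above can be combined into one pre-flight probe that also compares the served bytes with the file you were issued, since a catch-all route can answer 200 with an HTML page instead of the association file. This is an added example, not part of Kushki's tooling; the function names classify_probe and check_domain are hypothetical.

```shell
#!/bin/sh
# Added example: classify_probe and check_domain are hypothetical helper names.
ASSOC_PATH="/.well-known/apple-developer-merchantid-domain-association"

# Turn one probe result into a verdict.
# usage: classify_probe <http status> <redirect target> <served body> <issued file>
classify_probe() {
    case "$1" in
        200) # A 200 alone is not enough: the body must be the issued file.
             if cmp -s "$3" "$4"; then echo "ok"
             else echo "fail: 200 but body differs from the issued file"; fi ;;
        3??) echo "fail: redirect to ${2:-unknown target}" ;;
        401|403) echo "fail: blocked by auth, WAF or firewall" ;;
        404) echo "fail: not found, check .well-known and file extension" ;;
        000) echo "fail: no HTTPS response" ;;
        *)   echo "fail: unexpected status $1" ;;
    esac
}

# Fetch the file over HTTPS without following redirects, then classify.
# usage: check_domain your-domain.com ./apple-developer-merchantid-domain-association
check_domain() {
    body=$(mktemp)
    meta=$(curl -s --max-time 10 -o "$body" \
        -w '%{http_code} %{redirect_url}' "https://$1$ASSOC_PATH") || true
    classify_probe "${meta%% *}" "${meta#* }" "$body" "$2"
    rm -f "$body"
}
```

Run check_domain once per environment, since the UAT and Production files are requested separately.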

Phase 5: Web Implementation and Tokenization

Once you have your certificates and your domain is verified, proceed with coding the payment button on your website.

Follow these steps:

  • Create the Apple Pay Session: Use your Merchant Identity Certificate (generated in Phase 2) to communicate with Apple’s servers. This is required to validate your identity and allow the payment sheet (Wallet) to display on the customer’s device.
  • Decrypt the data: Once the customer authorizes the subscription, Apple will return an encrypted payment object. Use the private key from your Payment Processing Certificate (generated in Phase 3) to decrypt this package and obtain the card data (DPAN, cryptogram, etc.).
  • Tokenize with Kushki: With the decrypted card data, send it to Kushki to generate a secure subscription token.

You must call the endpoint to create a Network Token with the corresponding subscription parameter.

Frequently Asked Questions (FAQ)

  • Are there special decline codes for Apple Pay transactions? No, because the transaction travels to the card networks through the same card flow, and the same existing decline codes apply.
  • Are there maximum or minimum transaction amounts? No, there are no specific amount limits imposed by Apple Pay.
  • Does it work from mobile apps? No. Currently, the functionality is only available for purchases made through web browsers.
  • Does domain registration need to be done in both UAT (testing) and Production? Yes, Apple requires the domain to be validated in both environments to process payments correctly.
  • Does 3DS authentication apply to Apple Pay transactions? Apple Pay transactions do not require 3DS because when the card is registered in the wallet, the process is authorized by the Issuer.
  • Is the subscription token generated with Apple Pay different from a one-time payment token? Yes. By including isSubscription: true in requestApplePayToken, Kushki generates a subscription token that must be used exclusively with the recurring charge endpoint. It is not interchangeable with a one-time payment token.