v1.0
Powered by

# 2. Get Store Credential

One-time endpoint to retrieve the encrypted store credential using the onboarding session ID (sid). Can only succeed once per sid and is only available while the sid is still valid (not expired).

Overview

HMACPII
Auth
HMAC Partner
Method
GET

# Path

https://partners-api.tocobagus.net/api/v1 /partner/onboard/store-access

# Request

# Query Parameters

Name Type Required Description
sid string The onboarding session ID.

# Required Headers

Header Example Description
x-signature bdbb8833fe43671e058b56dace75763a78a2edf8de7365afb6f534d750056e80
x-partner-client-id ptnr_1s4UqMnO64
x-timestamp 1758100350458

# Request Payload

Request payload: Not used for GET.

# Example Request 

curl -X GET "http:///partner/onboard/store-access?sid=%3Csid%3E" \
  -H "Content-Type: application/json" \
  -H "x-signature: bdbb8833fe43671e058b56dace75763a78a2edf8de7365afb6f534d750056e80" \
  -H "x-partner-client-id: ptnr_1s4UqMnO64" \
  -H "x-timestamp: 1758100350458" \
const qs = new URLSearchParams({
  "sid": "<sid>"
});
const url = "http:///partner/onboard/store-access" + (qs.toString() ? "?" + qs.toString() : "");
const res = await fetch(url, {
  method: "GET",
  headers: {
  "x-signature": "bdbb8833fe43671e058b56dace75763a78a2edf8de7365afb6f534d750056e80",
  "x-partner-client-id": "ptnr_1s4UqMnO64",
  "x-timestamp": "1758100350458"
}
});
const json = await res.json();
console.log(json);
qs := url.Values{}
qs.Set("sid", "<sid>")
u := "http:///partner/onboard/store-access"
if q := qs.Encode(); q != "" { u = u + "?" + q }
req, _ := http.NewRequest("GET", u, nil)
req.Header.Set("x-signature", "bdbb8833fe43671e058b56dace75763a78a2edf8de7365afb6f534d750056e80")
req.Header.Set("x-partner-client-id", "ptnr_1s4UqMnO64")
req.Header.Set("x-timestamp", "1758100350458")
req.Header.Set("Content-Type","application/json")
resp, _ := http.DefaultClient.Do(req)
defer resp.Body.Close()
b, _ := io.ReadAll(resp.Body)
fmt.Println(string(b))
var client = java.net.http.HttpClient.newHttpClient();
var req = java.net.http.HttpRequest.newBuilder()
    .uri(java.net.URI.create("http:///partner/onboard/store-access?sid=%3Csid%3E"))
    .header("Content-Type","application/json")
    .header("x-signature", "bdbb8833fe43671e058b56dace75763a78a2edf8de7365afb6f534d750056e80")
    .header("x-partner-client-id", "ptnr_1s4UqMnO64")
    .header("x-timestamp", "1758100350458")
    .method("GET", java.net.http.HttpRequest.BodyPublishers.noBody())
    .build();
var res = client.send(req, java.net.http.HttpResponse.BodyHandlers.ofString());
System.out.println(res.body());

# Responses

# Example Responses 

{
  "success": true,
  "message": "Store access credential retrieved successfully",
  "requestId": "ba47fd1e-db2f-4fa6-882e-8dc140e9dd63",
  "meta": {
    "timestamp": "2025-11-17T11:01:21.270Z"
  },
  "data": {
    "storeAccess": "ENCRYPTED:/QSP0qvHorkyZ14pyw/Ney1a+b6FFkjzDiJhOemGhXHKpGpq4mk28GurxwSmapwlcTtipqi1VOLck1KKpCnQOIyF5XHMwhr5hHJCRLT/H984h0WDZWmKzPQSLxp6Ud+L8s82eEE2emto/p3Kigjqi1PoTSukUA9HJ5mTJeVN9t9ekXdXoEQh2f0NRiPqwAq/W3A6Pi4fKNEivy3cEpr/gLDtrBSUECJeXymKfkmeSxv2hVuzpyl7Ai3dWDwO1eAoWSVccwVPGMGBqKxTpJSx+rr/02/tNjwi9zenIPdTVvpV/z6NrDGlYTz350WYNA2JVcm2hjrGUAILeyDFB/R8aD70gzGIUpwolw2p/2vZ2fxzVFpAeJM4nkFpf+F26umIVmwg0Rmx+WKO+A/lzMYtv6tf1FaNgCAjcA/sHXmAFy+r/DhOp/Vdz0k7b5evikooh4tJF6anrPSXzgPuUmg/xzJcKjD/zPH2fvNt4fldTL/V+yAAMGdfiCb2ij0tX7gy69h5RSGcoVP+bajc"
  }
}

# Dictionary

Encrypted fields

Values are AES-256-GCM encrypted and returned as strings prefixed with ENCRYPTED:.

Field path Type Notes
data.storeAccess string PII – Store Profile, Credentials

# Related Guides

# Notes

None for this endpoint.

© Copyright 2026. Toco All rights reserved.