Create an Apple Pay payment processing certificate
In this tutorial, you'll create an Apple Pay payments processing certificate that's registered in both your Apple Developer account and the Shopify admin. The certificate allows Shopify to act as a payments processor for iOS Apple payments, which involves decrypting the PassKit
payment data generated after a user authorizes a payment.
If you're familiar with setting up Apple Pay certificates already, then you'll notice some similarities to the process detailed in Apple's docs. However, there are differences in how the certificate is generated. For example, Shopify generates a unique Certificate Signing Request (CSR), rather than you creating one using keychain, and the resulting certificate needs to be uploaded using the REST Admin API.
Anchor to What you'll learnWhat you'll learn
In this tutorial, you'll learn how to do the following tasks:
- Create an
ApplePayCertificate
resource using the REST Admin API. - Wait for the certificate to transition from
"issuing"
into"csr"
status. - Retrieve the
base64
encoded Certificate Signing Request (CSR). - Decode the certificate and upload to Apple for encryption.
- Download the encrypted version of the certificate from Apple.
- Encode the encrypted version and upload it to Shopify using the REST Admin API.
- Activate the certificate (optional).
Anchor to RequirementsRequirements
You need to set up the following environment variables before you can run scripts. Paste the following code in your terminal, and replace the values in angled brackets. Refer to the table that follows the code for the correct values.
Set up environment variables
Variable | Description | Read-only? |
---|---|---|
STOREFRONT_DOMAIN | The domain of your store without trailing / . For example, https://store.myshopify.com. | No |
MERCHANT_ID | A unique identifier for Apple to identify your business as a merchant able to accept payments. Located within your Xcode project under Signing & Capabilities > Apple Pay > Merchant IDs . If this isn't setup yet, then you can create one. | No |
API_VERSION | Version of the REST Admin API to target. Refer to: REST Admin API reference. | No |
ADMIN_API_ACCESS_TOKEN | Located within the store settings: Settings > Apps & Sales Channels > Develop Apps > API Credentials > Admin API access token . Only store admins can access this value. ![]() | Yes |
Anchor to Step 1: Create an Apple Pay resourceStep 1: Create an Apple Pay resource
To begin, you need to generate a new certificate resource, as the certificate won't be immediately available. The response should indicate it's issuing
. In this step, you'll check whether the certificate has finished issuing so that you can retrieve the Certificate Signing Request (CSR).
Create an Apple Pay resource
POST - $STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates.json
Output
Anchor to Step 2: Retrieve an Apple Pay certificateStep 2: Retrieve an Apple Pay certificate
You can check on the progress of the certificate creation with the following GET
request.
If the response shows "status":"csr"
, then you can move on to the next step.
Retrieve an Apple Pay certificate
GET - $STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID.json
Output
Anchor to Step 3: Retrieve a Certificate Signing Request (CSR)Step 3: Retrieve a Certificate Signing Request (CSR)
In this step, you'll do the following work to manipulate the data:
- Add new line escape sequences to escape with
tr
. - Extract the JSON data with
jq
. - Decode the data from
base64
and save it to theapple_payment_processing.csr
file. This is the file that you'll later upload to Apple.
Retrieve a Certificate Signing Request (CSR)
GET - $STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID/csr.json
Output
Anchor to Step 4: Upload a Certificate Signing Request (CSR) to AppleStep 4: Upload a Certificate Signing Request (CSR) to Apple
Complete the following steps:
- Log in to your Apple Developer account.
- Under Certificates, Identifiers & Profiles, click the "+" button to create a new certificate.
- Select the checkbox for Apple Pay Payment Processing Certificate.
If this is the first certificate you're creating, then you'll be redirected to the creation page, otherwise you might encounter the following page. The Apple Pay Payment Processing Certificate section is the only area you need to focus on. The other sections are for setup on the web.
Make sure you don't create the certificate under Apple Pay Merchant Identity Certificate, which is only used for Apple Pay on the web.

-
Select Create Certificate and upload the
apple_payment_processing.csr
file from the previous step in the form. -
Download the encrypted version of the certificate. The filename is
apple_pay.cer
. -
Store the file somewhere securely as you'll upload this file in the next step using the REST Admin API.

If this is the second certificate you created, then leave this page open as you'll be returning to it to activate the certificate after its uploaded.
Anchor to Step 5: Upload the encrypted certificate using the REST Admin APIStep 5: Upload the encrypted certificate using the REST Admin API
After reading the file into a variable, you can upload it to the REST Admin API with the following commands:
Upload encrypted certificate using the REST Admin API
PUT - $STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID.json
Output
Anchor to Step 6: (Optional) Activate the certificateStep 6: (Optional) Activate the certificate
This step isn't necessary if you're only creating your first certificate, as it will default to active
. Only subsequent certificates that you create will start as inactive
until explicitly activated. This prevent interruptions of service if your application is in production.
-
Return to the page where the certificate was downloaded from Apple. The URL is:
https://developer.apple.com/account/resources/certificates/download/<CERTIFICATE_ID>
) -
Activate the certificate. The modal popup will warn that this should only be performed if this certificate has been setup for payment processing, so unless you missed steps above you can select to activate again.
If your app is already in production, then make sure you've completed the prior steps of uploading the encrypted certificate to Shopify. Failure to do so might cause service interruptions if your store is already live and processing Apple Pay transactions.

Anchor to Limitations and considerationsLimitations and considerations
- The payment processing certificate expires every 25 months. You can perform these steps again in order to configure a backup certificate to prevent interruptions of service.
- The merchant identity certificate is only required for Web, and not apps. Refer to Configure Apple Pay capabilities for more information.