---
title: Create Apple Pay certificates
description: >-
  Set up the certificate required for payment processing with Apple Pay using
  the REST Admin API.
source_url:
  html: >-
    https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates
  md: >-
    https://shopify.dev/docs/storefronts/mobile/create-apple-payment-processing-certificates.md
---

# Create Apple Pay certificates

Apple Pay with [accelerated checkouts](https://shopify.dev/docs/storefronts/mobile/checkout-kit/accelerated-checkouts-overview) requires an [Apple Pay payment processing certificate](https://developer.apple.com/help/account/configure-app-capabilities/configure-apple-pay/) that lets Shopify decrypt [PassKit payment data](https://developer.apple.com/documentation/passkit). Unlike the standard Apple process, Shopify generates the Certificate Signing Request (CSR) and you upload the certificate through the [REST Admin API](https://shopify.dev/docs/api/admin-rest).

**Caution:**

The `write_mobile_payments` and `read_mobile_payments` access scopes need approval. [Submit the request form](https://www.appsheet.com/start/1ff317b6-2da1-4f39-b041-c01cfada6098) before starting.

***

## What you'll learn

In this guide, you'll:

* Create an `ApplePayCertificate` resource using the REST Admin API.
* Retrieve the Certificate Signing Request (CSR) and upload it to Apple.
* Download the encrypted certificate from Apple and upload it to Shopify.
* Activate the certificate (optional).

***

## Requirements

* `write_mobile_payments` and `read_mobile_payments` access scopes added to your REST Admin API access token.
* [jq](https://jqlang.github.io/jq/) and [openssl](https://www.openssl.org/) available in your terminal.
* An [Apple Developer account](https://developer.apple.com/programs/enroll/).

***

## Step 1: Set up environment variables

The scripts in this guide use four environment variables. Gather these values before continuing:

| Variable | Description |
| - | - |
| `STOREFRONT_DOMAIN` | Your store domain without a trailing `/`, for example `https://{shop}.myshopify.com`. |
| `MERCHANT_ID` | Your Apple merchant identifier from your Xcode project under **Signing & Capabilities** > **Apple Pay** > **Merchant IDs**. [Create one](https://developer.apple.com/documentation/applepaywebmerchantregistrationapi/registering-with-apple-pay-and-applying-to-use-the-api) if you haven't already. |
| `API_VERSION` | The REST Admin API version to target. See the [REST Admin API reference](https://shopify.dev/docs/api/admin-rest). |
| `ADMIN_API_ACCESS_TOKEN` | Your Admin API access token from **Settings** > **Apps** > **Develop apps** > **API credentials**. Only store admins can access this value. |

Set them in your terminal before running any commands:

## Set up environment variables

```terminal
ADMIN_API_ACCESS_TOKEN="{admin_api_access_token}" \
STOREFRONT_DOMAIN="{shop_domain}" \
API_VERSION="{api_version}" \
MERCHANT_ID="{apple_merchant_id}"
```

***

## Step 2: Create an Apple Pay certificate resource

Create a new certificate resource. The script stores the certificate ID in a variable:

## Create an Apple Pay resource

## POST - $STOREFRONT\_DOMAIN/admin/api/$API\_VERSION/apple\_pay\_certificates.json

```terminal
APPLE_PAY_CERTIFICATE_ID=$(curl --request POST "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates.json" \
--header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN" \
| jq .apple_pay_certificate.id);


echo "APPLE_PAY_CERTIFICATE_ID =" $APPLE_PAY_CERTIFICATE_ID
```

## Output

```text
APPLE_PAY_CERTIFICATE_ID = 1234
```

***

## Step 3: Retrieve the Apple Pay certificate

Check whether the certificate is ready with a `GET` request. The response shows `"status":"csr"` when it's ready:

## Retrieve an Apple Pay certificate

## GET - $STOREFRONT\_DOMAIN/admin/api/$API\_VERSION/apple\_pay\_certificates/$APPLE\_PAY\_CERTIFICATE\_ID.json

```shell
curl "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID.json" \
--header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN" \
| jq .
```

## Output

```json
{
  "apple_pay_certificate": {
    "id": 1234,
    "status": "csr",
    "merchant_id": null
  }
}
```

***

## Step 4: Retrieve the Certificate Signing Request (CSR)

Download the CSR from the API, decode it, and save it to a file called `apple_payment_processing.csr`:

## Retrieve a Certificate Signing Request (CSR)

## GET - $STOREFRONT\_DOMAIN/admin/api/$API\_VERSION/apple\_pay\_certificates/$APPLE\_PAY\_CERTIFICATE\_ID/csr.json

```shell
curl "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID/csr.json" \
--header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN" \
| tr -d \\n \
| jq -r .csr.key \
| openssl base64 -a -d -out apple_payment_processing.csr;


cat apple_payment_processing.csr
```

## Output

```csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBQtcb6AIBADCBhTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAk9OMQ8wDQYDVQQH
EwZPdHRhD2eXedaobGNVBAoMB1Nob3BpZnkxETAPBgNVBAsMCFBheW1lbnRzMRAw
DgYDVQQDDAdTaG9waWz5mseWhWyjkOzIhvcNAQkBDBJhZG1pbnNAc2hvcGlmeS5j
b20wWTATBgcqhkjOPQIBBggqhkjOPQMbbWncaas7Zyut/WMsHOERhUXNigv5X0Jk
VvIxuAriMxOIkNhPASsTbjxZGsLmqyv5Td+WrxJ45HeQraashdfgahgiauvCoAAw
CgYIKoZIzj0EAwIDSAAwRQIhAK1lbDqq/VNQbSQqCtLgClZmR/98vjsVhoh2ZwKE
13gLAiB2Pn6eKA1V2XZ+0wxoTpyzBrBeTaoABYiJnbqmTWWG3Q==
-----END CERTIFICATE REQUEST-----
```

***

## Step 5: Upload the CSR to Apple

Apple signs the CSR and returns an encrypted certificate that Shopify uses to process payments:

1. Sign in to your [Apple Developer account](https://developer.apple.com/account).

2. Under [Certificates, Identifiers & Profiles](https://developer.apple.com/account/resources/certificates/list), click **+** to [create a new certificate](https://developer.apple.com/account/resources/certificates/add).

3. Select the checkbox for **Apple Pay Payment Processing Certificate**.\
   If this is the first certificate you're creating, then Apple redirects you to the creation page. Otherwise, you might see a different certificate page. Select only the **Apple Pay Payment Processing Certificate** section.

   **Caution:**

   Don't create the certificate under **Apple Pay Merchant Identity Certificate**, which handles only Apple Pay on the web. See [Configure Apple Pay capabilities](https://developer.apple.com/help/account/configure-app-capabilities/configure-apple-pay/) for more information.

   ![Apple Developer Portal showing the Apple Pay Payment Processing Certificate option under Certificates.](https://shopify.dev/assets/assets/images/custom-storefronts/checkout-sheet-kit/apple-developer-docs-7OIYobbc.png)

4. Select **Create Certificate** and upload the `apple_payment_processing.csr` file.

5. Download the encrypted certificate (`apple_pay.cer`). If this is the second certificate you created, then leave this page open for activation.

   ![Apple Developer Portal showing the Download Certificate button for the Apple Pay certificate.](https://shopify.dev/assets/assets/images/custom-storefronts/checkout-sheet-kit/download-apple-certificate-CUdf2Zat.png)

***

## Step 6: Upload the encrypted certificate using the REST Admin API

Send the signed certificate back to Shopify so it can decrypt Apple Pay payment data. The script reads `apple_pay.cer`, base64-encodes it, and uploads it through the REST Admin API:

## Upload encrypted certificate using the REST Admin API

## PUT - $STOREFRONT\_DOMAIN/admin/api/$API\_VERSION/apple\_pay\_certificates/$APPLE\_PAY\_CERTIFICATE\_ID.json

```shell
ENCRYPTED_CERTIFICATE="$(openssl base64 -a -A -e -in apple_pay.cer)";


curl --request PUT "$STOREFRONT_DOMAIN/admin/api/$API_VERSION/apple_pay_certificates/$APPLE_PAY_CERTIFICATE_ID.json" \
--header "X-Shopify-Access-Token: $ADMIN_API_ACCESS_TOKEN" \
--header "Content-Type: application/json" \
--data "{
    \"apple_pay_certificate\": {
        \"id\": \"$APPLE_PAY_CERTIFICATE_ID\",
        \"status\": \"completed\",
        \"merchant_id\": \"$MERCHANT_ID\",
        \"encoded_signed_certificate\": \"$ENCRYPTED_CERTIFICATE\"
    }
}" \
| jq .
```

## Output

```json
{
    "apple_pay_certificate": {
        "id": 1234,
        "status": "completed",
        "merchant_id": "{merchant_id}"
    }
}
```

***

## Step 7: Activate the certificate (optional)

Your first certificate defaults to `active`. Subsequent certificates start as `inactive` until you explicitly activate them, which prevents service interruptions for apps in production:

1. Return to the Apple Developer certificate download page at `https://developer.apple.com/account/resources/certificates/download/{CERTIFICATE_ID}`.

2. If your app is already in production, then confirm you've uploaded the encrypted certificate to Shopify. Activating without uploading first will break Apple Pay for your live store. Click **Activate**.

   ![Apple Developer Portal dialog confirming certificate activation for payment processing.](https://shopify.dev/assets/assets/images/custom-storefronts/checkout-sheet-kit/activate-certificate-modal-Cyb2aGv8.png)

3. Certificates expire every 25 months. Create a backup certificate by repeating this guide before your current one expires.

***

## Next steps

[Set up accelerated checkouts\
\
](https://shopify.dev/docs/storefronts/mobile/checkout-kit/accelerated-checkouts)

[Add Apple Pay and Shop Pay buttons to your Swift or React Native app.](https://shopify.dev/docs/storefronts/mobile/checkout-kit/accelerated-checkouts)

[About accelerated checkouts\
\
](https://shopify.dev/docs/storefronts/mobile/checkout-kit/accelerated-checkouts-overview)

[How accelerated checkouts work, customization options, and lifecycle events.](https://shopify.dev/docs/storefronts/mobile/checkout-kit/accelerated-checkouts-overview)

***