Issue with Decryption Error (Tag Mismatch) When Calling /v2/payouts API
Hello Toss Payments Support,
I’m integrating with your /v2/payouts API using encryption with my provided security key. I’m correctly encrypting my payload (in text/plain) with the A256GCM algorithm and sending it with the required headers:
TossPayments-api-security-mode: ENCRYPTION
Authorization: Basic <encoded_secret_key>
However, when I send a request to /v2/payouts, I get an encrypted response, and when I try to decrypt it using the same security key, I get the following error:
Decryption failed: AES/GCM/NoPadding decryption failed: Tag mismatch!
Here's an example of the encrypted response I received:
eyJlbmMiOiJBMjU2R0NNIiwiaWF0IjoiMjAyNS0wNi0yNlQxODo0Mjo0Ni4zNTYyNTkzMTUrMDk6MDAiLCJub25jZSI6IjAwOWNiNTQ2LTgzZGYtNDRiNC1hMmQxLWYyMTliMThhZTgxZCIsImFsZyI6ImRpciJ9..myecGkNfS2k3F4en.VVwewGVwcxgf2iA9TZk4YyMZ7xdKu7ZcuBq_SizluSnVB5dCVAIHkpVbdTY326euGWcKXhjAOMjKOwruXxnOJbR2oVylauimkBKNRFbRfFQ-bs0wM8gj4AypeSYnctuStSMzui7ktErCDeHgYo9YNeyZX28SO-G6iT65xLVhCC9MLCqWcsK-86SCIGAQNzvRKJRv96CfCE38J4R0hBbtEo0JAhWCT61_lG6SGc5rhIIvPtg3cEiO4NtUjTklY9WQLWYfTzMBELHEdw5bwArFdlvIWZoTZClIqUENcdf265lbkRNphA.2TP2KoM93w1q7sEO5eG4lw
I used the same security key to encrypt the request, and it works fine locally (I can encrypt + decrypt my own payload).
Additionally, when I call the /v2/balances endpoint, I get a 403 Forbidden error.
Could you please help me confirm:
If my account has the proper permissions to use these endpoints?
If there is anything wrong with the encryption/decryption headers or payload format?
Why I might be getting the tag mismatch on decryption?
Thank you!
29 Replies
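A structural check for the kind of response quoted in the post above, added here as an example and not taken from the thread or from Toss Payments. It assumes the response is a JWE in compact serialization with `alg: dir` and `enc: A256GCM`, which is what the header of the quoted token decodes to; the function names and the sample token are constructed for illustration. If the token passes these checks, a tag mismatch points at the key or the AAD rather than at parsing.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode the unpadded base64url used by JWE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def inspect_jwe(token: str) -> dict:
    """Split a compact JWE and list structural problems found before decryption."""
    parts = token.strip().split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 dot-separated segments, got {len(parts)}")
    header_b64, key_b64, iv_b64, ct_b64, tag_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    iv, ct, tag = (b64url_decode(s) for s in (iv_b64, ct_b64, tag_b64))
    problems = []
    if header.get("alg") != "dir":
        problems.append(f"alg is {header.get('alg')!r}, expected 'dir'")
    if header.get("enc") != "A256GCM":
        problems.append(f"enc is {header.get('enc')!r}, expected 'A256GCM'")
    if key_b64:
        problems.append("alg=dir requires an empty encrypted-key segment")
    if len(iv) != 12:
        problems.append(f"IV is {len(iv)} bytes, A256GCM uses 12")
    if len(tag) != 16:
        problems.append(f"tag is {len(tag)} bytes, A256GCM uses 16")
    return {
        "header": header,
        # AAD is the ASCII of the header segment exactly as received (RFC 7516);
        # re-serializing the JSON changes the bytes and breaks the tag.
        "aad": header_b64.encode("ascii"),
        "iv": iv,
        # Java's AES/GCM/NoPadding takes the ciphertext with the tag appended.
        "ciphertext_and_tag": ct + tag,
        "problems": problems,
    }

def build_sample(tag_len: int = 16) -> str:
    """Constructed token (dummy bytes, not a real Toss Payments response)."""
    header = json.dumps({"enc": "A256GCM", "alg": "dir"}, separators=(",", ":"))
    segments = [header.encode(), b"", bytes(12), b"constructed-ciphertext", bytes(tag_len)]
    return ".".join(b64url_encode(s) for s in segments)

if __name__ == "__main__":
    print(inspect_jwe(build_sample())["problems"])           # well-formed token
    print(inspect_jwe(build_sample(tag_len=8))["problems"])  # truncated tag
```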
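⏳ Please wait a moment! We will reply shortly.
For error inquiries, providing the information below in advance helps us answer quickly.
- Order number (orderId):
- Inquiry details:
(Attaching an image as well is helpful.)
* For contract-related matters, please call 1544-7772.
* Replies may be delayed on weekends and public holidays.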
We're not enforcing any access control on our side.
Could you try submitting a curl request when the error occurs?
💡 Submit information (정보 제출)
Please submit sensitive information securely
You can submit through "정보제출" btn
1. The detailed error message will be sent as the response body. Read the response body.
If the response body is encrypted, try to decrypt it.
However, for your convenience, we will check the logs for you. Please click "정보 제출" button or click this link, and send us the CURL command you've used.
If you're not using cURL, and if you can retrieve the response header or response body, please let us know the traceId instead. It can be found either in the header or response body.
2. If you're sending too many requests, or the request was too malformed, it might be filtered by our WAF. This is a really rare case, so we don't think this is the case.
I have a question: when using payout api, do I have to become a partner or meet any conditions first?
yes, you need a contract to use the payout first.
Thanks a lot. And when in development, if I'm not a partner yet, can I use payout apis for testing?
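Hello. Our team is currently trying to integrate the Payout feature.
I have a few questions:
I would like to know whether we can test the Payout API in the development environment before production.
Or does partner registration have to come first?
If registration is required, who should we contact and what is the process?
And I have one more important question:
I am currently doing the implementation on behalf of a client,
could you confirm whether this user can use the Payout API in the development and production environments?
We are currently doing our best to integrate Toss Payments into our website.
We would really appreciate your help.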
Thanks so much.
Please note, you can ask us in English (and Vietnamese - only for me as I can speak)
Thanks so much.
I will reply to you in English. If you cannot understand, please ask me.
That's my question:
Hi, our team is currently working on integrating the Payout feature. We'd like to know:
Can we test the Payout API in the development environment before going to production?
Or do we need to register as a partner first?
If registration is required, who should we contact, and what is the process?
Thanks so much.
1. Can we test the Payout API in the development environment before going to production?
- Yes, you should. However, there are some restrictions for certain endpoints or actions. Please refer to our docs (written in Korean) or the image below.



2. Or do we need to register as a partner first?
- Yes, you should. Once your business is registered as a partner, we will send you the encryption key details. Without the key, you cannot test these APIs.
- In order to contract as a partner, please ask your Korean colleague to call +82 2-1544-7772 (domestic call: 1544-7772). This step requires Business ID (aka Tax ID) and actual contract will be performed.
Toss Payments Payment Integration Team
3. I am currently working on an implementation for a client, could you please help me to make sure that user can use the Payout API in both development and production environments?
- Once the contract is finished, we will issue MID (Merchant ID) and Key details (Client Key, Secret Key, Encryption Key-only for Payout API).
- Please share with us the MID or Client Key (starting with (test|live)_g?ck), if you already have one, then we can check the MID is enabled for this API.
- Please also keep in mind that Payout API is a special API, so the special contract as well as special review/audit may be required.
Thanks so much for your enthusiasm, I understand the process very well thanks to you, thanks again :gold:
May I know the MID, if you already have?
We use MID info for tracking the tickets for further reference.
If you don't, or you don't know, just say Idk, this info is optional.
Now I will ask my colleague in Korea to follow the steps you said to get MID, and at the same time I will do the API first, thank you very much.
But I am assuming that you already contracted with us
So that's how you got the API key details and you're working on API
So it would be great, to check MID and get the contract status from us.
Yes, we will go step by step, I want to ask in advance so we can plan the timeline, thank you very much.
Ah you're right, I got an MID: buskingphi
if you can check contract status with it it will be great, thanks again.
Store ID (MID)
buskingphi
The appropriate account management team will check the details of the MID and will confirm the MID is okay for payout API
Thanks so much. (y)
buskingphi is not ready to use payout service.
Thanks so much.
❤️ How was your technical inquiry experience?!
Please leave a brief comment! It is a great help in improving the product.
FYI @Bui Vuong - This means you should contact your Korean colleague and do the special contract. After the contract is done and ready to use for payout, then you can integrate the API.
Please do not integrate or test the Payout API before the contract is done. This always results in the error (decryption error) or 403 error.
I think this is the reason why you got decryption errors and 403 errors previously.
Thanks so much, I contacted my Korean colleague and they informed that they will plan with Business Team for these processes, they are looking into the costs involved den Payout.