> ## Documentation Index
> Fetch the complete documentation index at: https://sdk.qfapi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Credentials & Merchant Structure

> Understand the credentials used to identify stores and secure API requests.

To interact with the QFPay OpenAPI, you must use the credentials issued during onboarding. These credentials identify the store and ensure requests are authenticated securely.

***

## Store-Level Integration

QFPay OpenAPI integrations operate at the **store level**.

Each API request is processed for a specific store using the identifiers provided by QFPay.

***

## Required Credentials

QFPay provides the following credentials:

* **`app_code`** — Primary identifier of the store.
* **`client_key`** — Secret key used to generate request signatures.
* **`mchid`** *(optional)* — Store identifier used in certain configurations.

<Note>
  Use only the identifiers provided by QFPay during onboarding.

  If an `mchid` is provided, include it when required.\
  If it is not provided, do not include it in API requests.
</Note>

***

## When is `mchid` used?

`mchid` may be required in certain configurations, including:

* agent-managed setups
* specific payment channel requirements
* store identification requirements defined during onboarding

Some integrations use only `app_code` and `client_key`.

Always follow the credentials provided by QFPay.

***

## Security Responsibilities

Keep your credentials secure:

* Never expose the **client\_key** in frontend or mobile applications.
* Do not commit credentials to public repositories.
* Store secrets securely using environment variables or a secrets manager.