Documentation hub

Tech partner guides for onboarding, sandbox setup, and building with Visa Acceptance APIs and embedded components.

3 guides · 2 live · 1 coming soon

Live

Becoming a Tech Partner

Step-by-step guide to applying, getting approved, and activating your Technology Partner account. Covers the portal, agreement types, and your first sandbox.

 

Read time10 min read

Read guide External link
Live

Creating Tech Partner Sandbox

How to set up your partner-level sandbox, provision test credentials, and create merchant sandboxes for integration testing

 

Read time8 min read

Read guide External link
Live

Embeded Components Developer Guide

Full integration reference for Merchant Boarding. Quickstart, OAuth two-step, React example, event handlers, and the production go-live checklist.

 

Read time15 min quickstart. full guide~30 min read

Read guide External link

Looking for the full API reference?

Complete API docs, SDK references, and testing guides live on the Visa Acceptance Developer Center.

Visit Developer Center External link

DEVELOPER GUIDE

Embedded Components

Drop-in UI components for merchant boarding, payments, and account management — running inside your portal. White-labeled to your brand, PCI-scoped by Visa Acceptance, and live in the current Technology Partner pilot.

Information

Pilot scope

Merchant Boarding is live in the current pilot. Flex Microform and Unified Checkout follow in the next phase.

Architecture

Two-step OAuth flow, all server-side. Your backend exchanges client credentials for an access_token, then exchanges that for a session-scoped ec_token. The ec_token is the only token that ever reaches your frontend — your client_secret never leaves your backend.

TOKEN TTL SCOPE WHERE IT LIVES
access_token 15 minutes (no refresh) Per org_id + solution_id Server-side only
ec_token Session Scoped to a single merchant session Passed to the frontend SDK

 

 

QUICKSTART

15-minute Quickstart

From credentials to a live Merchant Boarding component in your sandbox in under fifteen minutes. Five steps, all copy-pasteable.

Warning
Silent failure warning

Portfolio admin consent must be granted in EBC2 → Solution Marketplace before credentials will work. Missing consent causes silent auth failures with no useful error message.

1

Install the SDK

Add @visaacceptance/embed-js to your frontend project.

# Install via npm

npm install @visaacceptance/embed-js

2

Get an access_token (server-side)

Exchange your client credentials for an access_token. 15-minute TTL, no refresh — server-side only.

// Step 1 — client_credentials grant
const oauthRes = await fetch(
  'https://apitest.visaacceptance.com/oauth2/token',
  {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type:    'client_credentials',
      client_id:     process.env.VISA_CLIENT_ID,
      client_secret: process.env.VISA_CLIENT_SECRET,
      solution_id:   process.env.VISA_SOLUTION_ID,
      org_id:        process.env.VISA_ORG_ID,
      scope:         'boarding',
    }),
  }
);
const { access_token } = await oauthRes.json();
3

Exchange for an ec_token

Token-exchange grant produces a session-scoped ec_token — the only token your frontend ever sees.

// Step 2 — token-exchange grant
const ecRes = await fetch(
  'https://sandbox.api.visa.com/v1/oauth2/token',
  {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type:         'urn:ietf:params:oauth:grant-type:token-exchange',
      subject_token:      access_token,
      subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',
      solution_id:        process.env.VISA_SOLUTION_ID,
      org_id:             process.env.VISA_ORG_ID,
    }),
  }
);
const { ec_token } = await ecRes.json();
res.json({ sessionToken: ec_token });
4

Mount the component

Pass the ec_token from Step 3. The component renders inside a sandboxed iframe — card data and KYB documents never touch your DOM.

// React: mount the boarding component
import { VisaMerchantOnboarding } from '@visaacceptance/embed-js/react';

<VisaMerchantOnboarding
  sessionToken={ec_token}
  onSuccess={(r) => save(r.org_id)}
  onError={(e) => show(e)}
  onSessionTimeout={refresh}
/>
5

Handle events

Three callbacks. All required for production. onSessionTimeout in particular is mandatory — without it, merchants see a frozen form after 15 minutes with no recovery.

Callback When it fires What you get
onSuccess Merchant completes boarding result.org_id — merchant ID. Store this.
onError Integration or validation error err.code , err.message
onSessionTimeout 15-min inactivity Must return a fresh ec_token . SDK re-initializes automatically.
Information
That's it

Your Merchant Boarding component is live in sandbox. Run a test merchant through to verify the full flow, then move on to the go-live checklist when you're ready for production.

Go-Live Checklist

Production readiness

Twelve items across four phases. Run them all before flipping environment: 'production'.

Credentials

 
Portfolio admin consent granted in EBC2 → Solution Marketplace
 
EC-scoped OAuth credentials provisioned (client_id, client_secret, solution_id, org_id)
 
Sandbox transactions verified end to end against a test merchant

production setup

 
Production credentials provisioned and stored in your secret manager
 
Token rotation implemented (15-min access_token expiry, no refresh — re-issue server-side)
 
Domain allowlist configured (frontend origins approved by Visa Acceptance)

testing

 
Component states tested: loading, error, validation failure, partial save, success
 
Theme, locale, and logo configured to match your brand
 
Mobile rendering verified on iOS Safari and Chrome Android

going live

 
Error and session-timeout handlers implemented and tested
 
Monitoring and alerts configured for OAuth errors and event-callback failures
 
Internal documentation updated for your support team
Information
Security rule

Never expose client_id or client_secret in frontend code. The two-step OAuth always happens server-side. Your frontend only ever receives the scoped ec_token.

 

Ready to start building?

Apply as a Technology Partner to get sandbox access and start integrating.