Toss Payments
Merchant Contract & Integration

Accepting payments in apps and on the web requires a PG merchant contract. This guide covers the Toss Payments application, review, and the transition from test keys to live keys.

  • Merchant contract: Free
  • Review time: 2–5 business days
  • Required docs: Business registration · bank account

Overview

Check before you start

A PG merchant contract requires a business registration. Sole proprietors qualify, but depending on your industry you may need extra documents (mail-order filing, medical or financial licenses). Finish the integration with test keys first — live keys are issued after merchant review.

  • Business registration required: Both individuals and corporations qualify.
  • Mail-order filing: Required for general retail (district office).
  • Settlement account: Account name must match the business.
  • Service URL / app: The product under review must exist.

Step-by-step Guide

01

DEV FIRST

Integrate with test keys first

Completing the payment flow on test keys before signing speeds up your launch.

  • Use the test keys openly published on docs.tosspayments.com
  • Choose a method: Payment Widget, Payment Window, or BrandPay
  • Implement success, failure, and cancel callback URLs
  • Test domestic and international cards, bank transfers, and easy pay

02

APPLY

Fill out the merchant application

Apply for a merchant contract on tosspayments.com.

  • Business name, representative, registration number, industry
  • Product catalog and expected monthly volume
  • Service URL (pre-launch sites can mark "coming soon" with screenshots attached)
  • Settlement account info (name must match the business)

03

DOCS

Upload required documents

Standard plus industry-specific documents.

  • Standard: business registration, representative ID, bank book copy
  • General retail: mail-order filing certificate
  • Medical or pharmaceutical: relevant permit or license
  • Food service: business operation license
  • 2–3 service screenshots (to verify the payment flow)

04

FEE

Negotiate fees

Confirm card and easy-pay rates in the contract.

  • Regular cards: around 2.5–3.5% (varies by volume and industry)
  • Easy pay (Kakao Pay, Naver Pay, etc.): additional fees
  • Settlement cycle: choose D+1 (next business day), D+3, or D+7
  • Higher monthly volume can justify lower rates

05

REVIEW

Review & approval

Takes about 2–5 business days.

  • Requests for additional documents arrive by email
  • Some industries (insurance, investment, games, alcohol) get extra review
  • On approval, you receive a merchant admin account
  • The contract is signed electronically (KakaoTalk authentication, etc.)

06

LIVE KEYS

Issue live keys

After approval, receive the keys that enable real payments.

  • Merchant admin page > API keys
  • Client key: for calling the frontend payment window (safe to expose)
  • Secret key: for server-side approvals and cancellations (never expose)
  • Keep the secret key in .env and use it only on the server
  • Test and live keys are distinguished by prefix (test_* / live_*)

07

WEBHOOK

Register the webhook

Receive payment status changes instantly on your server.

  • Merchant admin > Developer Center > Webhook
  • Events: PAYMENT_STATUS_CHANGED, CANCEL_STATUS_CHANGED, and more
  • Register an endpoint URL (HTTPS required)
  • Implement signature verification to prevent forgery

08

SETTLEMENT

Automate settlement & tax invoices

Review and download settlement records and tax invoices.

  • Settlement records: daily and monthly views in the merchant admin
  • Toss Payments issues tax invoices automatically
  • Cash receipts can be processed automatically on approval
  • Automate settlement via Excel export or API

Pitfalls

Common blockers

Applying with an incomplete service

You need at least payment-flow screenshots or a test URL to pass. "Coming soon" alone usually gets rejected.

Mismatched settlement account name

Applications frequently get rejected when the bank account name does not match the business registration.

Exposing the secret key on the frontend

Approval and cancellation APIs must be called from the server. Calling them from the frontend means shipping the secret key to the browser, which lets anyone tamper with transactions.
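
One way to enforce the key rules from step 06 and this pitfall, as an added example that is not code from Toss Payments or from this guide. The environment variable names (TOSS_CLIENT_KEY, TOSS_SECRET_KEY, APP_ENV), the key-shaped pattern, and every key value are assumptions made for illustration; only the test_/live_ prefix rule comes from the guide.

```javascript
// Added example; all key values and env variable names are constructed assumptions.
const KEY_SHAPED = /\b(?:test|live)_[A-Za-z0-9_]{16,}/g;

// Map a key to "test" or "live" using the prefix the guide describes.
function keyMode(key) {
  if (typeof key !== "string" || key === "") throw new Error("missing");
  if (key.startsWith("test_")) return "test";
  if (key.startsWith("live_")) return "live";
  throw new Error("no test_/live_ prefix");
}

// Server startup guard. env is process.env or a stub with the assumed names
// TOSS_CLIENT_KEY, TOSS_SECRET_KEY and APP_ENV. Returns a list of problems.
function checkKeyConfig(env) {
  const problems = [];
  const modes = {};
  for (const [label, name] of [["client", "TOSS_CLIENT_KEY"], ["secret", "TOSS_SECRET_KEY"]]) {
    try { modes[label] = keyMode(env[name]); }
    catch (e) { problems.push(`${label} key: ${e.message}`); }
  }
  if (modes.client && modes.secret && modes.client !== modes.secret)
    problems.push(`client key is ${modes.client} but secret key is ${modes.secret}`);
  const production = env.APP_ENV === "production";
  if (modes.secret === "live" && !production) problems.push("live secret key outside production");
  if (modes.secret === "test" && production) problems.push("test secret key in production");
  if (modes.secret && env.TOSS_CLIENT_KEY === env.TOSS_SECRET_KEY)
    problems.push("client and secret key are identical");
  return problems;
}

// Build check over the frontend bundle, passed as { fileName: contents }.
// Flags the secret key itself and any other key-shaped token except the client key.
function findLeakedKeys(bundleFiles, clientKey, secretKey) {
  const hits = [];
  for (const [file, text] of Object.entries(bundleFiles)) {
    if (secretKey && text.includes(secretKey)) {
      hits.push({ file, reason: "secret key" });
      continue;
    }
    const others = (text.match(KEY_SHAPED) || []).filter((t) => t !== clientKey);
    if (others.length > 0) hits.push({ file, reason: "unexpected key-shaped token" });
  }
  return hits;
}
```

Call checkKeyConfig(process.env) before the server starts listening and refuse to start if the list is not empty; run findLeakedKeys over the built frontend files in CI and fail the build on any hit.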

Skipping webhook signature verification

Anyone can POST to your webhook endpoint. If the server trusts the posted payment state without checking the signature, a forged request can bypass payment.

In-app purchase policy

Digital goods in iOS and Android apps must use each store's in-app purchase. Using an external PG risks app rejection.

If setup is a headache, we'll handle it

Projects at JAICYLAB include everything from developer account setup to launch and ops.