*New* Multi-Factor Authentication Universal Login Authentication & Account Management
- What new security update is being introduced?
- Why is MFA being introduced?
- How does MFA work?
- Enter your username and password on the login screen.
- Once your password is accepted, you will be prompted to answer your challenge question.
- After successfully completing the challenge question, you will be taken to the MFA verification screen.
- On this screen, you will select how you would like to receive or generate your OTP. Available options include:
- Click “SEND OTP” to request a one-time passcode. The OTP will be delivered via the method you selected.
- Enter the OTP on the MFA screen.
- Once the OTP is validated successfully, you will be signed in and redirected to your dashboard page.
- What MFA options can I choose from?
- Text Message (SMS)
- Mobile Authenticator App
- Will I need to complete MFA every time I log in?
- Will this change my current access or permissions?
- Will this affect my access to other Visa services?
- Where will my OTP be sent?
- Email OTP
- Text Message (SMS) OTP
- Authenticator App OTP
- Do I need to complete MFA if I log in through Visa Access SSO?
- What if I don't receive the OTP?
- Try the following:
- Check spam/junk folders
- Ensure your profile information is current Use a different MFA option (SMS or authenticator app)
- What is Universal Login and Why is it being introduced?
- What changes will I see on the login page?
- What is Passkey and how does it work?
- Passkey is a secure, passwordless authentication method using device-based credentials (e.g., Windows Hello, FIDO2 Security Key).
- New users will register a Passkey during account setup.
- Existing users will be prompted to register a Passkey after logging in with email and password.
- Can I still use my password to log in, and how do I learn more about Passkey?
- Are there device requirements for Passkey login?
- Windows devices: Enable Windows Hello (PIN, fingerprint, or facial recognition).
- Mac devices: Use a FIDO2-Certified Security Key.
- Security Key login: Ensure your key is FIDO2-Certified.
- Passkey is not supported by iPhone, iPad and Android device users currently.
- How do I create a new Passkey?
- How do I manage my Passkeys?
- Can I delete or deactivate a Passkey?
- How many Passkeys can I create and manage?
- What happens if I reach the limit of 10 Passkeys?
- Are there changes to my account profile?
- Primary Phone Number
- Mobile Phone Number
- Work Address
- Secondary Contact Information
- How do I fix registration/login issues?
- Try using another web browser (e.g. IE, Chrome, etc.).
- Try clearing your cache and cookies.
- Remove extra spaces and do not press TAB.
- Avoid using a password containing parts of your username or company name (e.g. "cUst").
- Try using a different type of special character.
- Make sure your email address and password do not have the same letter sequence or character sequence.
- How do I create and submit a Certificate Signing Request for Two-Way SSL authentication?
- Visa generates a CSR for you
- Generate your own CSR
- How do I fix issues with my test credentials?
- Verify the client certificate being used in the certificate chain with the following command:
OpenSSL> verify -verbose -CA file VDPCA-SBX.pem cert.pem
You should receive:
cert.pem: OK
- Check the contents of keystore by using the following command:
keytool -list -keystore <JKS_File_Path>
The above command displays the three entries related to Visa Developer as following:- Single Private key entry. The private key entry comprises of environment private key and the environment client certificate. The private key should be the same that the client has used for generating Certificate Signing Request for the requested environment. Please ensure that the correct environment certificates are being used.
- Visa Development Platform Intermediate Certificate.
- Visa Development Platform Root Certificate
- How do I fix connectivity issues with Authentication for API Requests?
- What endpoints should I use during the development and testing process?
- Sandbox: sandbox.api.visa.com
- Projects requiring testing in the Certification environment: cert.api.visa.com
- Production: api.visa.com; api.visa.co.in (India)
- How do I fix connectivity issues with the Sandbox.api.visa.com from the Data Power?
- Create a project
- Click the "Sandbox" page from the left navigation of the project
- In the "Credentials" section on the page, click "Add Two-Way SSL" and then "Add CSR" to create a credential
- In the "Credentials" section on the page, download the GeoTrust Certificate and Project Certificate (cert.pem)
- In the Trusted Certificates section of Data Power appliance configuration; add Geotrust.pem and sandbox.pem (Note: sandbox.pem is optional and may be needed if hostname verification is enabled)
- Run the command for sandbox.pem
openssl s_client -showcerts -connect sandbox.api.visa.com:443 - In the Client Configuration section, add the private key in the client private key field and cert.pem in the client certificate field as shown below:
- I’m getting an error from Visa Developer. How do I learn more about the error cause and resolution?
- What is X-CORRELATION-ID?
- How much does it cost to use an API?
- How do I navigate between my Sandbox, Certification, and Production dashboards?
- How do I promote a project to Certification or Production environments?
- Can all certificate types be renewed?
- How do I know when my sandbox certificates expire?
- How do I renew my sandbox certificate?
- Click "Add Two-Way SSL" to add a new Two-way SSL credential
- Click "Add X-Pay Token" to add a new X-pay token
- Will I receive an email notification when my sandbox certificate expires?
- Will I receive an email notice in advance of certificate expiration?
- What are the intervals at which a client will be notified by email?
- How do I know when my certification or production certificates expire?
- What is the duration of certificates?
- When a new certificate is issued does the user id and password also get renewed?
- We are getting an "Access Denied" message when trying to connect to Sandbox. How should I address this?
- Click "Add Two-Way SSL" to add a new Two-way SSL credential
- Click "Add X-Pay Token" to add a new X-pay token
- Can you help me understand how the payment ecosystem works?
- The Four Party model
- The transaction lifecycle
- Payment options (debit, credit, prepaid, etc.)
- The economics of managing a card portfolio
- Implementation strategies
- My Visa Developer account is disabled. How do I enable it?
*NEW* Multi-Factor Authentication- Frequently Asked Questions
Starting February 2026, Visa Developer Platform (VDP) will require Multi-Factor Authentication (MFA) at login. After entering your username and password, you will need to complete an additional verification step using a onetime passcode (OTP).
MFA provides an extra layer of security beyond your password, helping protect your account from unauthorized access. This update enhances trust, safeguards sensitive data, and aligns with Visa’s security standards.
When signing in to the Visa Developer Platform (VDP), MFA adds an additional layer of security to confirm your identity. The full login sequence is as follows:
Email OTP (default)
Text Message (SMS) OTP
Mobile Authenticator App OTP
You will have three verification options:
Yes. MFA will be required each time you log in to the Visa Developer Platform (VDP), unless you choose to authenticate using a Passkey. If you log in with a Passkey, you will not be prompted for MFA, as Passkey authentication already meets the required security factors.
No. This update does not impact your existing access, roles, entitlements, or project permissions on VDP.
No. The change does not affect other Visa platforms or services.
Your OTP will be sent to the verification method you select on the MFA screen after entering your username, password, and completing the challenge question. You may choose from:
Email is the default option because it does not require any additional setup.
No. If you access the Visa Developer Platform (VDP) through Visa Access Single Sign‑On (SSO), you will not be prompted for MFA. The SSO flow already satisfies Visa’s authentication requirements, so no additional verification step is required.
If you continue to experience issues, please contact support at [email protected].
New Sign-In Experience- Frequently Asked Questions
Starting November 5, 2025, Visa Developer Platform will use Visa’s Universal Login for authentication. Universal Login is a single, standardized login experience for Visa Developer Portal (VDP), managed by Visa’s B2BIAM platform. This brings enhanced security, streamlined access management, and consistent user experience across Visa applications.
Introducing a new feature called Passkey on the login screen. Passkey is an optional, passwordless authentication method that is encouraged for enhanced security. While you can continue to use your existing password, setting up a Passkey is optional but recommended for stronger protection against phishing and credential theft.
Yes, while the default login screen will continue to use passwords, users are encouraged to set up Passkey for enhanced security. Passkey setup is optional but recommended to further protect your account.
To explore the Visa Developer Platform Passkey, simply click on the "About Passkey" link, which can also be found on the Visa Developer Platform login screen.
Go to your account’s Security Settings in the "My Account" page, select “Create New Passkey”, and follow the on-screen instructions.
Go to “Manage Passkeys” under My Security in the “My Account” page.
Yes. You can manage, delete, or deactivate Passkeys from the Security Settings under the "My Account" page.
You can create and manage up to 10 Passkeys.
You’ll need to delete an existing Passkey before creating a new one.
There are no changes or impacts to your existing account profile. The only update is the addition of new optional fields in the Profile screen under "My Account". These include:
These fields are entirely optional and can be filled out at your discretion. No existing information will be removed or affected. However, please note that the Organization and Website fields will no longer be displayed in the Profile screen.
Authentication & Account Management- Frequently Asked Questions
Here are some tips to resolve problems with logging in and registering at the Visa Developer Center.
If you are not receiving emails from us, in some cases, the email might get caught in a spam filter. Please check your spam, trash, and archived folders. It could also be that your company’s firewall security is causing the emails not to be going to your company’s email address. Besides that, you may also check your proxy setting, which could be blocking the email.
Password
While logging into your Visa Developer account, please make sure you are providing your email address as how you have entered it in the system, using lowercase or uppercase for characters that you had used lowercase or uppercase on.
When choosing a password, please meet the following requirements listed below. While changing password, please make sure you are providing your email address as how you have entered it in the system, using lowercase or uppercase for characters that you had used lowercase or uppercase on. Your password should NOT contain three consecutive numbers like 123.
To change password, please navigate to this link - https://developer.visa.com/identity/user/forgot.
Or, you can login to Visa Developer and navigate to this link to reset password - https://developer.visa.com/portal/account/password
If you are experiencing an issue, please try the following to resolve the issue.
Account Lockouts
If you enter an incorrect password several times, your account will be locked out and you will be forced to reset your password to get back into your account. You can reset your password by going to Visa Developer Center > Login. This will allow you to change your password through an email delivered to your inbox.
The Certificate Signing Request (CSR) is a prerequisite to get your project certificate (cert.pem), which is required to establish a Two-Way SSL connection. Additionally, you will need a root certificate (VDPCA-SBX.pem) and your private key.
To generate a CSR to use in the sandbox, you have two options:
For more details, refer to the Two-Way SSL guide.
To fix issue with your test credentials:
You can download all three certificates above from the "Credentials" section on the page for the appropriate environment such as Sandbox, Certification or Production.
The easiest way to troubleshoot connectivity issues is to use the SOAPUI tool. Refer to Testing Two-Way SSL Connectivity Using SOAPUI section in Two-Way SSL that includes steps to access the helloworld project. This is the fastest way to test your access credentials and to create sample HTTP requests that work. Once you get your SOAPUI connection to work, review the raw HTTP request – you will get the exact value of an encoded username and a password that works. You can then compare the working value with the value you generate in your IDE.
Use the following endpoints for:
To fix the connectivity issues with the Sandbox: sandbox.api.visa.com from the Data Power:
Refer to Visa Developer Error Codes for a detailed list of Visa Developer error codes and their descriptions.
X-CORRELATION-ID is a unique ID that system generates for every API request and is included in the Response Headers. If you are using SOAP UI, you can see the X-CORRELATION-ID under Response section as shown below. This is helpful for debugging purposes when you report your issues to Visa Developer ([email protected]).
There is no cost to you to develop your project using any of the Visa APIs in the sandbox. Contact Visa for pricing and commercial details to use in Production.
To navigate between the dashboards, select the environment you'd like to switch to from the sidebar as depicted below
In order to use the products in the certification or production environment, complete the steps on the "Onboarding Dashboard" of your project. Visit Going Live for an overview of the processes to be completed before the APIs can be used in the production environment.
Yes, you can renew sandbox, certification, and production certificates for a project.
When sandbox certificates expire, you will see a notification in the Credentials section of your dashboard.
On the "Sandbox" page of your project, you can:
Expiration notifications are sent for projects that have been promoted to certification and production environments only.
For projects that have been promoted to the certification or production environments only, Visa Developer will send email notifications at predetermined intervals, to the “owner” (full access) registered users for the project.
Notifications will be sent 120, 90, 60, 30, 15 and 7 days prior to expiration.
You will see this information in a new status column on the dashboard indicating either “Certificate Expired” or “Certificate Expiring”.
Two-way SSL certificates are valid for 27 months. X-pay tokens are valid for 24 months.
Yes. In sandbox, certification and production the new certificate will come with a new user id and password.
Your sandbox credential has expired. To renew the credentials, on the "Sandbox" page of your project:
Please refer to Visa Partner's Learn section that introduces you to the payments ecosystem, how it works and the steps needed to launch a card program. You’ll come away ready to craft your own payments strategy – with a solid grasp of payment economics and the overall ecosystem.
You'll learn about:
Please contact Visa Developer Support at [email protected] to enable your account.
Find help your way
Read up on Documentation and Getting Started Guides
Find help through our new Learning Hub
