The Digital Gift Services APIs use mutual authentication by means of a signed certificate provided by Blackhawk Network. The certificate contains embedded values that support authentication, authorization, and billing. Your applications are authenticated through the use of embedded values in the client certificate.

Blackhawk Network requires client certificates to provide data security and privacy for client application data and services shared between Blackhawk Network and its partners.

Our digital services deal with sensitive information associated with people and financial institutions. We limit access to these services to trusted client applications managed by companies that have signed an agreement with us regarding use of the services.

What is a Client Certificate?

Security certificates are exchanged between clients and servers that need to be sure that their communications are private and when the client and/or server need to verify each other's identity. They are a standard part of HTTPS-based communication. When a browser accesses a secure web site, the web server provides a server certificate signed by a trusted public certificate authority (CA). The browser can verify the certificate and then be certain that the server is what it claims to be.

In a similar fashion, a client certificate enables a client application (or browser) to prove its identity to a server. In this case, the client certificate is signed by a private certificate authority most likely managed by the server that is asking for it. Since the certificate is signed by the server, the server can verify that it is valid and learn from its contents the identity of the client making the request. When a client and server both exchange certificates it is called mutual authentication.


TLS Support

Blackhawk Network supports TLSv1.2. Calls made using older versions of TLS are not supported and will fail.

Obtaining Your Certification & Production Environment Certificates

Please reach out to your Implementation Manager or Account Manager to discuss the certificate signing request (CSR).


You must treat the client certificate as highly confidential. You must not share the certificate with any other entities and must notify Blackhawk Network immediately if you suspect the certificate was compromised.

In summary the following process is used to generate your certificate:

  • Blackhawk Network sends the Partner (you) the distinguished name (subject) string for the client certificate.
  • You will then generate an RSA 2048 bit key pair and a certificate signing request (CSR) with a certificate containing the subject string. For additional guidance, please visit:
  • You will then deliver the CSR to Blackhawk Network over an agreed secure channel, who signs certificate request using Blackhawk Network's private certificate authority (CA) and returns the signed certificate over a secure channel to the Partner.
  • You then need to install the client certificate and client’s private key on each application server that needs to communicate with the Blackhawk Network APIs.


The distinguished name MUST be used exactly as specified with no additional attributes filled in or the authentication process will fail.

Did this page help you?