Security
This page covers operational controls for secure integration: key lifecycle, environment separation, webhook verification, and production hardening.
API Keys and Environment Prefixes
- Sandbox keys: pk_test_* and sk_test_*.
- Production keys: pk_live_* and sk_live_*.
- Secret keys are shown once. Store them immediately in your secret manager.
- Never embed secret keys in mobile apps, browser code, or client-side logs.
Secure auth request pattern
# Backend only. Do not expose secret key client-side.
POST /auth/token
credentials=base64(pk_live_xxx:sk_live_xxx)
Webhook Security
- Verify HMAC signature for every webhook request.
- Reject stale timestamps beyond your tolerance window.
- De-duplicate events using event IDs to defend against replay/retry duplication.
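The three webhook checks above, combined in one receiver-side verifier. This is an added example, not the provider's own library: the header names (X-Webhook-Timestamp, X-Webhook-Signature), the signing scheme (HMAC-SHA256 over "timestamp.body", hex-encoded) and the 300-second window are assumptions; substitute the values from the provider's webhook documentation.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Assumed scheme (not specified on this page): the provider signs
# "<timestamp>.<raw body>" with HMAC-SHA256 and sends the hex digest.
TOLERANCE_SECONDS = 300


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """Signature the receiver expects for a given timestamp and raw body."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Applies the three checks: HMAC signature, freshness, de-duplication."""

    def __init__(self, secret: bytes, tolerance: int = TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        self.seen_event_ids = set()  # replace with a shared store (e.g. DB/Redis) in production

    def verify(self, headers: Dict[str, str], body: bytes,
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        timestamp = headers.get("X-Webhook-Timestamp")
        signature = headers.get("X-Webhook-Signature")
        if not timestamp or not signature:
            return False, "missing headers"
        # 1. Signature over the raw bytes, compared in constant time (never use ==).
        expected = compute_signature(self.secret, timestamp, body)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # 2. Reject deliveries outside the tolerance window (stale or far-future).
        try:
            ts = int(timestamp)
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.tolerance:
            return False, "stale timestamp"
        # 3. De-duplicate on the event ID so a replayed or retried event is processed once.
        event_id = json.loads(body).get("id")
        if not event_id:
            return False, "missing event id"
        if event_id in self.seen_event_ids:
            return False, "duplicate event"
        self.seen_event_ids.add(event_id)
        return True, "ok"
```

Parse the JSON only after the signature check passes, and always sign the exact raw request body; re-serialising parsed JSON changes the bytes and breaks verification.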
Production Hardening Checklist
- Enforce TLS 1.2+ end-to-end.
- Use least-privilege IAM and rotate credentials regularly.
- Redact sensitive fields in logs and traces.
- Enable audit logging for key payment and configuration changes.
- Run incident drills for provider outage and callback delivery degradation.