Documentation

Security model

Protect keys, confirm signatures, and follow least-privilege practices.

Transport security

All API traffic is encrypted with TLS 1.2+. Requests must include a valid API key in the Authorization header.

Secrets management

  • Rotate API keys and webhook secrets every 90 days.
  • Store secrets in a vault or environment manager, never in code.
  • Limit access to production keys by role.

Webhook signing

Verify the signature of every webhook payload against your signing secret before updating order state; reject any payload whose signature does not match.
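The page does not specify the signing scheme, so the following is an added example, not the provider's own code: it assumes the sender computes HMAC-SHA256 over "<timestamp>.<raw body>" with the webhook signing secret and delivers the hex digest in an X-Signature header alongside a Unix timestamp in X-Timestamp (both header names, the message layout and the 300-second tolerance are assumptions). It verifies the signature in constant time, rejects stale timestamps, and deduplicates by event id so that a replayed delivery cannot update order state twice.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumed header names and replay window; adjust to the provider's actual scheme.
SIGNATURE_HEADER = "x-signature"
TIMESTAMP_HEADER = "x-timestamp"
MAX_SKEW_SECONDS = 300


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over '<timestamp>.<raw body>' (assumed message layout).

    Sign the raw bytes exactly as received; re-serialising parsed JSON can
    change whitespace or key order and break the comparison.
    """
    message = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[float] = None) -> bool:
    """Return True only if the timestamp is fresh and the signature matches."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    timestamp = lowered.get(TIMESTAMP_HEADER)
    provided = lowered.get(SIGNATURE_HEADER)
    if not timestamp or not provided:
        return False
    try:
        ts_value = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts_value) > MAX_SKEW_SECONDS:
        return False  # outside the replay window
    expected = compute_signature(secret, timestamp, body)
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(expected, provided)


class OrderStore:
    """Minimal in-memory order state with event deduplication (constructed)."""

    def __init__(self) -> None:
        self.orders: Dict[str, str] = {}
        self.seen_events = set()

    def handle_webhook(self, secret: bytes, headers: Dict[str, str], body: bytes,
                       now: Optional[float] = None) -> str:
        # Authenticate first; never parse or act on an unverified payload.
        if not verify_webhook(secret, headers, body, now):
            return "rejected"
        event = json.loads(body)
        event_id = event["id"]
        if event_id in self.seen_events:
            return "duplicate"  # idempotent: a redelivery does not re-apply
        self.seen_events.add(event_id)
        self.orders[event["order_id"]] = event["status"]
        return "applied"


if __name__ == "__main__":
    # Constructed sample delivery: secret, body and timestamp are made up.
    secret = b"whsec_constructed_example_secret"
    body = b'{"id":"evt_1","order_id":"ord_42","status":"paid"}'
    ts = "1700000000"
    headers = {"X-Timestamp": ts, "X-Signature": compute_signature(secret, ts, body)}
    store = OrderStore()
    print(store.handle_webhook(secret, headers, body, now=1700000010))  # applied
    print(store.handle_webhook(secret, headers, body, now=1700000010))  # duplicate
    tampered = body.replace(b"paid", b"refunded")
    print(store.handle_webhook(secret, headers, tampered, now=1700000010))  # rejected
```

The verification step runs before the JSON is parsed, so a forged or tampered body is discarded without touching order state, and the event-id set makes a legitimate redelivery harmless. Production code would persist the seen-event set and the order table rather than hold them in memory.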

Operational controls

  • Enable audit logging for key changes and payout activity.
  • Monitor webhook delivery failures and retry metrics.
  • Document escalation and incident response procedures.