Developers
Developer security
Protect keys, wallets, webhook endpoints, and order state.
- Keep API keys and webhook secrets server-side and out of logs.
- Use the smallest API-key scope set your integration needs.
- Verify the raw webhook body before JSON-parsing it or acting on it.
- Enforce your own timestamp tolerance and reject replayed delivery IDs in your handler.
- Serve webhook endpoints over HTTPS, and confirm the URL belongs to your own system.
- Confirm the checkout ID and expected amount before updating an order.
- Store transaction hashes and Outpay request IDs for auditability.
- Rotate API keys and webhook secrets deliberately; deploy the replacement before revoking the original.
- Never ask a customer to send a different asset or network to "fix" a payment — see customer troubleshooting.
Wallet changes are consequential
The merchant payout wallet controls where customers send funds. Require an explicit, independently reviewed wallet change, and verify the wallet-ownership signature before enabling it — see payout wallet.
Related documentation
- Authentication — key format, scopes, and rotation.
- Webhook verification — the signature check referenced above.
- Operational security — the platform-level controls behind this guidance.