OutpayDocs
Developers

Developer security

Protect keys, wallets, webhook endpoints, and order state.

  • Keep API keys and webhook secrets server-side and out of logs.
  • Use the smallest API-key scope set your integration needs.
  • Verify the raw webhook body before JSON-parsing it or acting on it.
  • Enforce your own timestamp tolerance and reject replayed delivery IDs in your handler.
  • Serve webhook endpoints over HTTPS, and confirm the URL belongs to your own system.
  • Confirm the checkout ID and expected amount before updating an order.
  • Store transaction hashes and Outpay request IDs for auditability.
  • Rotate API keys and webhook secrets deliberately; deploy the replacement before revoking the original.
  • Never ask a customer to send a different asset or network to "fix" a payment — see customer troubleshooting.

Wallet changes are consequential

The merchant payout wallet controls where customers send funds. Require an explicit, independently reviewed wallet change, and verify the wallet-ownership signature before enabling it — see payout wallet.

On this page