Merchants
Merchant security
Protect the wallet, Dashboard, and payment operations.
- Verify the payout wallet before publishing any link.
- Share only exact network and currency instructions: Base and USDC.
- Keep webhook secrets and API keys out of screenshots and support tickets.
- Require a second person to review wallet changes and live-key rotation.
- Fulfil an order only after a verified
checkout.paidevent or a server-side paid status. - Retain transaction hashes and checkout references for reconciliation.
- Never ask a customer to send additional funds to "unlock" a pending payment without an operator review.
Related documentation
- Payout wallet — the highest-impact change covered above.
- Team management — who should have access to sensitive actions.
- Developer security — the equivalent guidance for API integrators.